Information Security Requirements

Temenos Information Security Requirements

1. Supplier Security Obligations

 The Supplier shall:

1. Implement and maintain appropriate information security requirements (“ISRs”) to ensure an adequate level of security for the processing of Temenos Data.
2. Ensure that when providing the Services they align with recognized standards and frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, and the Cloud Security Alliance STAR.
3. Consider the sensitivity of the data processed under this Agreement in determining appropriate security measures.

This Schedule sets forth the ISRs that shall govern the Supplier’s Processing activities.

For the purposes of this Schedule:

“Good Industry Practice” means the degree of skill, care, diligence, prudence, efficiency, foresight, and timeliness that would be expected from a leading company in the Supplier’s industry or business sector.

“Processing” means any operation or set of operations that is performed on Temenos Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or destruction.

“Temenos Data” means the data and information, including Personal Data, that are provided to the Supplier by, or on behalf of, Temenos or Temenos Affiliates under or in connection with this Agreement or an Order.

2. Information Security Governance

 Information Security Policy

SUPPLIER shall establish and maintain an Information Security Policy that:

1. Is formally approved by SUPPLIER’s executive management and communicated to all relevant personnel and subcontractors;
2. Clearly defines roles and responsibilities for its effective implementation; and
3. Is reviewed at least annually, or more frequently as necessary, and updated to ensure its continued relevance and effectiveness.

• Access Management and Personnel Security

SUPLIER shall ensure that all personnel with access to Temenos Data:

1. Have undergone appropriate background checks in line with Good Industry Practice before having access to Temenos Data;
   1. Are granted access strictly on a need-to-know basis, limited to the minimum privileges necessary for their roles;
   2. Are authenticated using industry-standard identity verification and authentication mechanisms;
   3. Receive regular security awareness training tailored to their role and responsibilities. The training will include best practices to detect and protect against phishing. Supplier will also, at reasonable intervals, conduct phishing simulations to train its personnel to detect and protect against phishing attempts; and
   4. Are contractually bound to comply with these ISRs.

 Physical Security and Asset Protection

SUPPLIER shall enforce strict physical security controls to:

1. Prevent unauthorized access to facilities, equipment, and data storage areas.
2. Restrict access to data centers and other sensitive locations;
3. Secure and dispose of media and equipment in accordance with Good Industry Practice; and
4. Prohibit the unauthorized removal of Temenos Data, or equipment or media containing Temenos Data from Supplier premises.

• Logical Access Control and Data Protection

SUPPLIER shall:

1. Implement strict operating procedures, including segregation of duties and automated access controls;
2. Establish and enforce strong authentication, password management, and privilege assignment policies;
3. Use multi-factor authentication for any of the following:
   1. Privileged access (e.g. system or data base level administrative access) to any servers and/or applications hosting Temenos Data;
   2. Any remote access to Temenos Data.
4. Conduct periodic reviews of user access rights to ensure they remain appropriate; and
5. Implement clear desk and clear screen policies to mitigate accidental exposure of sensitive data.

• Network and System Security

SUPPLIER shall implement industry-standard security controls to:

1. Protect networks, systems, and data from external and internal security threats;
   1. Use only securely configured, corporate-owned devices (i.e. hybrid/work personal use devices) to connect to Temenos networks and systems or to access or store Temenos Data.
   2. Enforce encryption of Temenos Data at rest and in transit using robust cryptographic standards;
   3. Secure all access points, including remote and mobile access mechanisms;
   4. Monitor for threats and vulnerabilities through regular security assessments; and
   5. Establish clear protocols for secure data exchange and messaging.

• Security Logging and Change Management

SUPPLIER shall:

1. Maintain and monitor logs of critical access and security-related events;
2. Ensure that changes to infrastructure, applications, and services are assessed for security risks prior to implementation;
   1. have a documented log review process. Administrators with privileged access to Temenos Data must not be allowed to perform log maintenance. The following logs must be captured and actively monitored:
      1. Successful and failed logins of users and administrators;
      2. All admin access to the Temenos Data and systems provided as part of the services;

• Changes to security configuration settings (password requirements, encryption settings, etc.);

1. Other security relevant events (database transaction logging, database access logging, etc.); and
2. Implement tools for backup, capacity management, and mobile device security.

• Third-Party Security Oversight

When engaging third parties to process Temenos Data or provide supporting services, SUPPLIER shall:

1. Ensure appropriate contractual obligations are in place with the third parties to enforce security standards no less stringent than those set out in these ISRs;
2. Conduct security risk assessments prior to engaging third parties, and mitigate identified risks; and
3. Perform continuous monitoring and at least annual security reviews of third-party providers.

• Security Incident Management and Investigations

SUPPLIER shall:

1. Establish and maintain an incident response plan that ensures a consistent, structured approach to managing Security Incidents;
2. Ensure that security events, threats, and weaknesses are reported and addressed in a timely manner;
3. Notify Temenos of any confirmed data breach within 24 hours of becoming aware of the Security Incident; and
4. Fully cooperate with Temenos in any security investigations relating to unauthorized access, data breaches, or other Security Incidents, including:

1. Providing access to relevant logs, forensic reports, and security assessments upon request;
2. Supporting joint investigations and remedial action plans; and

• Ensuring transparency in root cause analysis and corrective measures.

For the purpose of this ISR8, “Security Incident” means any actual or suspected violation of security policies, unauthorized data access, or compromise that could impact the confidentiality, integrity, or availability of Temenos Data.

• Business Continuity and Disaster Recovery

SUPPLIER shall:

1. Maintain, test, and update a Business Continuity Plan that ensures resilience against disruptions, including security-related incidents;
2. Ensure information security controls remain in place throughout any disruption; and
3. Conduct regular disaster recovery exercises to validate the effectiveness of security safeguards.

• Asset and Information Classification

SUPLIER shall:

1. Maintain an inventory of critical information assets and associated applications;

1. Implement an asset classification scheme to define security requirements based on risk and sensitivity; and
2. Assign ownership responsibility for each information asset, ensuring accountability for security and compliance.

• Compliance Monitoring and Record-Keeping

SUPPLIER shall:

1. Maintain adequate documentation and records to demonstrate compliance with these ISRs as well as accepted industry standards (e.g., the NIST Cyber Security Framework, ISO 27001/27002, ISO 27017, ISO 27018, SOC 2 Type II, Cloud Security Alliance STAR, etc.) and comply at all times with all applicable laws concerning the protection and securing of information;
   1. Shall implement a process for regularly testing, assessing and evaluating the effectiveness of the security measures it puts in place to ensure the security of the Temenos Data.
   2. Update its security practices and controls at its own cost to continue to comply with accepted industry standards;
   3. Provide evidence of security controls upon reasonable request; and
   4. Participate in security assessments, audits, or reviews as are reasonably required by Temenos to the extent such security assessments, audits or reviews concerns the Services.

• Secure Development and System Security Requirements

SUPPLIER shall:

1. Establish a documented System Development Lifecycle (SDLC) based on industry-standard methodologies;
2. Implement security best practices, including:
   1. Secure by design and default principles;
   2. Defence in depth strategies;

• Secure coding guidelines aligned with OWASP Top 10 and CWE/SANS Top 25; and

1. Privacy-by-design and privacy-by-default principles; and

1. Ensure that applications handling Temenos Data undergo regular security assessments, including penetration testing and secure code reviews.

• Security Control Modifications

SUPPLIER shall:

1. Notify Temenos in writing of any material changes to its security controls that could impact the security of Temenos Data; and
2. Ensure that such changes do not degrade the overall security posture of Temenos.