Royal Caribbean Group Information Security Schedule
This Information Security Schedule (“Schedule”) sets forth the applicable information security requirements governing the relationship between Royal Caribbean Group (RCG) and Counterparty. Throughout the term of the Agreement and for as long as Counterparty controls, possesses, stores, transmits, or processes Protected Data, or connects to or accesses any RCG Information Assets as part of the services provided to RCG or otherwise under the Agreement between the parties, Counterparty shall comply with the requirements set forth in this Schedule. Any breach of this Schedule shall be deemed a material breach under the Agreement.
1. Definitions:
“Affiliate” means any company or other entity which directly or indirectly controls, is controlled by or is under common control with a company, or any limited partnership or limited liability partnership whose general partner or managing member is an aforementioned company or entity.
“Authorized Personnel” for the purposes of this Schedule, means Counterparty’s employees or subcontractors who: (i) have a need to receive or access Protected Data to enable Counterparty to perform its obligations under the Agreement; and (ii) are bound in writing with Counterparty by confidentiality obligations sufficient for the protection of Protected Data in accordance with the terms and conditions set forth in the Agreement and this Schedule.
“Common Software Vulnerabilities” (CSV) are application defects and errors that are commonly exploited in software. This includes but is not limited to:
- The CWE/SANS Top 25 Programming Errors – see http://cwe.mitre.org/top25 and http://www.sans.org/top25-software-errors
- The Open Web Application Security Project’s (OWASP) “Top Ten Project” – see http://www.owasp.org
“Credit Card Data” includes: Credit or Debit Card Account Number, Security Code, Expiry Month, Expiry Year, or any data taken from the magnetic stripe of a credit or debit card.
“Data Protection Legislation” means, in each case to the extent applicable to activities undertaken in connection with this Agreement: (i) Regulation (EU) 2016/679; and (ii) UK GDPR (the “GDPR”), Directive 2002/58/EC, the California Consumer Privacy Act and any other legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data, data protection and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities.
“Industry Standards” mean generally recognized industry standards, best practices, and benchmarks, including but not limited to the latest version from time to time of the following:
- Payment Card Industry Data Security Standards (“PCI DSS”) – see http://www.pcisecuritystandards.org
- National Institute for Standards and Technology (“NIST”) – see http://csrc.nist.gov
- ISO / IEC 27000-series – see http://www.iso27001security.com
- COBIT 5 – http://www.isaca.org/cobit
- NIST Cyber Security Framework – see http://www.nist.gov/cyberframework
- Cloud Security Alliance (“CSA”) – see https://cloudsecurityalliance.org
- Other standards applicable to the services provided by Counterparty to RCG
“Information Assets” means all RCG and RCG Affiliate data, networks, systems, applications, or other resources housing RCG and/or RCG Affiliate data.
“Personal Data” also known as Personally Identifiable Information (PII), is information of RCG customers, guests, employees, and subcontractors held by Counterparty that can be used on its own or combined with other information to identify, contact, or locate a person, or to identify an individual in context. Examples of Personal Data include name, social security number or national identifier, biometric records, driver’s license number, either alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Personal Information may also be defined under applicable state or federal law in the event of a Security Incident.
“Restricted/Confidential Data” is information that the RCG or its Affiliates designate as having a higher degree of confidentiality or sensitivity and includes:
- Network topology including IP addresses, configuration, and architecture documents
- Vulnerability assessment reports including specific vulnerabilities and exploits
- Usernames and passwords
- Personal data
- Credit card data
- Political opinions
- Medical or health conditions
- Religious or philosophical beliefs
- Information relating to sexual orientation
- Certain criminal records
Collectively “Personal Data” and “Restricted/Confidential Data” may be referred to herein as “Protected Data.”
“Security Incident” is any actual or suspected occurrence of:
- Unauthorized access, use, alteration, disclosure, loss, theft of, acquisition of, or destruction of unencrypted Protected Data or the systems / storage media containing Protected Data
- Illicit or malicious code, phishing, spamming, spoofing
- Unauthorized use of, or unauthorized access to, Counterparty’s systems
- Inability to access Protected Data or Counterparty systems as a result of a Denial of Service (DOS) or Distributed Denial of Service (DDOS) attack
- Loss of Protected Data due to a breach of security
“Security Vulnerability” is an application, operating system, or system flaw (including, but not limited to, associated process, computer, device, network, or software weakness) that can be exploited resulting in a Security Incident.
“controller”, “processor”, “data subject”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
2. General Security Requirements:
2.1 Information Security Program Management
Counterparty represents and warrants that it currently employs one or more employees in the development, implementation and maintenance of Counterparty’s enterprise information security program. In the event Counterparty cannot so warrant, Counterparty agrees to either (a) assign a qualified member of its workforce or (b) commission a reputable third-party service provider to be responsible for the development, implementation and maintenance of Counterparty’s enterprise information security program.
2.2 Policies and Standards
To protect RCG and RCG Affiliates’ Protected Data, Counterparty shall implement and maintain reasonable security that complies with Data Protection Legislation and meets data security Industry Standards.
Counterparty shall maintain formal written information security policies and standards that as a minimum:
- Define the administrative, physical, and technological controls to protect the confidentiality, integrity, and availability of Protected Data, RCG systems, and Counterparty systems (including mobile devices) used in providing Services to RCG
- Encompass secure access, retention, and transport of Protected Data
- Provide for disciplinary or legal action in the event of violation of policy by employees or Counterparty subcontractors and vendors
- Prevent unauthorized access to RCG data, RCG systems, and Counterparty systems, including access by Counterparty’s terminated employees and subcontractors
- Employ the requirements for assessment, monitoring and auditing procedures to ensure Counterparty is compliant with the policies
- Conduct an annual assessment of such policies, and upon RCG’s written request, provide attestation of compliance.
2.3 Security and Privacy Training
Counterparty, at its sole cost and expense, shall train any new and existing Counterparty employees and subcontractors to comply with the security obligations under the Agreement and this Schedule. Ongoing training is to be provided by Counterparty at least annually, more frequently as Counterparty deems appropriate, or as requested by RCG. RCG may provide specific training material to Counterparty to include in its employee/subcontractor training.
2.4 Access Control
Counterparty shall ensure that RCG Protected Data shall be accessible only by Authorized Personnel after appropriate user authentication and access controls (including but not limited to two-factor authentication) that satisfy the requirements of this Schedule. Each Authorized Personnel shall have unique access credentials and shall receive training which includes a prohibition on sharing access credentials with any other person. Counterparty shall maintain access logs relevant to RCG Protected Data for a minimum of six (6) months or other mutually agreed upon duration.
2.5 Data Backup
As part of any Statement of Work, the parties shall agree upon the categories of RCG Protected Data that are required to be backed up by Counterparty. Unless otherwise agreed to in writing by RCG, backups of RCG Protected Data shall reside solely in the United States. For the orderly and timely recovery of Protected Data in the event of a service interruption:
- Counterparty shall store a backup of Protected Data at a secure offsite facility and maintain a contemporaneous backup of Protected Data on-site to meet needed data recovery time objectives.
- Counterparty shall encrypt and isolate all RCG backup data on portable media from any backup data of Counterparty’s other customers.
2.6 Network Security
Counterparty agrees to maintain network security controls that conform to Industry Standards including, but not limited to, the following:
- Firewalls. Counterparty shall utilize firewalls to manage and restrict inbound, outbound, and internal network traffic to only the necessary hosts and network resources.
- Network Architecture. Counterparty shall appropriately segment its network to only allow authorized hosts and users to traverse areas of the network and access resources that are required for their job responsibilities.
- Demilitarized Zone (DMZ). Counterparty shall ensure that publicly accessible servers are placed on a separate, isolated network segment typically referred to as the DMZ.
- Intrusion Detection/Intrusion Prevention (IDS/IPS) System. Counterparty shall have an IDS and/or IPS in place to detect inappropriate, incorrect, or anomalous activity and determine whether Counterparty’s computer network and/or server(s) have experienced an unauthorized intrusion.
- Penetration Testing. Counterparty shall have regular (once annually) third party penetration testing.
2.7 Application and Software Security
Counterparty agrees at all times to provide, maintain and support its software applications or Software as a Service (SaaS) and subsequent updates, upgrades, and bug fixes such that the Software is, and remains, secure from Software Vulnerabilities and, at a minimum, incorporates the following:
- Malicious Code Protection. Counterparty’s software development processes and environment must protect against malicious code being introduced into its product(s) future releases and/or updates.
- Vulnerability Management. Counterparty agrees at all times to provide, maintain, and support its software and subsequent updates, upgrades, and bug fixes such that the software is, and remains, secure from Common Software Vulnerabilities as described in the OWASP Top 10 – see http://www.owasp.org; or the CWE/SANS Top 25 Programming Errors – see http://cwe.mitre.org/top25 or http://www.sans.org/top25-programming-errors; or other generally recognized and comparable industry practices or ISO 27001 standards.
- Application Level Security. Counterparty must use a reputable third party to conduct static/manual application vulnerability scans on the application(s) software provided to RCG and/or its Affiliates for each major code release or at the time of contract renewal. An internally produced static/manual test from the Counterparty shall not be accepted. Results of the application testing shall be provided to RCG in a summary report and vulnerabilities categorized as Very High, High or that have been identified as part of the Open Web Application Security Project’s (OWASP) Top 10 and SANS Top 25 shall be remediated within ten (10) weeks of identification.
- Logging. Counterparty software that controls access to Protected Data must log and track all access to the information.
- Updates and Patches. Counterparty agrees to promptly provide updates and patches to remediate Security Vulnerabilities that are exploitable. Upon RCG’s request, Counterparty shall provide information on remediation efforts of known Security Vulnerabilities.
2.8 Disaster Recovery and Business Continuity
Counterparty agrees to maintain up to date plans for reestablishing critical business processes whenever extraordinary conditions occur that prevent normal operation. Counterparty agrees to test disaster recovery plans at least once a year and allow RCG or its authorized third party, upon a minimum of thirty (30) days’ notice to Counterparty’s designated Security Contact, to perform an assessment of Counterparty’s Business Continuity and Disaster Recovery plans once annually, or more frequently if agreed to in an SOW or other document. Counterparty shall notify the RCG Information Security Department Incident Response Team by telephone and e-mail within 24 hours, whenever a disaster or emergency situation is declared.
2.9 Change Management Procedures
Counterparty agrees to follow change management procedures for services that are provided to RCG including but not limited to infrastructure, applications, databases, security, and networking infrastructure. The change management procedures shall meet the minimum Information Technology Infrastructure Library (“ITIL”) Change Management Framework or Information Technology Service Management (“ITSM”) to confirm that standardized methods and procedures are used to minimize the impact of change-related incidents upon service quality and availability.
2.10 Right to Audit
RCG or an RCG-appointed audit firm shall have the right to audit Counterparty, its subcontractors or affiliates’ policies, procedures, software, system(s), and data processing environment to confirm compliance with this Schedule. RCG may conduct such audit by providing Counterparty no less than two weeks (10 business days) notice to the Counterparty, following the Notice provision in the Agreement. Should documentation requested be unable to be removed from the Counterparty’s premises, Counterparty shall allow RCG or its auditors access to Counterparty’s premises. Where necessary, the Counterparty shall provide a personal site guide for the Auditors while on site. Counterparty shall provide a private accommodation on site for data analysis and meetings; the accommodation shall allow for a reasonable workspace, with appropriate lighting, electrical, a printer and Internet connectivity. Counterparty shall make necessary employees or contractors available for interviews in person or on the phone during the time frame of the audit. Counterparty shall provide reasonable support to the audit team. Audits shall be at RCG’s sole expense, except where the audit reveals material noncompliance with contract specifications, in which case the cost shall be borne by the Counterparty. Upon request, Counterparty shall provide any relevant third-party assessment reports, such as SOC 2, PCI DSS Report on Compliance, or ISO 27001 certification, etc. At RCG’s request, Counterparty shall provide a remediation plan to RCG to remedy such issues at Counterparty’s expense. RCG has the right to review the controls tested as well as the results of third-party assessment reports, and has the right to request additional controls to be added to third party assessments for testing controls that have an impact on RCG data.
2.11 Payment Cardholder Data
If Counterparty accesses, collects, processes, uses, stores, transmits, discloses, or disposes of RCG / RCG Affiliate and/or RCG / RCG Affiliate Credit Card Data, Counterparty agrees to the following additional requirements:
- Counterparty, at its sole expense, shall comply with the PCI DSS, as may be amended or changed from time to time, including without limitation, any and all payment card industry validation actions (e.g., third party assessments, self-assessments, security vulnerability scans, or any other actions identified by payment card companies for the purpose of validating Counterparty’s compliance with the PCI DSS).
- Counterparty shall maintain a continuous PCI DSS compliance program. Annually, Counterparty agrees to provide evidence of PCI DSS compliance in the form of a Qualified Security Assessor (“QSA”) Assessment Certificate, a PCI Report on Compliance (“ROC”), or a PCI Attestation of Compliance (“AOC”).
- Counterparty shall immediately notify RCG if Counterparty is found to be non-compliant with a PCI DSS requirement or if there is any breach of cardholder data impacting RCG or its customers.
3. Protected Data
3.1 Authorized Personnel
Counterparty shall require all Authorized Personnel to meet Counterparty’s obligations under the Agreement with respect to Protected Data. Counterparty shall screen and evaluate all Authorized Personnel and shall provide appropriate privacy and security training, as set forth above, in order to meet Counterparty’s obligations under the Agreement. Upon RCG’s written request, Counterparty shall provide RCG with a list of Authorized Personnel. Counterparty shall remain fully responsible for any act, error, or omission of its Authorized Personnel.
3.2 Handling of Protected Data
Counterparty shall:
- Keep and maintain all Protected Data in strict confidence in accordance with the terms of the Agreement
- Use and disclose Protected Data solely and exclusively for the purpose for which the Protected Data is provided pursuant to the terms and conditions of the Agreement. Counterparty shall not disclose Protected Data to any person other than to Authorized Personnel without RCG’s prior written consent, unless and to the extent required by applicable law, in which case, Counterparty shall use best efforts to notify RCG before any such disclosure or as soon thereafter as reasonably possible. In addition, Counterparty shall not produce any Protected Data in response to a non-legally binding request for disclosure of such Protected Data.
3.3 Data Security
Counterparty agrees to preserve the confidentiality, integrity and accessibility of RCG / RCG Affiliate data with administrative, technical and physical measures that conform to generally recognized Industry Standards and best practices that Counterparty then applies to its own processing environment. Maintenance of a secure processing environment includes, but is not limited to, the timely application of patches, fixes and updates to operating systems and applications as provided by Counterparty or open source support.
3.4 Data Storage
Unless otherwise agreed to in writing by RCG, any and all RCG Protected Data shall be stored, processed, and maintained solely on designated systems located in the continental United States. RCG Protected Data shall not be stored, processed, or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the Counterparty’s designated backup and recovery processes and encrypted in accordance with “3.7. Data Encryption”. Counterparty shall segregate RCG Protected Data from Counterparty’s data and from the data of Counterparty’s other customers or third parties.
3.5 Data Retention and Destruction
Except as required to comply with its recordkeeping or audit requirements or if required by law, Counterparty agrees that any and all data associated with RCG and/or RCG Affiliate transactions shall be irreversibly destroyed when the data is no longer necessary for the purposes for which it was processed. Upon expiration or termination of this Agreement or upon RCG’s written request, Counterparty and its Authorized Personnel shall promptly return to RCG all RCG Protected Data and/or securely destroy RCG / RCG Affiliate Protected Data. At a minimum, destruction of data activity is to be performed according to the standards enumerated by the National Institute of Standards, Guidelines for Media Sanitization – see http://csrc.nist.gov. If destroyed, an officer of Counterparty must certify to RCG in writing within ten (10) business days all destruction of RCG Protected Data. If Counterparty is required to retain any RCG Protected Data or metadata to comply with a legal requirement, Counterparty shall provide notice to both the general notice contact in the Agreement as well as RCG’s designated Security Contact.
3.6 Data Transmission
Counterparty agrees that any and all electronic transmission or exchange of system and application data with RCG and/or any other parties expressly designated by RCG shall take place via secure means (using HTTPS or SFTP or equivalent) and solely in accordance with “4.8. Data Re-Use”.
3.7 Data Encryption
Counterparty agrees to store all RCG and RCG Affiliate backup data as part of its designated backup and recovery processes in encrypted form, using a commercially supported encryption solution. Counterparty further agrees that any and all RCG and/or RCG Affiliates’ Personal Data stored on any portable or laptop computing device or any portable storage medium be likewise encrypted. Encryption solutions shall be deployed with no less than a 128-bit key for symmetric encryption and a 1024 (or larger) bit key length for asymmetric encryption.
3.8 Data Re-Use
Counterparty agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the Agreement and addenda. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of Counterparty. Counterparty further agrees that no RCG data of any kind shall be transmitted, exchanged, or otherwise passed to other interested parties except on a case-by-case basis as specifically agreed to in writing by RCG.
4. Security Incident
4.1 Security Contact
The individuals identified below shall serve as each party’s designated Security Contact for security issues under this Schedule.
RCG Security Contact:
RCG Information Security Department Cyber Threat Response and Investigations Team
- E-Mail: [email protected]
4.2 Incident Response
Counterparty shall take Industry Standard measures to ensure that RCG and its Affiliates are protected against any and all reasonably anticipated Security Incidents, including but not limited to:
- Counterparty’s systems are continually monitored to detect evidence of a Security Incident
- Counterparty has a Security Incident response process to manage and to take corrective action for any suspected or realized Security Incident
- Upon request Counterparty shall provide RCG with a copy of its Security Incident policies and procedures. If a Security Incident affecting RCG or any of its Affiliates occurs, Counterparty, at its expense and in accordance with applicable Data Protection Legislation, shall immediately take action to prevent the continuation of the Security Incident.
4.3 Incident Notification
Counterparty agrees to comply with all applicable laws applicable to it that require the notification of individuals in the event of unauthorized release of RCG or RCG Affiliate Protected Data. In the event of a Security Incident, Counterparty agrees to:
- Notify RCG Information Security Department Incident Response Team by telephone and e-mail of such an event within 24 hours of discovery.
- Upon Counterparty’s notification to RCG of a Security Incident, the parties shall coordinate to investigate the Security Incident. Counterparty shall be responsible for leading the investigation of the Security Incident, but shall cooperate with RCG to the extent RCG requires involvement in the investigation. Counterparty shall involve law enforcement in the investigation if requested by RCG. Depending upon the type and scope of the Security Incident, RCG personnel may participate in: (i) interviews with Counterparty’s employees and subcontractors involved in the incident; and (ii) review of all relevant records, logs, files, reporting data, systems, Counterparty devices, and other materials as otherwise required by RCG.
- Counterparty shall cooperate, at its expense, with RCG in any litigation or investigation deemed reasonably necessary by RCG to protect its rights relating to the use, disclosure, protection and maintenance of Protected Data. Counterparty shall reimburse RCG for actual costs incurred by RCG in responding to, and mitigating damages caused by any Security Incident, including all costs of notice and remediation which RCG, in its sole discretion, deems necessary to protect such affected individuals in light of the risks posed by the Security Incident. Counterparty shall use reasonable efforts to prevent a recurrence of any such Security Incident. Additionally, Counterparty shall provide (or reimburse RCG and its Affiliates) for at least one (1) year of complimentary access for one (1) credit monitoring service, credit protection service, credit fraud alert and/or similar services, which RCG deems necessary to protect affected individuals in light of risks posed by a Security Incident.
- Counterparty shall provide RCG and its relevant Affiliates with a final written incident report within five (5) business days after resolution of a Security Incident or upon determination that the Security Incident cannot be sufficiently resolved.
5. Third Party Location
5.1 Due Diligence
Counterparty shall conduct thorough background checks and due diligence on any third and fourth parties which materially impact Counterparty’s ability to provide the products and/or Services to RCG as described in the Agreement.
5.2 Third Party Location
Counterparty shall not outsource any work related to its products or the Services provided to RCG in countries outside the United States, which have not been disclosed in the Agreement or without prior written approval from RCG Legal and Information Security departments. If Counterparty desires to outsource certain work during the Term of the Agreement, Counterparty shall first notify RCG so that the parties can ensure adequate security protections are in place with respect to the Services provided to RCG.
6. Changes
In the event of any change in RCG’s data protection or privacy obligations due to legislative or regulatory actions, industry standards, technology advances, or contractual obligations, Counterparty shall work in good faith with RCG to promptly amend this Schedule accordingly.