A. The COMMISSION’s data must be located and remain within the continental United States.

B. Vendor shall use commercially reasonable resources and efforts to maintain adequate internet connection bandwidth and service capacity, and shall ensure that its data center and/or other Vendors performing subcontracted services have industry standard physical, technical, human, and administrative controls.

C. Vendor shall house all services and equipment in an operational environment that meets industry standards, including climate control, fire and safety hazard detection, redundancy, electrical needs, and physical security.

D. If access is required, then the Azure cloud platform must be used for authentication and authorization, and the Identity Provider must be the COMMISSION's Azure AD tenant.

E. For any system accessing COMMISSION resources, Azure or Cisco Duo Multi-Factor Authentication must be supported and used.

F. When SAML authentication is used for any system, the Vendor must use Service Provider-initiated authentication.

G. PTC uses a centralized Identity and Access Management (IAM) solution for managing identity and access lifecycle tasks for employees, consultants, Business Partners (BPs), non-network accounts, and system accounts. For all applications (on-prem and cloud-based) and systems, the IAM lifecycle tasks such as provisioning, de-provisioning, profile updates, and application authorization role assignment or removal must be managed by PTC’s IAM system (myIdentity). This applies to individual user accounts as well as to system accounts associated with the applications and systems, such as service accounts and privileged accounts.

H. All cloud-based/hosted systems using HTTPS, or any other protocol using SSL/TLS, must use TLS 1.2 or later with a key size no smaller than 2048 bits.

I. For public-facing systems, the Vendor shall utilize a third-party certificate provider that is a recognized and trusted authority in the industry.

J. The Vendor is responsible for sending the COMMISSION system/network vulnerability scan results upon request.

K. The Vendor will supply firewall and IPS logs of malicious intrusion and access attempts into hosted COMMISSION systems in the event of a security incident, to assist with an investigation.

L. Vendors must have, and upon request by the COMMISSION shall make viewable to the PTC, information security policies that cover the following elements:
o Data classification and privacy
o Security training and awareness
o Systems administration, patching, and configuration
o Application development and code review
o Incident response
o Workstation management, mobile devices, and antivirus
o Backups, disaster recovery, and business continuity
o Regular audits and testing
o Requirements for third-party business partners and contractors