Malicious Software16

20.9.  The Service Provider shall, as an enduring obligation throughout the Contract Period, use the latest versions of anti-virus definitions available from an industry accepted anti-virus software vendor and in accordance with Good Industry Practice to check for and delete Malicious Software from the ICT Environment

20.10.  Notwithstanding clause 20.9, if Malicious Software is found, the parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Authority Data, assist each other to mitigate any losses and to restore the Services to their desired operating efficiency.  

20.11.  Any cost arising out of the actions of the parties taken in compliance with the provisions of clause 20.10 shall be borne by the parties as follows:

20.11.1.  by the Service Provider where the Malicious Software originates from the Service Provider Software, the Third Party Software or the Authority Data (whilst the Authority Data was under the control of the Service Provider); and

20.11.2.  by the Authority if the Malicious Software originates from the Authority Software or the Authority Data (whilst the Authority Data was under the control of the Authority).

20.12.  In addition to the Service Provider's obligations under clause 19 (Data Protection), the Service Provider shall establish and maintain reasonable and appropriate security measures and procedures to provide for the safe custody of the Authority Data and to prevent unauthorised access thereto or use thereof.

20.13.  Viruses

20.13.1.  The Service Provider shall use its reasonable endeavours to ensure that no electronic viruses or similar items are introduced into any software or solution or equipment of the Authority or the Service Provider (if used for the provision of the Services) and the Service Provider shall, promptly upon the discovery of any such virus, use its reasonable efforts to eliminate such virus and mitigate its effect.

20.13.2.  The Service Provider shall ensure that at all times, its anti-virus software is up to date and in accordance with Good Industry Practice.

__________________________________________________________________________________________

16  Guidance: Rather than going into too much detail in this clause, it is better to have a specific technical section in the Output Specification setting out what is required by way of anti-virus measures and amend clauses 20.9 to 20.13 to accordingly.  The Authority should consider, for example, responsibility for the management of any network, in particular responsibility for managing firewalls and gateway guards, and for procedures, including acceptable use policies. When setting out responsibility for the consequences of the infection of computer systems by a virus the Authority will need to consider the possible causes of infection, including the possibility that the virus originates from the Internet and not from the Authority's or the Service Provider's system.