Common use of Procurement Controls Clause in Contracts

Procurement Controls. 2.2.20.1 Breach notification requirements clause to be included in new or renewal contracts (once policy is effective) for systems containing sensitive information. Contractor shall report to the County within 24 hours as defined in this contract when Contractor becomes aware of any suspected data breach of Contractor’s or Sub-Contractor’s systems involving County’s data. 2.2.20.2 Departments shall review all procurements and renewals for software and equipment (hosted/managed by the vendor) that transmits, stores, or processes sensitive information to ensure that vendors and contractors are aware of and are in compliance with County’s cybersecurity policies. Departments shall obtain documentation supporting the business partners, contractors, consultants, or vendors compliance with County’s cybersecurity policies such as: • SOC 1 Type 2 • SOC 2 Type 2 • Security Certifications (ISO, PCI, etc.) • Penetration Test Results

Procurement Controls. 2.2.20.1 Breach notification requirements clause to be included in new or renewal contracts (once policy is effective) for systems containing sensitive information. Contractor shall report to the County within 24 hours as defined in this contract when Contractor becomes aware of any suspected data breach of Contractor’s or Sub-Contractor’s systems involving County’s data. 2.2.20.2 Departments shall review all procurements and renewals for software and equipment (hosted/managed by the vendor) that transmits, stores, or processes sensitive information to ensure that vendors and contractors are aware of and are in compliance with County’s cybersecurity policies. Departments shall obtain documentation supporting the business partners, contractors, consultants, or vendors compliance with County’s cybersecurity policies policies, if applicable, such as: • SOC 1 Type 2 • SOC 2 Type 2 • Security Certifications (ISO, PCI, etc.) • Penetration Test Results:

Procurement Controls. 2.2.20.1 Breach notification requirements clause to be included in new or renewal contracts (once policy is effective) for systems containing sensitive information. . 2.2.20.2 Contractor shall report to the County immediately or within 24 hours as defined in this contract when Contractor contractor becomes aware of any potential or suspected data breach of Contractorcontractor’s or Sub-Contractorsubcontractor’s systems involving County’s data. 2.2.20.2 2.2.20.3 Departments shall review all procurements and renewals for software and equipment (hosted/managed by the vendorcontractor) that transmits, stores, or processes sensitive information to ensure that vendors and contractors are aware of and are in compliance with County’s cybersecurity policiespolicies if applicable. Departments shall obtain documentation supporting the business partners, contractors, or consultants, or vendors ’ compliance with County’s cybersecurity policies such as: • SOC 1 Type 2 • SOC 2 Type 2 • Security Certifications (ISO, PCI, etc.) • FedRAMP certification • Penetration Test Results