Common use of Security Audits Clause in Contracts

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC system and Organization Controls (SOC) Type II audits or equivalent’s data protection practices practices, internal and external audits, and the security of any of County DataCounty-hosted content, including any confidentiality, integrity, and availability operations (data hosting, backup, disaster recovery, external dependencies management, vulnerability testing, penetration testing, patching, or other related policies, practices practices, standards, or procedures). Further, Contractor shall inform County of any internal/external security audit or assessment performed on Contractor’s operations, information and cyber security program, or disaster recovery plan plan, and prevention, detection, or response protocols that includes are related to hosted County Datacontent, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health requirements (e.g., such as federal tax requirements or HIPAA) are in placereport(s). Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, to penetration testingtesting of any cloud-based solution provided by Contractor to County under this Contract. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information information/cyber security program. In addition, Contractor will provide to County upon request the most recent third-party SOC 2 Type II report. County may also have has the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Datadata. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability to County if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraphsection.

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) calendar days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health HCA requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-third- party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.