Security Testing. The Supplier shall, at its own cost and expense procure and conduct: testing of the Information Management System by a CHECK Service Provider or a CREST Service Provider (“IT Health Check”); and such other security tests as may be required by the Authority. The Supplier shall complete all of the above security tests before the Supplier submits the Security Management Plan to the Authority for review in accordance with Paragraph 4; and it shall repeat the IT Health Check not less than once every 12 months during the Term and submit the results of each such test to the Authority for review in accordance with this Paragraph. In relation to each IT Health Check, the Supplier shall: agree with the Authority the aim and scope of the IT Health Check; promptly, and no later than ten (10) Working Days, following the receipt of each IT Health Check report, provide the Authority with a copy of the full report; in the event that the IT Health Check report identifies any vulnerabilities, the Supplier shall: prepare a remedial plan for approval by the Authority (each a "Vulnerability Correction Plan") which sets out in respect of each vulnerability identified in the IT Health Check report: how the vulnerability will be remedied; unless otherwise agreed in writing between the Parties, the date by which the vulnerability will be remedied, which must be: within three months of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “medium”; within one month of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “high”; and
Appears in 2 contracts
Sources: Services Agreement, Services Agreement
Security Testing. The Provider shall, at its own cost and expense procure and conduct: testing of the Information Management System by a CHECK Service Provider or a CREST Service Provider (“IT Health Check”); and such other security tests as may be required by HSE. The Provider shall: complete all of the above security tests before: the Provider submits the Security Management Plan to HSE for review in accordance with paragraph 4 of this Schedule; and before the Provider is given permission by HSE to Process or manage any HSE Data; and repeat the IT Health Check not less than once every 12 months during the Term and submit the results of each such test to HSE for review in accordance with this paragraph 7. In relation to each IT Health Check, the Provider shall: agree with HSE the aim and scope of the IT Health Check; promptly, and no later than ten (10) Working Days, following the receipt of each IT Health Check report, provide HSE with a copy of the full report; in the event that the IT Health Check report identifies any vulnerabilities, the Provider shall: prepare a remedial plan for approval by HSE (each a "Remediation Action Plan") which sets out in respect of each vulnerability identified in the IT Health Check report: how the vulnerability will be remedied; unless otherwise agreed in writing between the Parties, the date by which the vulnerability will be remedied, which must be: within three months of the date the Provider received the IT Health Check report in the case of any vulnerability categorised with a severity of “medium”; within one month of the date the Provider received the IT Health Check report in the case of any vulnerability categorised with a severity of “high”; and
Appears in 1 contract
Sources: Concession Agreement
Security Testing. The Supplier shall, at its own cost and expense procure and conduct: testing of the Information Management System by a CHECK Service Provider or a CREST Service Provider (“IT Health Check”); and such other security tests as may be required by the Authority. The Supplier shall: complete all of the above security tests before: the Supplier submits the Security Management Plan to the Authority for review in accordance with paragraph 3; and before the Supplier is given permission by the Authority to Process or manage any Authority Data; repeat the IT Health Check not less than once every 12 Months during the Term and submit the results of each such test to the Authority for review in accordance with this paragraph 6. In relation to each IT Health Check, the Supplier shall: agree with the Authority the aim and scope of the IT Health Check; promptly, and no later than 10 Working Days, following the receipt of each IT Health Check report, provide the Authority with a copy of the full report; if the IT Health Check report identifies any vulnerabilities, the Supplier shall: prepare a remedial plan for approval by the Authority (each a "Remediation Plan") which sets out in respect of each vulnerability identified in the IT Health Check report: how the vulnerability will be remedied; unless otherwise agreed in writing between the Parties, the date by which the vulnerability will be remedied, which must be: within 3 Months of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “medium”; within one Month of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “high”; and
Appears in 1 contract
Sources: Contract for Goods
Security Testing. 6.1 The Supplier shall, at its own cost and expense procure and conduct:
(a) testing of the Information Management System by a CHECK Service Provider or a CREST Service Provider (“IT Health Check”); and
(b) such other security tests as may be required by the Authority.
6.2 The Supplier shall:
(a) complete all of the above security tests before:
(i) the Supplier submits the Security Management Plan to the Authority for review in accordance with paragraph 3; and
(ii) before the Supplier is given permission by the Authority to Process or manage any Authority Data
(b) repeat the IT Health Check not less than once every 12 Months during the Term and submit the results of each such test to the Authority for review in accordance with this paragraph 6.
6.3 In relation to each IT Health Check, the Supplier shall:
(a) agree with the Authority the aim and scope of the IT Health Check;
(b) promptly, and no later than 10 Working Days, following the receipt of each IT Health Check report, provide the Authority with a copy of the full report;
(c) if the IT Health Check report identifies any vulnerabilities, the Supplier shall:
(i) prepare a remedial plan for approval by the Authority (each a "Remediation Plan") which sets out in respect of each vulnerability identified in the IT Health Check report:
(A) how the vulnerability will be remedied;
(B) unless otherwise agreed in writing between the Parties, the date by which the vulnerability will be remedied, which must be:
(1) within 3 Months of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “medium”;
(2) within one Month of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “high”; and
(3) within 7 Working Days of the date the Supplier received the IT Health Check report in the case of any vulnerability categorised with a severity of “critical”;
(C) the tests which the Supplier shall perform or procure to be performed (which may, at the discretion of the Authority, include a further IT Health Check) to confirm that the vulnerability has been remedied;
(ii) comply with the Remediation Plan; and
(iii) conduct such further tests on the Service as are required by the Remediation Plan to confirm that the Remediation Plan has been complied with.
6.4 The Supplier shall ensure that any testing which could adversely affect the Supplier System shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such tests shall be agreed in advance with the Authority.
6.5 If any testing conducted by or on behalf of the Supplier identifies a new risk, new threat, vulnerability or exploitation technique that has the potential to affect the security of the Information Management System, the Supplier shall, within 2 Working Days of becoming aware of such risk, threat, vulnerability or exploitation technique, provide the Authority with a copy of the test report and:
(a) propose interim mitigation measures to vulnerabilities in the Information Management System known to be exploitable where a security patch is not immediately available; and
(b) where and to the extent applicable, remove or disable any extraneous interfaces, services or capabilities that are not needed for the provision of the Services (in order to reduce the attack surface of the Supplier System) within the timescales set out in the test report or such other timescales as may be agreed with the Authority.
6.5 The Supplier shall conduct such further tests of the Supplier System as may be required by the Authority from time to time to demonstrate compliance with its obligations set out in this Schedule 6 and the Contract.
6.7 The Supplier shall notify the Authority immediately if it fails to, or believes that it will not, mitigate the vulnerability within the timescales set out in paragraph 6.3.
Appears in 1 contract
Sources: Contract for Services