Common use of The Certification Clause in Contracts

The Certification Process. Once the EIEP has successfully satisfied Phase 1, SSA will conduct an onsite certification review. The objective of the onsite review is to ensure the EIEP's non-technical and technical controls safeguard SSA-provided information from misuse and improper disclosure and that those safeguards function and work as intended. At its discretion, SSA may request that the EIEP participate in an onsite review and compliance certification of their security infrastructure. The onsite review may address any or all of SSA's security requirements and include, when appropriate:

• a demonstration of the EIEP's implementation of each requirement
• random sampling of audit records and transactions submitted to SSA
• a walkthrough of the EIEP's data center to observe and document physical security safeguards
• a demonstration of the EIEP's implementation of electronic exchange of data with SSA
• discussions with managers/supervisors
• examination of management control procedures and reports (e.g., anomaly detection reports, etc.)
• demonstration of technical tools pertaining to user access control and, if appropriate, browsing prevention, specifically:
  o If the design is based on a permission module or similar design, or it is transaction driven, the EIEP will demonstrate how the system triggers requests for information from SSA.
  o If the design is based on a permission module, the EIEP will demonstrate how the process for requests for SSA-provided information prevents SSNs not present in the EIEP's system from sending requests to SSA. We will attempt to obtain information from SSA using at least one randomly created, fictitious number not known to the EIEP's system.

During a certification or compliance review, SSA, or a certifier acting on its behalf, may request a demonstration of the EIEP's audit trail system (ATS) and its record retrieval capability. The certifier may request a demonstration of the ATS' capability to track the activity of employees who have the potential to access SSA-provided information within the EIEP's system. The certifier may request more information from those EIEPs who use an STC to handle and audit transactions. We will conduct a demonstration to see how the EIEP obtains audit information from the STC regarding the EIEP's SSA transactions. If an STC handles and audits an EIEP's transactions, SSA requires the EIEP to demonstrate both their own in-house audit capabilities and the process used to obtain audit information from the STC.

If the EIEP employs a contractor who processes, handles, or transmits the EIEP's SSA-provided information offsite, SSA, at its discretion, may include the contractor's facility in the onsite certification review. The inspection may occur with or without a representative of the EIEP.

Upon successful completion of the onsite certification exercise, SSA will authorize electronic access to production data by the EIEP. SSA will provide written notification of its certification to the EIEP and all appropriate internal SSA components. The following is a high-level flow chart of the OIS Certification Process:
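As an added illustration of the two controls the review demonstrates (a permission module that only lets SSNs already in the EIEP's system trigger a request to SSA, and an audit trail that records every attempt per employee), with the certifier's fictitious-number probe run against it. This is example code, not SSA's or any EIEP's system; `PermissionModule`, `request_from_ssa`, the transaction model and the SSN format check are hypothetical.

```python
import random
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

@dataclass
class PermissionModule:
    """Gate on the EIEP -> SSA request path (hypothetical design, not SSA's)."""
    known_ssns: set          # SSNs present in the EIEP's own case records
    open_transactions: set   # (employee_id, ssn) pairs with an active case
    audit_trail: list = field(default_factory=list)

    def _audit(self, employee_id, ssn, outcome, reason):
        # Every attempt is logged, allowed or denied, so the ATS can show which
        # employee touched which record and when; only the SSN's last 4 are kept.
        self.audit_trail.append({"ts": datetime.now(timezone.utc).isoformat(),
                                 "employee": employee_id, "ssn_last4": ssn[-4:],
                                 "outcome": outcome, "reason": reason})

    def request_from_ssa(self, employee_id, ssn):
        """Return True only when a request to SSA would actually be sent."""
        if not SSN_RE.match(ssn):
            self._audit(employee_id, ssn, "denied", "malformed SSN")
            return False
        if ssn not in self.known_ssns:
            self._audit(employee_id, ssn, "denied", "SSN not in EIEP system")
            return False
        if (employee_id, ssn) not in self.open_transactions:
            self._audit(employee_id, ssn, "denied", "no open transaction for employee")
            return False
        self._audit(employee_id, ssn, "allowed", "transaction-driven request")
        return True   # the real system would transmit the request here

def fictitious_ssn(known, rng=None):
    """Certifier's probe: a well-formed random SSN guaranteed absent from the system."""
    rng = rng or random.Random()
    while True:
        cand = f"{rng.randint(100, 899):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"
        if cand not in known:
            return cand

def certification_probe(pm, employee_id="E100"):
    """Negative test: the fictitious number must be blocked and the block audited."""
    ssn = fictitious_ssn(pm.known_ssns)
    sent = pm.request_from_ssa(employee_id, ssn)
    last = pm.audit_trail[-1]
    return (not sent) and last["outcome"] == "denied" and last["ssn_last4"] == ssn[-4:]
```

The constructed case records below use a sample SSN; a real deployment would back `known_ssns` and `open_transactions` with the EIEP's case database rather than in-memory sets.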


Sources: Computer Matching and Privacy Protection Act Agreement, Computer Matching and Privacy Protection Act Agreement