Assessment Methodology. The SPA methodology herein is based on the standard CMS methodology and is described in the Framework for Independent Assessment of Security and Privacy Controls. The Auditor must prepare and Web-broker must submit a Security Privacy Controls Assessment Test Plan (SAP) that describes the Auditor’s scope and methodology of the assessment. Web-broker must submit the Auditor-prepared SAP at least thirty (30) Days prior to commencing the assessment. The assessment methods may include examination of documentation, logs, and configurations; interviews of personnel; and/or testing of technical controls.

The SPA must provide an accurate depiction of the security and privacy controls in place, as well as potential security and privacy risks, by identifying the following:

a. Application or system vulnerabilities, the associated business and system risks and potential impact;
b. Weaknesses in the configuration management process such as weak system configuration settings that may compromise the confidentiality, integrity, and availability of the system;
c. Web-broker security and privacy policies and procedures; and
d. Major documentation omissions and/or discrepancies.

9 This document is located on CMS zONE at the following link: ▇▇▇▇▇://▇▇▇▇.▇▇▇.▇▇▇/document/privacy-and-security-audit.
Sources: Web Broker Agreement, Web Broker Agreement