Common use of Assessment Methodology Clause in Contracts

Assessment Methodology. The SPA assessment methodology described herein is based on the standard CMS methodology used in the assessment of all CMS internal and business partner information systems. The Non-Exchange Entity shall prepare an assessment plan to evaluate any system vulnerabilities. The assessment methods may include examination of documentation, logs, and configurations; interviews of personnel; and/or testing of technical controls. The SPA assessment shall provide an accurate depiction of the security and privacy controls in place, as well as potential security and privacy risks, by identifying the following: a. Application or system vulnerabilities, the associated business and system risks and potential impact; b. Weaknesses in the configuration management process such as weak system configuration settings that may compromise the confidentiality, integrity, and availability of the system; c. Non-Exchange Entity security and privacy policies and procedures; and d. Major documentation omissions and/or discrepancies.

Appears in 1 contract

Sources: Web Broker Agreement (eHealth, Inc.)

Assessment Methodology. The SPA assessment methodology described herein is based on the standard CMS methodology used in the assessment of all CMS internal and business partner information systems. The Non-Exchange Entity shall prepare an assessment plan to evaluate any system vulnerabilities. The assessment methods may include examination of documentation, logs, and configurations; interviews of personnel; and/or testing of technical controls. The SPA assessment shall provide an accurate depiction of the security and privacy controls in place, as well as potential security and privacy risks, by identifying the following: a. Application or system vulnerabilities, the associated business and system risks and potential impact; b. Weaknesses in the configuration management process such as weak system configuration settings that may compromise the confidentiality, integrity, and availability of the system; c. Non-Exchange Entity security and privacy policies and procedures; and d. Major documentation omissions and/or discrepancies.

Appears in 1 contract

Sources: Web Broker Agreement