Audit and Testing. a. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/resources/2020/4/higher-education-community-vendor-assessment-toolkit). Evidence must be provided to the University prior to this Agreement and at least annually thereafter.
b. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor’s generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results.
c. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to an annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.
Appears in 2 contracts
Sources: Information Security and Privacy Addendum, Information Security and Privacy Addendum
Audit and Testing. a. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/resources/2020/4/higher-education-community-vendor-assessment-toolkit). Evidence must be provided to the University prior to this Agreement and at least annually thereafter.
b. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor’s generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results.
c. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to an annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.
Appears in 2 contracts
Sources: Information Security and Privacy Addendum, Information Security and Privacy Addendum
Audit and Testing. a. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/resources/2016/10/higher-education-cloud-vendor-assessment-tool). Evidence must be provided to the University prior to this Agreement and at least annually thereafter.
b. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor’s generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results.
c. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to an annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.
Appears in 1 contract
Audit and Testing. 7.1 The Cyber Security Management Plan shall provide for the Supplier to:
7.1.1 conduct compliance audits of the ISMS as per the ISO/IEC 27001 standard certification requirements;
7.1.2 conduct compliance tests of the Cyber Security Management Plan implementation six (6) months after the Commencement Date and then on a quarterly basis;
7.1.3 as appropriate to the performance of its obligations under this Agreement conduct vulnerability scans, as required in the CSIA Document Policy Set;
7.1.4 conduct tests including penetration tests of its Cyber Security Management Plan using independent testers and in line with Good Industry Practice, as required in the CSIA Document Policy Set;
7.1.5 ensure an Information Security Health Check (ISHC), as required in the CSIA Policy Document Set, is performed at least annually by an approved and reputable external CREST (Council for Registered Ethical Security Testers) service provider and that a report detailing any remediation required is presented to the Customer within fifteen (15) working days of the delivery of the report to the Supplier, for review and agreement on remediation. Once agreed, a remediation plan (containing a prioritised road map containing issues, their impact or severity, proposed fixes, target completion date and ownership) must be presented to the Customer within ten (10) for approval. The Supplier shall implement the agreed remediation plan and conduct relevant testing to ensure the remediation has been implemented correctly and has addressed the issues identified in the ISHC;
7.1.6 agree the date, timing, content and conduct of such tests in advance with the Customer;
7.1.7 maintain evidence of compliance with this Schedule and the CSIA Policy Document Set and provide this evidence in accordance with this Paragraph 7 or as reasonably requested by the Customer;
7.1.8 where applicable assist with forensic investigations as required by the Customer;
7.1.9 where applicable assist with such additional ISHCs, including applications security testing, physical security reviews, wireless testing and vulnerability scans as required by the Customer;
7.1.10 allow the Customer to send a representative to witness the conduct of the ISHC and the testing conducted in accordance with this Paragraph 7. The Supplier shall provide the Customer with the results of such tests (in a form approved by the Customer in advance) as soon as practicable after completion of each such test;
7.1.11 subject to Paragraph 7, on a minimum of seven (7) days’ prior written notice given by the Customer to the Supplier, allow the Customer at any time to carry out such tests (including penetration tests) as it may reasonably require on systems dedicated to the performance of the Supplier’s obligations under this Agreement, in relation to the ISMS and the Supplier’s compliance with the ISMS and the Cyber Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test; and
7.1.12 promptly notify the Customer, where any security tests carried out pursuant to this Paragraph 7 reveal any actual, potential or attempted Breach of Security, potential security failure or weakness, of any changes to the ISMS and to the Cyber Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to rectify appropriately such failure or weakness in accordance with Paragraph 6.4. For the purposes of this Paragraph 7.1.12, weakness means vulnerability in security and a potential security failure means a possible breach of the Cyber Security Management Plan or security requirements detailed in the CSIA Policy Document Set.
7.2 Subject to Paragraph 7.4, on a minimum of seven (7) days’ prior written notice given by the Customer to the Supplier the Customer is entitled from time to time during the term of this Agreement and for up to twelve (12) months thereafter to require the Supplier to permit or procure permission for a duly authorised employee or representative, a competent authority, or external auditor of the Customer (an “Auditor”), to:
7.2.1 audit the Supplier’s records, systems and procedures (whether current or past) to:
(a) assess whether any [Charges] have been properly calculated in accordance with this Agreement;
(b) assess the compliance of the Supplier with this Agreement;
(c) audit and monitor activities relating to the Customer’s [Confidential Information];
(d) review the Supplier’s processes and controls in relation to the performance of the Supplier’s obligations under this Agreement;
(e) assess and review compliance with the CSIA Policy Document Set;
(f) assess the Supplier’s security arrangement and controls in relation to Customer Data; and
(g) to carry out any right or duty conferred or imposed by Applicable Laws and Standards; and
7.2.2 carry out such tests (including penetration tests) as it may reasonably require on systems used in relation to the performance of the Supplier’s obligations under this Agreement, in relation to the ISMS and the Supplier’s compliance with the ISMS and the Cyber Security Management Plan.
7.3 Where in the reasonable opinion of the Customer it is not able to give the notice required by Paragraph 7.2 because of the urgency or the seriousness of the circumstances (which shall include a suspected breach of this Agreement) the notice period specified in Paragraph 7.2 above shall not apply.
7.4 The Supplier shall for the purpose of the audit and testing (as applicable) provide or procure access to the records, premises, equipment, systems, procedures and staff as may be reasonably necessary or desirable in connection with the audit, and shall permit the Auditor to take copies of relevant documents and data.
7.5 Subject to the approval of the Customer, the Supplier shall as soon as reasonably practicable correct any omissions or failures in the Supplier’s records, systems or procedures which have been identified by an Auditor (or otherwise).
7.6 Within one (1) month after receipt of a copy of or extract from the Auditor’s report, the Supplier shall present a plan to the Customer showing how these measures have been or shall be taken.
7.7 The Supplier shall report on the implementation of any remedial action in accordance with the agreed timetable.
7.8 The corrections referred to in Paragraphs 7.5 to 7.7 (inclusive) shall be undertaken at the Supplier’s cost.
Appears in 1 contract
Sources: Services Agreement
Audit and Testing. a. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/resources/2016/10/higher-education-cloud-vendor-assessment-tool). Evidence must be provided to the University prior to this Agreement and at least annually thereafter.
b. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor’s generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results.
c. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to an annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.
Appears in 1 contract
Audit and Testing. a. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/resources/2020/4/higher-education-community-vendor-assessment-toolkit). Evidence must be provided to the University prior to this Agreement and at least annually thereafter.
b. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor’s generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results.
c. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to an annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.
Appears in 1 contract