Common use of Information Security Reviews Clause in Contracts

Information Security Reviews. During the Term, County may perform information security reviews on any County Systems, Assets, or facilities used by Vendor to provide the Services hereunder (“Reviews”). The Reviews may include physical inspection, external scan, internal scan, code review, process reviews, and reviews of system configurations. The Reviews may be conducted, at County’s discretion and at County’s expense, by County, another Affiliate, or their designees, including third party consultants or other providers retained by County. The Reviews may include unannounced penetration, vulnerability assessments, and security tests, as it relates to the receipt, maintenance, use, or retention of County’s Confidential Information or County Data in which case County shall provide contemporaneous notice to Vendor. Vendor hereby grants permission to County to perform the Reviews per the agreed upon scope and methodology; provided, however, that any such Review shall be conducted by County, another Affiliate or their designees, as applicable. To the fullest extent permitted by law, Vendor hereby waives the benefit of any state or federal law which may provide a cause of action against County and its Affiliates based upon Reviews permitted under this Section 29.5 (Information Security Reviews) and conducted pursuant to the agreed upon scope and methodology. Should any Review result in the discovery of material security risks to the County Systems, Equipment, Software, networks, or facilities used by Vendor to provide the Services, County shall promptly notify Vendor of such risks, and Vendor shall respond to County in writing within three (3) days with Vendor’s plan to take reasonable measures to promptly correct, repair, or modify the applicable County System, Assets, or facility to effectively eliminate such risks at no cost to County. Upon County’s approval, Vendor shall implement such plan as quickly as practicable. Should Vendor fail to take reasonable measures to remedy the identified risk, County may terminate this Agreement for cause effective immediately.