Common use of Security Audits Clause in Contracts

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II system or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) calendar days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health HCA requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-third- party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.

Security Audits. Contractor shall maintain complete and accurate records relating to its SOC Type II or equivalent’s data protection practices and the security of any of County Data, including any backup, disaster recovery, or other policies, practices or procedures. Further, Contractor shall inform County of any security audit or assessment performed on Contractor’s operations, information security program, or disaster recovery plan that includes County Data, within sixty (60) calendar days of such audit or assessment. Contractor will provide a copy of the audit report to County within thirty (30) days after Contractor’s receipt of request for such report. If Contractor does not perform a SOC Type II or equivalent audit at least once per calendar year, County may perform or have performed by an independent security expert its own such security audits, which may include penetration and security tests of Contractor Systems and operating environments. All such testing shall ensure all pertinent County security standards as well as any HCA/Environmental Health customer agency requirements (e.g., such as federal tax requirements or HIPAA) are in place. Contractor shall reasonably cooperate with all County security reviews and testing, including but not limited to, penetration testing. Contractor shall implement any required safeguards as identified by County or by any audit of Contractor’s data privacy and information security program. In addition, Contractor will provide to County upon request the most recent third-party SOC 2 Type II report. County may also have the right to review Plans of Actions and Milestones (POA&M) for any outstanding items identified by the SOC 2 Type II report requiring remediation as it pertains to the confidentiality, integrity, and availability of County Data. County reserves the right, at its sole discretion, to immediately terminate this Contract or a part thereof without limitation and without liability if County reasonably determines Contractor fails or has failed to meet its obligations under this paragraph.