System Audits. At least once per year, at Vendor’s expense, Vendor shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this Agreement, including, but not limited to, PCI Compliance and obtaining a network‐level vulnerability assessment performed by a recognized third‐party audit firm based on the recognized industry best practices. A copy of the site audit will be provided to University’s Contract Administrator. Additionally, upon the Contract Administrator’s written request, Vendor shall make available for Contract Administrator review all of the following, as applicable: Vendor's latest Statement on Standards for Attestation Engagements (SSAE) No. 16 audit reports for Reporting on Controls at a Service Organization (SOC 2) and any reports relating to its ISO/IEC 27001 certification. University shall treat such audit reports as Vendor's Confidential Information under this Agreement. Any exceptions noted on the SSAE report or other audit reports will be promptly addressed with the development and implementation of a corrective action plan by Vendor.
Appears in 2 contracts
Sources: Campus Dining Provider Agreement, Dining Provider Agreement