Common use of Audit and Testing Clause in Contracts

Audit and Testing. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (xxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2020/4/higher-education-community-vendor-assessment-toolkit). Evidence must be provided to the University prior to this Agreement and at least annually thereafter. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor' generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at xxxxxxxx@xxxxxxx.xxx. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.

Audit and Testing. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (xxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2020/4/higher-education-community-vendor-assessment-toolkitxxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2020/4/higher-education-community-vendor-assessment-toolkit11). Evidence must be provided to the University prior to this Agreement and at least annually thereafter. thereafter.12 Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor' generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at xxxxxxxx@xxxxxxx.xxx. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by UniversityUniversity13. The University reserves the right to annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.

Audit and Testing. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (xxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2020/4/higher-education-community-vendor-assessment-toolkitxxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2016/10/higher-education-cloud-vendor-assessment-tool11). Evidence must be provided to the University prior to this Agreement and at least annually thereafter. thereafter.12 Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor' generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at xxxxxxxx@xxxxxxx.xxx. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by UniversityUniversity13. The University reserves the right to annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.

Audit and Testing. Vendor will complete one of the following audits at least annually and immediately after any actual or reasonably suspected Security Incident: SOC 2 Type II, SOC for Cybersecurity, or an accepted Higher Education Cloud Vendor Assessment Tool (xxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2020/4/higher-education-community-vendor-assessment-toolkitxxxxx://xxxxxxx.xxxxxxxx.xxx/resources/2016/10/higher-education-cloud-vendor-assessment-tool). Evidence must be provided to the University prior to this Agreement and at least annually thereafter. Prior to this Agreement, and at regular intervals of no less than annually and whenever a change is made which may impact the confidentiality, integrity, or availability of University Data, and in accordance with industry standards and best practices, Vendor will, at its expense, perform scans for unauthorized applications, services, code and system vulnerabilities on the networks and systems used to perform services related to this Agreement (“Security Tests”). An initial report must be provided to the University prior to this Agreement. Vendor will provide the University the reports or other documentation resulting from the audits, certifications, scans and tests within five (5) business days of Vendor' generation or receipt of such results. If any critical finding is identified, Vendor agrees to notify the University and remediate the critical finding within thirty (30) days. Any critical finding not remediated within thirty (30) days must be reported to University at xxxxxxxx@xxxxxxx.xxx. All other findings must be remediated within ninety (90) days. At University’s request, Vendor will promptly provide written attestation that required Security Tests, independent audits, and/or a DPIA have been conducted either by a qualified Representative or by a third party in the prior twelve months. The University may require the Vendor to perform additional audits and tests, the results of which will be provided to the University within five (5) business days of the Vendor’s receipt of such results. Vendor agrees to take reasonable steps to assist University in maintaining the accuracy of such University Data under the control of Vendor, including synchronizing relevant Systems, databases, or applications, as deemed necessary by University. The University reserves the right to annual, at a minimum, review of: Vendor’s access reports related to access to University Data; Vendor’s patch management process, schedules, and logs; findings of vulnerability scans and/or penetration tests of Vendor systems; and Vendor development standards and processes.