Common use of Audits and compliance Clause in Contracts

Audits and compliance.
(a) The Supplier must audit its compliance with its Security Program and security obligations under this Agreement in accordance with any timeframes specified in the Order Documents and, where no such timeframes are specified, on an annual basis.
(b) The Supplier must provide the Customer, at the Customer's request, with electronic copies of:
    (i) any security certifications required by this clause 21 and a copy of each renewal of these certifications;
    (ii) a description of the Supplier's information security management system and cyber security management system;
    (iii) all reports relating to:
        A. any external or internal audits of the Supplier's security systems (to be provided for the most recent period available), including follow-up reports on audit action items; and
        B. where applicable, the integrity of any data backups required to be undertaken as part of the Supplier's Activities;
    (iv) evidence that a vulnerability and security management process is in place within its organisation that includes ongoing and routine vulnerability scanning, patching and coverage verification, with a frequency commensurate with any applicable security requirements specified in the Order Form, or where no requirements are specified, Best Industry Practice. This can include copies of relevant policies, scan results, vulnerability reports, registers of vulnerabilities and patch reports;
    (v) evidence that (if applicable) penetration and security testing (including any Acceptance Tests set out in the Order Form) are carried out:
        A. prior to, and directly after, new systems are moved into production or in the event of a significant change to the configuration of any existing system; or
        B. at such other times specified in the Order Form; and
    (vi) evidence that high and extreme Inherent Risks identified in audits, vulnerability scans and tests have been remediated,
    which must contain (at a minimum) full and complete details of information and reports insofar as they relate to the Supplier's Activities. Where the Supplier is not permitted to provide the Customer with any of the foregoing (due to confidentiality obligations to third parties or because to do so would cause the Supplier to breach any Law or relevant security certification that the Supplier is subject to), the Supplier may (acting reasonably) redact those components that it is not permitted to provide to the Customer but only to the fullest extent needed to prevent the Supplier's non-compliance.
(c) Without limiting clause 11.3(a)(ii), the Supplier must run initial and annual mandatory security awareness training for all of the Supplier's Personnel involved in carrying out the Supplier's Activities under this Agreement and ensure that those Personnel have completed the initial training prior to carrying out the Supplier's Activities.
(d) At the Customer's request, the Supplier must implement any audit findings or recommendations arising from an audit conducted under clause 21.3(a) and reasonably demonstrate to the Customer the implementation of such findings and recommendations.

Appears in 2 contracts

Samples: Ict Agreement, Ict Agreement (Icta)


Audits and compliance.
(a) The Supplier must audit its compliance with its Security Program and security obligations under this Agreement in accordance with any timeframes specified in the Order Documents and, where no such timeframes are specified, on an annual basis.
(b) The Supplier must provide the Customer, at the Customer's request, with electronic copies of:
    (i) any security certifications required by this clause 21 and a copy of each renewal of these certifications;
    (ii) a description of the Supplier's information security management system and cyber security management system;
    (iii) all reports relating to:
        A. any external or internal audits of the Supplier's security systems (to be provided for the most recent period available), including follow-up reports on audit action items; and
        B. where applicable, the integrity of any data backups required to be undertaken as part of the Supplier's Activities;
    (iv) evidence that a vulnerability and security management process is in place within its organisation that includes ongoing and routine vulnerability scanning, patching and coverage verification, with a frequency commensurate with any applicable security requirements specified in the Order Form, or where no requirements are specified, Best Industry Practice. This can include copies of relevant policies, scan results, vulnerability reports, registers of vulnerabilities and patch reports;
    (v) evidence that (if applicable) penetration and security testing (including any Acceptance Tests set out in the Order Form) are carried out:
        A. prior to, and directly after, new systems are moved into production or in the event of a significant change to the configuration of any existing system; or
        B. at such other times specified in the Order Form; and
    (vi) evidence that high and extreme Inherent Risks identified in audits, vulnerability scans and tests have been remediated,
    which must contain (at a minimum) full and complete details of information and reports insofar as they relate to the Supplier's Activities. Where the Supplier is not permitted to provide the Customer with any of the foregoing (due to confidentiality obligations to third parties or because to do so would cause the Supplier to breach any Law or relevant security certification that the Supplier is subject to), the Supplier may (acting reasonably) redact those components that it is not permitted to provide to the Customer but only to the fullest extent needed to prevent the Supplier's non-compliance.
(c) Without limiting clause 11.3(a)(ii), the Supplier must run initial and annual mandatory security awareness training for all of the Supplier's Personnel involved in carrying out the Supplier's Activities under this Agreement and ensure that those Personnel have completed the initial training prior to carrying out the Supplier's Activities.
(d) At the Customer's request, the Supplier must implement any audit findings or recommendations arising from an audit conducted under clause 21.3(a) and reasonably demonstrate to the Customer the implementation of such findings and recommendations.

Appears in 1 contract

Samples: Ict Agreement (Icta)

Audits and compliance.
(a) The Supplier must audit its compliance with its Security Program and security obligations under this Agreement in accordance with any timeframes specified in the Order Documents and, where no such timeframes are specified, on an annual basis.
(b) The Supplier must provide the Customer, at the Customer's request, with electronic copies of:
    (i) any security certifications required by this clause 21 and a copy of each renewal of these certifications;
    (ii) a description of the Supplier's information security management system and cyber security management system;
    (iii) all reports relating to:
        A. any external or internal audits of the Supplier's security systems (to be provided for the most recent period available), including follow-up reports on audit action items; and
        B. where applicable, the integrity of any data backups required to be undertaken as part of the Supplier's Activities;
    (iv) evidence that a vulnerability and security management process is in place within its organisation that includes ongoing and routine vulnerability scanning, patching and coverage verification, with a frequency commensurate with any applicable security requirements specified in the Order Form, or where no requirements are specified, Best Industry Practice. This can include copies of relevant policies, scan results, vulnerability reports, registers of vulnerabilities and patch reports;
    (v) evidence that (if applicable) penetration and security testing (including any Acceptance Tests set out in the Order Form) are carried out:
        A. prior to, and directly after, new systems are moved into production or in the event of a significant change to the configuration of any existing system; or
        B. at such other times specified in the Order Form; and
    (vi) evidence that high and extreme Inherent Risks identified in audits, vulnerability scans and tests have been remediated,
    which must contain (at a minimum) full and complete details of information and reports insofar as they relate to the Supplier's Activities. Where the Supplier is not permitted to provide the Customer with any of the foregoing (due to confidentiality obligations to third parties or because to do so would cause the Supplier to breach any Law or relevant security certification that the Supplier is subject to), the Supplier may (acting reasonably) redact those components that it is not permitted to provide to the Customer but only to the fullest extent needed to prevent the Supplier's non-compliance.
(c) Without limiting clause 11.3(a)(ii), the Supplier must run initial and annual mandatory security awareness training for all of the Supplier's Personnel involved in carrying out the Supplier's Activities under this Agreement and ensure that those Personnel have completed the initial training prior to carrying out the Supplier's Activities.
(d) At the Customer's request, the Supplier must implement any audit findings or recommendations arising from an audit conducted under clause 21.3(a) and reasonably demonstrate to the Customer the implementation of such findings and recommendations.

Appears in 1 contract

Samples: Ict Agreement (Icta)


Audits and compliance.
(a) The Supplier must audit its compliance with its Security Program and security obligations under this Agreement in accordance with any timeframes specified in this Agreement and, where no such timeframes are specified, on an annual basis.
(b) The Supplier must provide the Customer, at the Customer's request, with electronic copies of:
    (i) any security certifications required by this clause 18 and a copy of each renewal of these certifications;
    (ii) a description of the Supplier's information security management system and cyber security management system;
    (iii) all reports relating to:
        A. any external or internal audits of the Supplier's security systems (to be provided for the most recent period available), including follow-up reports on audit action items; and
        B. where applicable, the integrity of any data backups required to be undertaken as part of the Supplies;
    (iv) evidence that a vulnerability and security management process is in place within its organisation that includes ongoing and routine vulnerability scanning, patching and coverage verification, with a frequency commensurate with any applicable security requirements specified in this Agreement, or where no requirements are specified, Best Industry Practice. This can include copies of relevant policies, scan results, vulnerability reports, registers of vulnerabilities and patch reports;
    (v) evidence that (if applicable) penetration and security testing (including any Acceptance Tests required to be performed under this Agreement) are carried out:
        A. prior to, and directly after, new systems are moved into production or in the event of a significant change to the configuration of any existing system; or
        B. at such other times specified in this Agreement; and
    (vi) evidence that high and extreme Inherent Risks identified in audits, vulnerability scans and tests have been remediated,
    which must contain (at a minimum) full and complete details of information and reports insofar as they relate to the Supplies. Where the Supplier is not permitted to provide the Customer with any of the foregoing (due to confidentiality obligations to third parties or because to do so would cause the Supplier to breach any Law or relevant security certification that the Supplier is subject to), the Supplier may (acting reasonably) redact those components that it is not permitted to provide to the Customer but only to the minimum extent needed to prevent the Supplier's non-compliance.
(c) Without limiting clause 10.1(a)(ii), the Supplier must run initial and annual mandatory security awareness training for all of the Supplier's Personnel involved in supplying the Supplies under this Agreement and ensure that those Personnel have completed the initial training prior to supplying the Supplies.
(d) At the Customer's request, the Supplier must implement any audit findings or recommendations arising from an audit conducted under clause 18.3(a) and reasonably demonstrate to the Customer the implementation of such findings and recommendations.
(e) The parties acknowledge and agree that this clause 18 does not limit any obligation of the Supplier under the SPRs.
NSW Health | Deed | Standing Offer Arrangement (SOA) | Goods and Services OFFICIAL

Appears in 1 contract

Samples: Standing Offer Arrangement
