Security Assessment. The State requires any entity or third-party vendor hosting Oklahoma Customer Data to submit to a State Certification and Accreditation Review process to assess initial security risk. Vendor submitted to the review and met the State’s minimum security standards at the time the Contract was executed. Failure to maintain the State’s minimum security standards during the term of the Contract, including renewals, constitutes a material breach. To the extent Vendor requests a different sub-contractor than the third-party hosting vendor already approved by the State, the different sub-contractor is subject to the State’s approval. Vendor agrees not to migrate State’s data or otherwise utilize a different third-party hosting vendor in connection with key business functions that are Vendor’s obligations under the Contract until the State approves the third-party hosting vendor’s State Certification and Accreditation Review, which approval shall not be unreasonably withheld or delayed. In the event the third-party hosting vendor does not meet the State’s requirements under the State Certification and Accreditation Review, Vendor acknowledges and agrees it may not utilize such third-party vendor in connection with key business functions that are Vendor’s obligations under the Contract, until such third party meets such requirements.
Security Incident Notification and Responsibilities: Vendor shall inform Customer of any Security Incident or Data Breach. Vendor may need to communicate with outside parties regarding a Security Incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in the Contract. If a Security Incident involves Customer Data, Vendor will coordinate with Customer prior to making any such communication.
Vendor shall report a Security Incident to the Customer identified contact set forth herein within five (5) days of discovery of the Security Incident or within a shorter notice period required by applicable law or regulation (i.e. HIPAA requires notice to be provided within 24 hours). Vendor shall: (i) maintain processes and procedures to identify, respond to and analyze Security Incidents; (ii) make summary information regarding such procedures available to Customer at Customer’s request; (iii) mitigate, to the extent practicable, harmful effects of Security Incidents that are known to Vendor; and (iv) document all Security Incidents and their outcomes.