Common use of Security Audits & Remediation Clause in Contracts

Security Audits & Remediation. Contractor will audit the security of the systems and processes used to provide any and all Cloud Services, including those of the data centers used by Contractor to provide any and all Cloud Services to the State. This security audit: (1) will be performed at least once every calendar year beginning with 2016; (2) will be performed according Statement on Standards for Attestation Engagements (“SSAE”) 16 Service Organization Control (“SOC”) 2, International Organization for Standardization (“ISO”) 27001, or FedRAMP; (3) will be performed by third party security professionals at Contractor’s election and expense; (4) will result in the generation of an audit report (“Contractor Audit Report”), which will, to the extent permitted by applicable law, be deemed confidential information and as not public data under the Minnesota Government Data Practices Act (Minnesota Statutes chapter 13); and (5) may be performed for other purposes in addition to satisfying this section. Upon the State’s reasonable, advance written request, Contractor will provide to the State a copy of the Contractor Audit Report. Contractor will make best efforts to remediate any control deficiencies identified in the Contractor Audit Report in a commercially reasonable timeframe. If the State becomes aware of any other Contractor controls that do not substantially meet the State’s requirements, the State may request remediation from Contractor. Contractor will make best efforts to remediate any control deficiencies identified by the State or known by Contractor, in a commercially reasonable timeframe.

Security Audits & Remediation. Contractor will audit the security of the systems and processes used to provide any and all Cloud Services, including those of the data centers used by Contractor to provide any and all Cloud Services fulfil its obligations to the StateState under the Contract. This security audit: (1) will be performed at least once every calendar year beginning with 20162020; (2) will be performed according Statement on Standards for Attestation Engagements (“SSAE”) 16 Service Organization Control (“SOC”) 2, International Organization for Standardization (“ISO”) 27001, or FedRAMP; (3) will be performed by third third-party security professionals at Contractor’s election and expense; (4) will result in the generation of an audit report (“Contractor Audit Report”), which will, to the extent permitted by applicable law, be deemed confidential information and as not public data under the Minnesota Government Data Practices Act (Minnesota Statutes chapter 13); and (5) may be performed for other purposes in addition to satisfying this section. Upon the State’s reasonable, advance written request, Contractor will provide to the State a copy of the Contractor Audit Report. Contractor will make best efforts to remediate any control deficiencies identified in the Contractor Audit Report in a commercially reasonable timeframe. If the State becomes aware of any other Contractor controls that do not substantially meet the State’s requirements, the State may request remediation from Contractor. Contractor will make best efforts to remediate any control deficiencies identified by the State or known by Contractor, in a commercially reasonable timeframe.

Security Audits & Remediation. Contractor will audit the security of the systems and processes used to provide any and all Cloud Servicescloud computing or hosting services, including those of the data centers used by Contractor to provide any and all Cloud Services cloud computing or hosting services to the State. This security audit: (1) will be performed at least once every calendar year beginning with 20162014; (2) will be performed according Statement on Standards for Attestation Engagements (“SSAE”) 16 Service Organization Control (“SOC”) 2, International Organization for Standardization (“ISO”) 27001, or FedRAMP; (3) will be performed by third party security professionals at Contractor’s election and expense; (4) will result in the generation of an audit report (“Contractor Audit Report”), which will, to the extent permitted by applicable law, be deemed confidential information and as not public data under the Minnesota Government Data Practices Act (Minnesota Statutes chapter 13)Act; and (5) may be performed for other purposes in addition to satisfying this section. Upon the State’s reasonable, advance written request, Contractor will provide to the State a copy of the Contractor Audit Report. Contractor will make best efforts to remediate any control deficiencies identified in the Contractor Audit Report in a commercially reasonable timeframe. If the State becomes aware of any other Contractor controls that do not substantially meet the State’s requirements, the State may request remediation from Contractor. Contractor will make best efforts to remediate any control deficiencies identified by the State or known by Contractor, in a commercially reasonable timeframe.

Security Audits & Remediation. Contractor will audit the security of the systems and processes used to provide any and all Cloud Services, including those of the data centers used by Contractor to provide any and all Cloud Services to the State. This security audit: (1) will be performed at least once every calendar year beginning with 2016; (2) will be performed according Statement on Standards for Attestation Engagements (“SSAE”) 16 Service Organization Control (“SOC”) 2, International Organization for Standardization (“ISO”) 27001, or FedRAMP; (3) will be performed by third party security professionals at Contractor’s election and expense; (4) will result in the generation of an audit report (“Contractor Audit Report”), which will, to the extent permitted by applicable law, be deemed confidential information and as not public data under the Minnesota Government Data Practices Act (Minnesota Statutes chapter 13); and (5) may be performed for other purposes in addition to satisfying this section. section.‌‌ Upon the State’s reasonable, advance written request, Contractor will provide to the State a copy of the Contractor Audit Report. Contractor will make best efforts to remediate any control deficiencies identified in the Contractor Audit Report in a commercially reasonable timeframe. If the State becomes aware of any other Contractor controls that do not substantially meet the State’s requirements, the State may request remediation from Contractor. Contractor will make best efforts to remediate any control deficiencies identified by the State or known by Contractor, in a commercially reasonable timeframe.