9. FORTE's Annual Validation of Adherence to Security Standards. FORTE and AGENCY agree to utilize existing FORTE assessment reports and Certifications (SSAE report and PCI Certification), to validate FORTE's compliance with the Information Security Requirements set forth in this Appendix E.

a. FORTE shall maintain all records pertaining to the Services as required by applicable Rule or Law.

b. FORTE shall provide at its expense, upon AGENCY's written request on no more than an annual basis, its most current independent, SSAE report (third party service organization report). An SSAE report for purposes of this Agreement is defined as a specialized report or reports of controls, generally accepted in the industry, in the areas of financial reporting and general information technology controls for the services provided by a hosted solutions provider, managed services provider, service organization, service bureau or other similarly structured provider of software and hardware solutions. FORTE shall select the type of SSAE report that will be provided based upon the relationship between the Parties and the products and services provided by FORTE. In the event AGENCY wishes to receive a type of SSAE report not currently provided by FORTE, AGENCY shall provide no less than eighteen (18) months prior written notice to FORTE and FORTE in its sole discretion shall determine whether it will provide the additional type of SSAE report to AGENCY. FORTE will provide a copy of the most current report prepared; provided that AGENCY shall accept and agree to any conditions imposed by the independent audit firm for access to such report. FORTE will use good faith efforts to assist in resolving any issues that may arise between AGENCY and any independent auditor firm regarding the viewing of the SSAE report. AGENCY may not distribute or provide FORTE's SSAE report to third parties without FORTE's prior written consent.

c. FORTE is PCI DSS certified and undergoes an annual audit in order to maintain PCI DSS compliance against the current version of PCI DSS published on the PCI SSC (PCI Security Standards Council) website.

d. AGENCY and its auditors will maintain the confidentiality of FORTE's procedures and processes, which FORTE describes as confidential, and which are disclosed as a result of any review or audit. FORTE agrees that any material failure, as defined by AGENCY in its reasonable discretion, to cooperate fully and promptly in the conduct of any audit requested pursuant to this paragraph will constitute grounds for AGENCY to immediately terminate the Agreement and cease receiving Services from FORTE; provided, however, AGENCY shall provide FORTE with written notice of such material failure to cooperate and FORTE shall have thirty (30) days opportunity to cure. Such termination shall be AGENCY's sole and exclusive remedy for any such failure to cooperate.

10. Network and Application Scans. FORTE shall perform network and application security scans that test the FORTE's systems for (i) security vulnerabilities, (ii) denial of service vulnerabilities and (iii) system access. FORTE will have processes that review and remediate vulnerabilities.

22.11.30
Page 21
CSG#65915.0 03-19 26