Privacy and Security Audit Reports Services

The vendor is required to provide includes reviewing approximately 18 audit reports from independent auditors, focusing on audit scope, findings, and corrective actions.
- The contractor will identify opportunities to enhance privacy and security through improvements to business and technology controls, policies, and procedures, and recommend new controls to address gaps and align with or exceed industry best practices.
- CRISP (Chesapeake regional information system for our patients)
• The master contractor shall review the most recent privacy and security audit reports and corrective actions taken by CRISP.
• CRISP management response for implementing corrective actions in specified timeframes.
- CRISP third-party service organizations
• The master contractor shall identify all essential third-party service organizations and review their most recent privacy and security audit report.
- Categorization of all exceptions identified and the severity of potential risk of a breach, impact to CRISP operations, and other possible impact(s);
- Apparent gaps in controls and other considerations for CRISP and third-party service organizations, such as controls those best practices would indicate should be implemented to meet or strengthen certain control objectives or criteria;
- Assessment of corrective actions taken by CRISP to address audit findings, including those relevant to third-party service organizations;
- Findings presented in these audit reports to assess implementation of previous corrective actions and determine the root cause(s) for repeat findings;
- Assessment of the adequacy of CRISP’s procedures and related processes supporting the bi-annual attestation submitted to agency related to audits of third-party service organizations and their related corrective actions; and
- Overall assessment and opinion of privacy and security for CRISP and CRISP third-party service organizations.
- Contract Period/Term: 2 years
- A Pre-Bid Teleconference Date: June 24, 2025