Integrating Information Security into the Contracting Life Cycle


Use the Three Tools for Better Integrating Information Security into the Contract Life Cycle

□ Precontract due diligence

□ Key contractual protections

□ Information security requirements exhibit

Precontract Due Diligence

□ Develop a form due diligence questionnaire

□ Ensure the questionnaire covers all key areas

□ Use the questionnaire as an early means of identifying security issues

□ Use the questionnaire to conduct an “apples-to-apples” comparison of prospective vendors

Key Contractual Protections

□ Fully fleshed-out confidentiality clause

□ Warranties

  • Compliance with best industry practices; specify the relevant industry
  • Compliance with applicable laws and regulations (e.g., HIPAA, GLB)
  • Compliance with third-party standards (e.g., Payment Card Industry Data Security Standard, Payment Application Data Security Standard)
  • Compliance with customer’s privacy policy
  • Prohibition against making data available offshore
  • Responses to due diligence questionnaire are true and correct

□ General security obligations

  • All reasonable measures to secure and defend systems
  • Use of industry standard antivirus software
  • Vulnerability testing
  • Immediate reporting of actual or suspected breaches
  • Participation in joint audits
  • Participation in regulatory reviews

□ Indemnity against claims, damages, costs arising from a breach of security

□ Responsibility for costs associated with providing breach notifications to consumers; control of timing and content of notice

□ Forensic assistance

  • Duty to preserve evidence
  • Duty to cooperate in investigations
  • Duty to share information

□ Audit rights

  • Periodic audits to confirm compliance with the agreement and applicable law
  • Provision of any appropriate SSAE 16 (now SSAE 18, often referred to as a SOC 1 audit), SOC 2 audit, ISO/IEC 27001, or similar audits

□ Limitation of liability should exclude breaches of confidentiality from all limitations and exclusions of liability

□ Post-contract policing

Information Security Requirements Exhibit

□ Where appropriate, develop an exhibit, statement of work, or other contract attachment describing specific required information security measures

□ Use of wireless networks

□ Removable media

□ Encryption

□ Firewalls

□ Physical security


Newspapers and trade journals feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they have suffered as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues.

Whether the information at issue is highly regulated data identifiable to individuals (e.g., nonpublic financial information, protected health information, or the myriad of other information now subject to state, federal, and international protection relating to individuals) or sensitive business information, including trade secrets and other proprietary information, companies must ensure that information is adequately protected by their vendors. This chapter discusses three tools companies may use to reduce information security threats posed by their vendor relationships, to ensure proper due diligence is conducted and documented, and to provide remedies in the event of a compromise. Those tools are: (i) the due diligence questionnaire; (ii) key contractual protections; and (iii) the use in appropriate circumstances of an information security requirements exhibit. Whenever a vendor will have access to an organization’s network, facilities, personal data, or other sensitive or valuable data, one or more of these tools should be used.

By implementing these measures, the company can better integrate information security into the entire contracting process—as opposed to simply having it be a “bolt-on” at the time of contract negotiations.

Due Diligence: The First Tool

Companies should conduct some form of due diligence before entrusting vendors with sensitive information or with access to their systems. Unfortunately, most companies conduct this review informally, on an ad hoc basis, and without clear documentation. In very few instances is the outcome of that due diligence actually incorporated into the parties’ contract. This approach to due diligence may no longer be appropriate or reasonable in the context of today’s business and regulatory environment. To help ensure proper documentation and uniformity of the due diligence process, especially for high-risk arrangements, companies should consider developing a standard due diligence questionnaire, or adopting an industry-standard one for the company’s industry, for prospective vendors to complete.
