Information Security Requirements Exhibit: The Third Tool
The final tool in minimizing vendor information security risks is the use of an exhibit, statement of work, or other contract attachment that specifically defines the minimum security requirements relevant for a particular transaction. For example, the information security requirements exhibit may prohibit the vendor from transmitting the company’s information over wireless networks (e.g., 802.11a/b/g/n/ac/ax) or over public networks without encryption, or from transferring that information to removable media that could be easily misplaced or lost. The exhibit may also contain specific requirements for physical access to processing systems, the use of encryption at rest and access control technology, requirements for internal risk assessments and training of personnel, and for decommissioning hardware and storage media on which the company’s information was stored to ensure the information is properly scrubbed from the hardware and media. Other specific physical and technological security measures should be identified as relevant to the particular transaction.
An example security requirements exhibit is provided at the end of this chapter.
Companies face unique risks when they entrust personal information and proprietary and confidential information to their vendors. Those risks can be minimized by employing the tools discussed in this chapter: appropriate and uniform due diligence, use of specific contractual protections relating to information security, and use, where relevant, of exhibits or other attachments to the agreement detailing unique security requirements to be imposed on the vendor.
Example Information Security Requirements Exhibit
This exhibit provides the information security procedures to be established by vendor before the effective date of this agreement and maintained throughout the term. These procedures are in addition to the requirements of the agreement and present a minimum standard only. However, it is vendor’s sole obligation to (i) implement appropriate measures to secure its systems and data, including XYZ COMPANY confidential information, against internal and external threats and risks; and (ii) continuously review and revise those measures to address ongoing threats and risks. Failure to comply with the minimum standards set forth in this exhibit will constitute a material, noncurable breach of the agreement by vendor, entitling XYZ COMPANY, in addition to and cumulative of all other remedies available to it at law, in equity, or under the agreement, to immediately terminate the agreement. Unless specifically defined in this exhibit, capitalized terms shall have the meanings set forth in the agreement.
■ Security policy. Vendor shall establish and maintain a formal, documented, mandated, company-wide information security program, including security policies, standards, and procedures (collectively “Information Security Policy”). The Information Security Policy will be communicated to all vendor personnel and contractors in a relevant, accessible, and understandable form and will be regularly reviewed and evaluated to ensure its operational effectiveness, compliance with all applicable laws and regulations, and to address new threats and risks.
■ Personnel and vendor protections. Vendor shall screen all personnel contacting XYZ COMPANY confidential information, including customer information, for potential security risks and require all employees, contractors, and subcontractors to sign an appropriate written confidentiality/nondisclosure agreement. All agreements with third parties involving access to vendor’s systems and data, including all outsourcing arrangements and maintenance and support agreements (including facilities maintenance), shall specifically address security risks, controls, and procedures for information systems. Vendor shall supply each of its personnel and contractors with appropriate, ongoing training regarding information security procedures, risks, and threats. Vendor shall have an established set of procedures to ensure personnel and contractors promptly report actual and/or suspected breaches of security.
■ Removable media. Except in the context of vendor’s routine backups or as otherwise specifically authorized by XYZ COMPANY in writing, vendor shall institute strict physical and logical security controls to prevent transfer of customer information to any form of removable media. For purposes of this exhibit, Removable Media means portable or removable hard disks, floppy disks, USB memory drives, zip disks, optical disks, CDs, DVDs, digital film, memory cards (e.g., Secure Digital (“SD”), Memory Sticks (“MS”), CompactFlash (“CF”), SmartMedia (“SM”), MultiMediaCard (“MMC”), and xD-Picture Card (“xD”)), magnetic tape, and all other removable data storage media.
■ Data control; media disposal and servicing. XYZ COMPANY confidential information (i) may only be made available and accessible to those parties explicitly authorized under the agreement or otherwise expressly by XYZ COMPANY in writing; (ii) if transferred across the Internet, any wireless network (e.g., cellular, 802.11x, or similar technology), or other public or shared networks, must be protected using appropriate cryptography as designated or approved by XYZ COMPANY in writing; and (iii) if transferred using removable media (as defined above) must be sent via a bonded courier or protected using cryptography designated or approved by XYZ COMPANY in writing. The foregoing requirements shall apply to backup data stored by vendor at off-site facilities. In the event any hardware, storage media, or removable media must be disposed of or sent off-site for servicing, vendor shall ensure all XYZ COMPANY confidential information, including customer information, has been “scrubbed” from such hardware and/or media using industry best practices (e.g., DoD 5220-22-M Standard), but in no event less than the level of care set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization.
■ Hardware return. Upon termination or expiration of the agreement or at any time upon XYZ COMPANY’S request, vendor will return all hardware, if any, provided by XYZ COMPANY containing XYZ COMPANY confidential information to XYZ COMPANY. The XYZ COMPANY confidential information shall not be removed or altered in any way. The hardware should be physically sealed and returned via a bonded courier or as otherwise directed by XYZ COMPANY. In the event the hardware is owned by vendor or a third party, a notarized statement, detailing the destruction method used and the data sets involved, the date of destruction, and the company or individual who performed the destruction, will be sent to a designated XYZ COMPANY security representative within fifteen (15) days of termination or expiration of the agreement or at any time upon XYZ COMPANY’S request. Vendor’s destruction or erasure of customer information pursuant to this section shall be in compliance with best industry practices (e.g., DoD 5220-22-M Standard), but in no event less than the level of care set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization.
■ Physical and environmental security. Vendor facilities that process XYZ COMPANY confidential information will be housed in secure areas and protected by perimeter security such as barrier access controls (e.g., the use of guards and entry badges) that provide a physically secure environment from unauthorized access, damage, and interference.
■ Communications and operational management. Vendor shall (i) monitor and manage all of its information processing facilities, including, without limitation, implementing operational procedures, change management, and incident response procedures; and (ii) deploy adequate antiviral software and adequate backup facilities to ensure essential business information can be promptly recovered in the event of a disaster or media failure; and (iii) ensure its operating procedures will be adequately documented and designed to protect information, computer media, and data from theft and unauthorized access.
■ Access control. Vendor shall implement formal procedures to control access to its systems, services, and data, including, but not limited to, user account management procedures and the following controls:
■ Incident notification. Vendor will promptly notify (but in no event more than twenty-four (24) hours after the occurrence) the designated XYZ COMPANY security contact by telephone and subsequently via written letter of any potential or actual security attacks or incidents. The notice shall include the approximate date and time of the occurrence and a summary of the relevant facts, including a description of measures being taken to address the occurrence. A security incident includes instances in which internal personnel access systems in excess of their user rights or use the systems inappropriately. In addition, vendor will provide a monthly report of all security incidents noting the actions taken. This will be provided via a written letter to the XYZ COMPANY security representative on or before the first week of each calendar month.