216 • A Guide to IT Contracting: Checklists, Tools, and Techniques
Businesses must be rigorous in entering into vendor relationships in which sensitive information will be placed at risk. Security requires a unified approach, including but not limited to security policies, employee education, use of security technology, performing security audits, and addressing security in contracts with business partners and other vendors. Information security can be divided into three categories—administrative, technical, and physical. In this chapter we evaluate tools that businesses can immediately put to use to substantially reduce the information security threats posed by their vendors and business partners, to ensure proper diligence is conducted and documented, and to provide remedies in the event of compromised security.
KEY ISSUES AND GUIDING PRINCIPLES
• Definitions. The definition of data should include all information to which the vendor may have access, including the company’s customer information, the company’s proprietary and confidential information, and any other non-public information provided by the client to the vendor, including its intellectual property and business information. In many instances, a company’s proprietary and confidential information is the most important asset of the company.
• Assess the risk of contracting. Does the risk of involving another party outweigh the benefits of services provided by that third party? If not, an agreement should be in place any time the third party will have access to data.
Vendor Due Diligence
• Companies should put all vendors on notice that their security policies and procedures will in part determine whether any particular vendor shall be selected to have access to data.
• A company must also consider all applicable security standards,
  • Gramm-Leach-Bliley Act (a federal law directed at the protection of non-public, personally identifiable financial information)