A Guide to IT Contracting by Michael R. Overly, Matthew A. Karlyn

22
Integrating Information Security into the Contracting Life Cycle
CHECKLIST
Use the Three Tools for Better Integrating Information Security into the Contract Life Cycle
- Pre-Contract Due Diligence
- Key Contractual Protections
- Information Security Requirements Exhibit
Pre-Contract Due Diligence
- Develop a form due diligence questionnaire
- Ensure the questionnaire covers all key areas
- Use the questionnaire as an early means of identifying security issues
- Use the questionnaire to conduct an "apples-to-apples" comparison of prospective vendors
Key Contractual Protections
- Fully fleshed-out confidentiality clause
- Warranties
  - Compliance with best industry practices; specify the relevant industry
  - Compliance with applicable laws and regulations (e.g., HIPAA, GLB)
  - Compliance with third-party standards (e.g., the Payment Card Industry Data Security Standard, the Payment Application Data Security Standard)
  - Compliance with the customer's privacy policy
  - Prohibition against making data available offshore
  - Responses to the due diligence questionnaire are true and correct
- General Security Obligations
  - All reasonable measures to secure and defend systems
  - Use of industry-standard anti-virus software
  - Vulnerability testing
  - Immediate reporting of actual or suspected breaches
  - Participation in joint audits
  - Participation in regulatory reviews
- Indemnity against claims, damages, and costs arising from a breach of security
- Responsibility for costs associated with providing breach notifications to consumers; control of the timing and content of the notice
- Forensic Assistance
  - Duty to preserve evidence
  - Duty to cooperate in investigations
  - Duty to share information
- Audit Rights
  - Periodic audits to confirm compliance with the agreement and applicable law
  - Provision of any SAS 70, SSAE 16, or similar audit reports (SAS 70 was superseded by SSAE 16, and SSAE 16 in turn by SSAE 18; today these are the SOC 1 and SOC 2 reports)
- Limitation of liability should exclude breaches of confidentiality from all limitations and exclusions of liability
- Post-contract policing
Information Security Requirements Exhibit
- Where appropriate, develop an exhibit, statement of work, or other contract attachment describing specific required information security measures, such as:
  - Use of wireless networks
  - Removable media
  - Encryption
  - Firewalls
  - Physical security
OVERVIEW
Newspapers and trade journals feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor, only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and to have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they have suffered as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues.
Whether the information at issue is highly regulated data identifiable to individuals (e.g., non-public financial information, protected health information, or the myriad other information now subject to state, federal, and international protection relating to individuals) or sensitive business information, including trade secrets and other proprietary information, companies must ensure that the information is adequately protected by their vendors. This chapter discusses three tools companies may use to reduce the information security threats posed by their vendor relationships, to ensure proper due diligence is conducted and documented, and to provide remedies in the event of a compromise. Those tools are: (1) the due diligence questionnaire; (2) key contractual protections; and (3) the use, in appropriate circumstances, of an information security requirements exhibit. Whenever a vendor will have access to an organization's network, facilities, personal data, or other sensitive or valuable data, one or more of these tools should be used.
By implementing these measures, the company can better integrate information security into the entire contracting process, rather than treating it as a "bolt-on" at the time of contract negotiations.
DUE DILIGENCE: THE FIRST TOOL
Companies should conduct some form of due diligence before entrusting vendors with sensitive information or with access to their systems. Unfortunately, most companies conduct this review on an ad hoc basis, informally, and without clear documentation. In very few instances is the outcome of that due diligence actually incorporated into the parties' contract. This approach to due diligence may no longer be appropriate or reasonable in the context of today's business and regulatory environment. To