Because I have both an audit background and an IT security background, I’m frequently involved in helping clients address contract issues. The activities vendors perform for your organization under contract are an extension of your internal processes. Thus your contracts can impact ISO 27001 certification, regulatory compliance, business continuity and so on—not to mention your InfoSec posture.
Why Vendor Contract Review is So Important
Frequently I review contracts that have no security or privacy provisions. In other words, the client is giving the vendor its data and assuming they know what they’re doing. No service levels or other parameters are spelled out contractually.
What all too often ends up happening from there is a “lesson learned” or an IT audit issue. Then people start asking, “Where’s your process for this or your procedure for that?” And the vendor holds up the contract and says, “Tell me where it says in here that we have to meet those standards?”
But if the required controls are built into the process via the contract, suddenly a big gray area looks a whole lot more black-and-white.
It should be part of your third-party risk management (TPRM) process (and/or your project management or InfoSec policies) to have IT carefully evaluate each clause in any security-related contract and insert security-specific language as needed. This should include spelling out expectations for service levels, service delivery, response times, uptime and recovery time.
It’s also frequently a good idea to contractually specify the ability to audit a high-risk vendor for contract compliance. Logging and monitoring vendor activities can be part of evaluating the cost/benefit of the relationship, as well as ensuring information security and compliance.
Every contract is unique. But what often works as a starting point from the IT audit/InfoSec perspective is to insert language like: “… meets or exceeds the controls in our current InfoSec program.” That way the vendor’s process, as an extension of your process, is mandated to be at least as good as what you have in-house.
When Should You Run a Vendor Contract by IT?
If there are user IDs and passwords involved, that’s a big indicator. (This is point number one on your contract review checklist.)
Better safe than sorry: you don’t want to be in the position of trying to amend a signed contract that you failed to review before signing. You may not be able to make changes until the contract comes up for renewal in a year or two or more.
Unfortunately, at that point it’s usually too late: you’re experiencing a problem and viewing a contract with 20/20 hindsight. Now you know what to ask about and get into the contract “next time.”
Vendor Contract Review Checklist
To recap, here’s a checklist to get you started when you’re reviewing a contract with a new third-party vendor:
- Involve IT in any security-related contract, especially when IDs and passwords are involved
- Carefully evaluate each clause; insert security-specific language where appropriate
- Spell out expectations for service levels, delivery, response times, uptime, recovery time
- Specify the ability to audit a high-risk vendor for contract compliance
- Use “… meets or exceeds the controls in our current InfoSec program” as a starting point
To talk over your current business processes and/or work through a contract review or negotiation scenario so that your information security and compliance needs are covered contractually “this time,” contact Pivot Point Security.