{"id":329,"date":"2015-12-14T14:49:34","date_gmt":"2015-12-14T20:49:34","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=329"},"modified":"2015-12-14T14:49:34","modified_gmt":"2015-12-14T20:49:34","slug":"key-security-provisions-for-all-vendor-contracts","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2015\/12\/14\/key-security-provisions-for-all-vendor-contracts\/","title":{"rendered":"Key Security Provisions for Vendor\/Partner Contracts"},"content":{"rendered":"<p>One of the most important lessons from the 2013 Target breach was that hackers will look for the weakest link in\u00a0a company&#8217;s security chain when seeking a point of entry. Often, that weakest link is the vendors and partners which integrate with your IT infrastructure or have login credentials to your systems.\u00a0Target&#8217;s HVAC vendor suffered a phishing attack that resulted in hackers obtaining access credentials to Target&#8217;s network which they used as their point of entry. Companies are increasingly doing\u00a0security diligence on their vendors and partners to ensure that\u00a0if they have access to the company&#8217;s network or systems, they will meet minimum security requirements. \u00a0It&#8217;s\u00a0critical that your vendors and partners agree\u00a0to\u00a0minimum contractual security commitments\u00a0as well. I often use a &#8220;security addendum&#8221; with controlling language to ensure that my\u00a0standard provisions control over any conflicting provisions in the\u00a0vendor\/partner agreement, but will sometimes embed them directly into the contract.<\/p>\n<p>Here are some of the provisions I like to include in vendor and partner agreements:<\/p>\n<ul>\n<li><strong>Definitions of Personal Information and Financial Account Information.<\/strong> \u00a0It&#8217;s important to define what &#8220;personal information&#8221; and &#8220;financial account information&#8221; mean. 
\u00a0In many cases, your vendor\/partner&#8217;s\u00a0definition of these terms\u00a0may differ from yours.\u00a0Ensuring you&#8217;re on the same page (e.g., you may consider IP addresses to be personal information, they do not) can be critical in the event there is an unauthorized release of information. \u00a0Be careful using a list of information types as the list may change over time; instead, consider a broad definition with examples.<\/li>\n<li><strong>Credentials.<\/strong>\u00a0If you are providing credentials to your vendor\/partner to access your network or systems, or that of a third party (e.g., a marketing service, a cloud hosting environment, etc.), ensure they will only use them\u00a0as\u00a0required by the contract. \u00a0Ensure they fall under the contractual definition of Confidential Information and will be treated as such. \u00a0Access to credentials should be limited to those with a &#8220;need to know.&#8221;<\/li>\n<li><strong>Safeguards. \u00a0<\/strong>I like to include a requirement to implement and follow administrative, physical and technical safeguards (no less rigorous than industry standard) designed to protect\u00a0information and credentials. \u00a0This can be a good catch-all\u00a0that can be leveraged if the vendor\/partner has a problem later on and\u00a0did not use industry\u00a0standard security safeguards. \u00a0I also like to call out the importance of installing security software patches immediately to reduce the risk of an exploitable security hole. \u00a0If the vendor\/partner has obtained security certifications (e.g., SSAE16, ISO 27001, etc.) that you are relying on, ensure they provide evidence of current certification\u00a0upon request and do not let certifications\u00a0lapse during the term of the Agreement.<\/li>\n<li><strong>Anti-Phishing Training.<\/strong>\u00a0 Over 90% of hacking attacks start with a &#8220;phishing&#8221; attack. 
Consider specifically requiring your vendors\/partners to provide anti-phishing training to all employees.<\/li>\n<li><strong>Payment Account Information.<\/strong>\u00a0 If the vendor\/partner will not be handling payment account information, add an\u00a0affirmative obligation that the vendor\/partner will not access, use, store, or process payment account information. If you are afraid that information might be inadvertently provided to the vendor\/partner, consider adding\u00a0a provision stating that if any payment account information is\u00a0inadvertently provided to the vendor\/partner, as long as they destroy it immediately and notify your company the vendor\/partner will not be in breach of the affirmative obligation not to use payment account information. \u00a0If your vendor\/partner will handle payment account information, ensure you have appropriate language that\u00a0covers both\u00a0current and future PCI-DSS (Payment Card Industry Data Security Standard)\u00a0versions. \u00a0If appropriate, add language making clear that payment account information will be stored in active memory only, and not stored or retained on the vendor\/partner&#8217;s servers (e.g., where the payment information is &#8220;tokenized&#8221; and\/or securely transmitted to your company&#8217;s own servers at the time the transaction is processed).<\/li>\n<li><strong>Information Security Questionnaire.<\/strong> \u00a0Include the right to have the vendor\/partner complete a written security questionnaire once a year signed by a corporate officer. Requiring an annual questionnaire can help identify whether your vendors\/partners are on top of emerging threats and risks.\u00a0If you have limited resources to conduct audits, the responses to the questionnaires can help you identify which vendors\/partners may be best to audit. 
\u00a0As part of the questionnaire, ask for copies of the vendor\/partner&#8217;s disaster recovery plan and business continuity plan, and certificate of insurance for the vendor\/partner&#8217;s cyber security policy\u00a0if your company is named as an additional insured.<\/li>\n<li><strong>Audit Rights.<\/strong> \u00a0Include a right to do a security audit of a\u00a0vendor\/partner&#8217;s information technology and information security controls. This should include the right to conduct\u00a0penetration testing of the vendor\/partner&#8217;s network, ideally on an unannounced basis. \u00a0Make sure the vendor\/partner is obligated to correct any security discrepancies found at their expense; if they don&#8217;t make corrections to your reasonable satisfaction, you should be able to exit the contract. \u00a0Ensure you can use internal and third-party resources to conduct the audit.\u00a0In addition to a right to audit on a regular basis (e.g., once per year), allow the right to audit after a security breach so you can do your own analysis of how well the vendor\/partner has bulletproofed their systems in light of a breach.<\/li>\n<li><strong>Security Breach.<\/strong>\u00a0 Define what a &#8220;security breach&#8221; is (consider a broad definition that includes\u00a0security incidents as well). \u00a0Ensure the vendor\/partner promptly notifies your company in the event of a security breach, ideally by email to a &#8220;role&#8221; mailbox or to your CIO\/CTO. \u00a0The vendor\/partner should take any triage steps necessary to close the immediate security hole and then thoroughly review and bulletproof its systems and networks. \u00a0The vendor\/partner should agree to work with your company and any government entities in any investigation of\u00a0the breach. \u00a0Ensure that your company, not the vendor\/partner, decides whether and how to communicate with affected individuals. 
\u00a0Ensure the vendor\/partner bears the\u00a0costs associated with a security breach.<\/li>\n<li><strong>Preservation Notices and E-Discovery.<\/strong>\u00a0 If the records of the vendor\/partner may be important if\u00a0litigation is brought against your company, consider adding a clause ensuring that\u00a0the vendor\/partner will comply with any\u00a0document preservation\/litigation hold notice you provide, and that the vendor\/partner will reasonably assist with electronic discovery requests. \u00a0A &#8220;friendly&#8221; clause like this can help avoid issues and strain on the partnership if litigation occurs.<\/li>\n<\/ul>\n<p>Once you have these provisions in your agreement, don&#8217;t forget to tie them into your risk allocation provisions. If the\u00a0vendor\/partner carries insurance to protect against security breaches, ensure you are an additional insured and ask for a certificate of insurance annually. Ensure your indemnification section fully covers any breach of security obligations, and consider excluding these from your limitation of liability to the greatest extent possible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most important lessons from the 2013 Target breach was that hackers will look for the weakest link in\u00a0a company&#8217;s security chain when seeking a point of entry. 
Often, that weakest link is the vendors and partners which &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2015\/12\/14\/key-security-provisions-for-all-vendor-contracts\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,4,10,11],"tags":[48,57,163,185],"class_list":["post-329","post","type-post","status-publish","format-standard","hentry","category-drafting","category-legal","category-privacy","category-security","tag-compliance","tag-contracting","tag-security","tag-vendor"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=329"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/329\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}