This article was originally published on CSO, and is republished here with permission.
So, maybe you’ve read my previous blog posts and have spent time developing strong information security and privacy protections to be included in your contracts with relevant business partners, vendors and suppliers.
The question is: when do I require those protections? Certainly not in every contract. That would greatly expand the cost and time of negotiating contracts that, potentially, present no security or privacy risks.
So how do you decide?
That is one of the most common questions I receive from clients. They want a bright line rule to determine when to insist those additional contract protections be included in their third-party contracts and when not to require them.
To be more specific and as discussed in prior blog posts, most businesses these days have developed specific contractual protections relating to security and privacy:
- Warranties relating to viruses, disabling mechanisms and phone-home functionality
- Secure programming and testing warranties
- More expansive requirements for compliance with applicable laws, including those relating to privacy, information security and, of course, industry specific requirements for HIPAA, GLB, GDPR, CCPA, etc.
- PCI DSS compliance
- Security incident handling procedures, notification, cost reimbursement, etc.
- Expanded audit rights, including penetration testing
- Disaster recovery and business continuity requirements
The key question is when do we need to include those protections?
Our recommendation is businesses should create decision matrices or trees to provide an easy means of determining when to require a supplier or vendor to be bound by these additional contractual protections. Specifically, the decision matrix is designed to identify instances in which a proposed use of a supplier or vendor may pose material security or privacy risk to the business, its data and/or its systems.
In those instances, prior to executing any new agreement or initiating any new project with an existing supplier or vendor, the decision matrix should be used to determine whether additional protections are required. The matrix should be written to permit non-experts to easily triage third party engagements to identify those requiring heightened protections.
The questions below provide an example of a matrix intended to identify situations in which a vendor or supplier will have potential access to company data or systems. It is important to understand that risk can arise even if the vendor or supplier has no access to personally identifiable, regulated information or other highly sensitive data.
For example, a vendor could provide software or hardware that, when implemented in the company’s facilities, could malfunction, contain a virus or have a security vulnerability that could seriously impact the operation of the company’s critical systems.
The object is to create matrix containing a brief set of or “yes” or “no” questions. If the employee is unsure about a response, they should contact their supervisor or the legal department for guidance.
If any answer is “yes,” the proposed engagement or project may not be made or initiated unless the supplier or vendor executes an agreement containing the business’ heightened security requirements – or until corporate senior management and legal have expressly approved in writing proceeding without those requirements.
Example Decision Matrix:
1. Data access or storage
Question: Will the vendor have access to or host unencrypted personally identifiable or other highly sensitive information (e.g., employee information, proprietary processes and trade secrets, etc.)?
Explanation: Encryption should be the rule, not the exception. In the event of a data breach, unencrypted data is significantly easier to obtain in readable format, including by bad actors. Regulatory issues may also arise if, among other things, highly sensitive information is not encrypted.
Every vendor or supplier who has access to this information in unencrypted form should be bound by the heightened security requirements, including, where relevant, a business associate agreement if protected health information is at risk.
Answer: ☐ Yes ☐ No
2. On premises software and hardware
Question: Will the vendor provide software or hardware for installation in our facilities or as part of our systems?
Explanation: Software and hardware products may contain a wide range of risks: viruses, undisclosed mechanisms that transmit Company data outside our environment, serious performance bugs, security vulnerabilities, etc. A malfunction in a vendor product may disrupt operation of our other systems. A security vulnerability in a product may create the means for a bad actor to gain access not only to the product but to the systems to which that product is connected.
Answer: ☐ Yes ☐ No
3. Interfaces or connections to company systems
Question: Will the vendor be connecting or interfacing its systems, whether onsite or remotely, to any Company systems?
Explanation: Any situation in which a vendor is interacting with our systems creates risk, particularly when the vendor is interfacing or otherwise connecting its systems to Company systems. This can arise in a variety of circumstances, including situations where the vendor is remotely accessing our systems. For example, a vendor may require the ability to remotely access our systems in order to provide support services for a piece of software we have licensed or interface with our network for billing and/or payment purposes.
Answer: ☐ Yes ☐ No
4. Onsite personnel
Question: Will the vendor be performing services in non-public areas of Company facilities?
Explanation: Do not overlook situations where a vendor or supplier may be onsite at our facilities in non-public areas where sensitive data may be seen, even if inadvertently. In addition, vendor personnel may carry smart phones and other devices that could be used to record sensitive information. A vendor may also bring onsite devices and technology that could be installed or operated without our knowledge and, potentially, impact operation of our systems and create security risks.
Answer: ☐ Yes ☐ No
5. System access
Question: Will the vendor require privileged access to any Company systems or “service” accounts?
Explanation: Some software packages require privileged access or service accounts for installation, configuration, or operation. These accounts may require exceptions to password policies such as mandatory password change requirements. The vendor or supplier may also share passwords among multiple employees in violation of Company policy. Disclosure of a privileged account password puts may systems in jeopardy of malicious use and unauthorized data disclosure.
Answer: ☐ Yes ☐ No
Of course, no decision matrix will fit every business. The matrix should be revised to reflect the unique risks presented to your organization, including the industry it’s operating in. By developing the matrix, you will have a simple, bright-line means of triaging engagements to determine whether heightened security and privacy measures should be required.
