Firewall Wizards mailing list archives
RE: Security clauses for contracts
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 22 May 2002 09:42:51 -0500
> In thinking about liability issues, and more generally contracts, the
> question of "what security tidbits do you put into a contract?" comes
> up. (Also, I've been asked to think about this by some colleagues, in
> the context of Bob hiring Alice to process sensitive information.)
> Alice claims to "take security and privacy very seriously."

One must realize the duty of what the business is trying to accomplish. Each contract may be different. You mention two areas that have huge scope for definition: privacy and security. Let's just take security...

> A few of the things I'd like to see:
>
> 1. Alice will provide copies of their security and privacy policies to Bob.

This is the first step, but Alice or Bob need to step up to the highest level of security between the two. This is a very difficult initiative: if Bob has a better security model than Alice, then Alice should step up to the plate and continue that security model. However, the other way round gets more political. The exchange of standards, guidelines and privacy policies is the initial start of defining a mutual agreement of security. IMHO though, if Bob is security conscious, he should dictate the security required to Alice, providing Bob is relatively secure.

> 2. Alice will provide copies of recent audits to Bob.

Audit information is another information asset that companies do not like to hand out, and before this is shared, an NDA should be signed. The NDA should stipulate a few things:

(1) information shared is confidential
(2) information produced on Bob's behalf by Alice is owned by Bob
(3) Alice is responsible for security of the data it holds that is owned by Bob

Some of this is placed in the contract directly, and not in the NDA. Furthermore, the issue of liability is defined. Here one states where each firm's privacy policy covers, in the event of "illegal" data disclosure. Bob is responsible for drafting all the requirements that detail how data should be handled, classification, ACL, etc. etc.

> 3. Alice agrees that Bob can conduct audits/pen tests, as long as the
> results are shared with Bob, the tests are designed to be non-damaging,
> and don't use knowledge from (2). (This one is clearly controversial;
> however, Bob would really like assurance that Alice isn't falling
> behind on their patching...)

Depends on the project. If Alice is willing to share the liability of handling sensitive data, then Bob may be covered; he's reduced the risk and pushed it on to Alice. Providing that Alice has had some audit, and can show that security exists and is in place (scenario based), then a full pen test et al. is not necessary in many scenarios.

From my experience, external agents that do processing of sensitive data must satisfy some requirement of security. This generally comes down to the basic perimeter firewall security, and no security internal. It is especially important that you state how you want security to be handled internally: data segregation, data encryption, VPN standards... and more. Binding this in to a contract will need the help of two faculties within Bob: one legal, to do the necessary loophole checking etc., and also security, because they will need to have preset standards and policies in place to dictate.

Cheers
r.

Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344
USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards