Firewall Wizards mailing list archives

RE: Security clauses for contracts


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 22 May 2002 09:42:51 -0500


> In thinking about liability issues, and more generally contracts, the
> question of "what security tidbits do you put into a contract?" comes
> up.  (Also, I've been asked to think about this by some colleagues, in
> the context of Bob hiring Alice to process sensitive information.)
> Alice claims to "take security and privacy very seriously."

One must realize the duty of what the business is trying to accomplish.
Each contract may be different.  You mention two areas that have huge scope
for definition: privacy and security.
Let's just take security...

> A few of the things I'd like to see:
>
> 1. Alice will provide copies of their security and privacy policies to
> Bob.

This is the first step, but Alice or Bob need to step up to the highest
level of security between the two.  This is a very difficult initiative: if
Bob has a better security model than Alice, then Alice should step up to the
plate and continue that security model.  However, the other way round gets
more political.  The exchange of standards, guidelines and privacy policies
is the initial start of defining a mutual agreement on security.  IMHO
though, if Bob is security conscious, he should dictate the security
required to Alice, providing Bob is relatively secure.

> 2. Alice will provide copies of recent audits to Bob.

Audit information is another information asset that companies do not like
to hand out, and before this is shared, an NDA should be signed.  The NDA
should stipulate a few things:
(1) information shared is confidential
(2) information produced on Bob's behalf by Alice is owned by Bob
(3) Alice is responsible for the security of the data it holds that is owned
by Bob

Some of this is placed in the contract directly, and not in the NDA.
Furthermore, the issue of liability is defined.  Here one states what each
firm's privacy policy covers, in the event of "illegal" data disclosure.  Bob
is responsible for drafting all the requirements that detail how data should
be handled: classification, ACLs, etc.

> 3. Alice agrees that Bob can conduct audits/pen tests, as long as the
> results are shared with Bob, the tests are designed to be
> non-damaging, and don't use knowledge from (2).  (This one is clearly
> controversial; however, Bob would really like assurance that Alice
> isn't falling behind on their patching...)

Depends on the project.  If Alice is willing to share the liability of
handling sensitive data then Bob may be covered; he's reduced the risk
and pushed it on to Alice.
Providing that Alice has had some audit, and can show that security exists
and is in place (scenario based), then a full pen test et al. is not necessary
in many scenarios.

From my experience, external agents that do processing of sensitive data
must satisfy some requirement of security.  This generally comes down to
basic perimeter firewall security, and no security internally.  It is
especially important that you state how you want security to be handled
internally: data segregation, data encryption, VPN standards... and more.

Binding this into a contract will need the help of two faculties within
Bob: legal, to do the necessary loophole checking etc., and also
security, because they will need to have preset standards and policies in
place to dictate.

Cheers
r.

Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards