Educause Security Discussion mailing list archives

Re: Confidentiality Agreement with third party vendor


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Tue, 26 Aug 2008 17:30:29 -0400

Those are all things to be considered. There are a few additional areas that
should probably be addressed:

1. Data lifecycle/data destruction. You'll want the third party to do the
appropriate work as required by the contract, but at some point, you want to
have assurances that the data is being destroyed in an appropriate manner.
Most generally, you should look for data destruction processes that are DoD
compliant -- could include software wipe, physical destruction of media,
etc.

2. You might want to request, at least, a summary of the third party's
security policies and procedures. This helps you determine, at least at a
very basic level, what kind of security posture they have. Solid policies
and standards don't guarantee anything, but it's sort of a quick-hit review
point.

3. Right to review. I'd recommend adding language that reserves the right to
require a review of the third party's security systems as they pertain to
the work being done. You may never use it, but it A) gives you a contracted
basis for establishing a more comprehensive third party review process in
the future and B) gives you more leverage in the event of a breach. I'd
probably use some language that includes reserving the right to review, up
to, and including, physical site inspections, vulnerability scanning and
penetration testing. Make it a standard clause in your security language.

Good luck!

Mike

On Tue, Aug 26, 2008 at 4:57 PM, Jeff Holden <JHolden () mtsac edu> wrote:


Do any of you have a confidentiality agreement they can share with me on or
off list.  I need one pertaining to a third party that is going to convert
data from one format to another.  All the confidentiality agreements I have
found are more structured to business use or for research data.  I want it
to include clauses that data is only to be used for the intended purpose of
converting formats, won't be transmitted unencrypted, won't be disclosed to
anyone, will be disclosed to us if their security is breached, and that the
data will securely be deleted after the process is complete and any other
standard clauses needed to CMA.

Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611 X5017


Current thread: