Educause Security Discussion mailing list archives
Re: Confidentiality Agreement with third party vendor
From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Tue, 26 Aug 2008 17:30:29 -0400
Those are all things to be considered. There are a few additional areas that should probably be addressed:

1. Data lifecycle/data destruction. You'll want the third party to do the appropriate work as required by the contract, but at some point, you want to have assurances that the data is being destroyed in an appropriate manner. Most generally, you should look for data destruction processes that are DoD compliant -- could include software wipe, physical destruction of media, etc.

2. You might want to request, at least, a summary of the third party's security policies and procedures. This helps you determine, at least at a very basic level, what kind of security posture they have. Solid policies and standards don't guarantee anything, but it's sort of a quick-hit review point.

3. Right to review. I'd recommend adding language that reserves the right to require a review of the third party's security systems as they pertain to the work being done. You may never use it, but it A) gives you a contracted basis for establishing a more comprehensive third party review process in the future and B) gives you more leverage in the event of a breach. I'd probably use some language that includes reserving the right to review, up to, and including, physical site inspections, vulnerability scanning and penetration testing. Make it a standard clause in your security language.

Good luck!

Mike

On Tue, Aug 26, 2008 at 4:57 PM, Jeff Holden <JHolden () mtsac edu> wrote:

> Do any of you have a confidentiality agreement you can share with me on or off list? I need one pertaining to a third party that is going to convert data from one format to another. All the confidentiality agreements I have found are more structured to business use or for research data. I want it to include clauses that data is only to be used for the intended purpose of converting formats, won't be transmitted unencrypted, won't be disclosed to anyone, will be disclosed to us if their security is breached, and that the data will be securely deleted after the process is complete, and any other standard clauses needed to CMA.
>
> Thanks,
>
> Jeff Holden, CISSP, RHCE
> Manager, Network & Data Security
> Mt. San Antonio College
> (909) 594-5611 X5017