Firewall Wizards mailing list archives
Re: Security clauses for contracts
From: Bret Watson <lists () ticm com>
Date: Tue, 21 May 2002 08:24:22 +0800
Hi Adam,

Hmm, penetration tests I'd probably drop, but audits are always there... we make it a standard condition that we can audit third party suppliers of information processing and IT outsourcing.
Viewing the relevant policies I think is fine - though we tend not to take them seriously... Better though is to ask "where is your BS7799 certification?" or for their SAS70 audit certification.
Recent audits can have low value as well, unless you know the competency and relationship of the auditors; otherwise I would only take them as guidance (especially if they are Big N-1 right now)...
We've been looking at our T&Cs with software vendors at the moment... we've added "and security issues" to our warranty clause.. we'll see what the vendor reaction is, but what we ask is that they warrant the systems are free from security issues and that they will fix the issues at no charge for our set warranty period. :}
Cheers,

Bret

At 15:28 20/05/02 -0400, you wrote:
> In thinking about liability issues, and more generally contracts, the question of "what security tidbits do you put into a contract?" comes up. (Also, I've been asked to think about this by some colleagues, in the context of Bob hiring Alice to process sensitive information.) Alice claims to "take security and privacy very seriously." A few of the things I'd like to see:
>
> 1. Alice will provide copies of their security and privacy policies to Bob.
>
> 2. Alice will provide copies of recent audits to Bob.
>
> 3. Alice agrees that Bob can conduct audits/pen tests, as long as the results are shared with Bob, the tests are designed to be non-damaging, and don't use knowledge from (2). (This one is clearly controversial; however, Bob would really like assurance that Alice isn't falling behind on their patching...)
>
> Are these reasonable? Are there other things that you'd want to see in such a contract?
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once." -Hume
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards