Firewall Wizards mailing list archives

Re: Security clauses for contracts


From: Bret Watson <lists () ticm com>
Date: Tue, 21 May 2002 08:24:22 +0800

Hi Adam,
hmm penetration tests I'd probably drop, but audits are always there... we make it a standard condition that we can audit third party suppliers of information processing and IT outsourcing.

Viewing the relevant policies I think is fine - though we tend not to take them seriously... Better though is to ask "where is your BS7799 certification?" or their SAS70 audit certification.

Recent audits can have low value as well unless you know the competency and relationship of the auditors, then I would only take them as guidance (especially if they are Big N-1 right now)...

We've been looking at our T&Cs with software vendors at the moment... we've added "and security issues" to our warranty clause... we'll see what the vendor reaction is, but what we ask is that they warrant the systems are free from security issues and that they will fix the issues at no charge for our set warranty period. :}

Cheers,

Bret


At 15:28 20/05/02 -0400, you wrote:
In thinking about liability issues, and more generally contracts, the
question of "what security tidbits do you put into a contract?" comes
up.  (Also, I've been asked to think about this by some colleagues, in
the context of Bob hiring Alice to process sensitive information.)
Alice claims to "take security and privacy very seriously."

A few of the things I'd like to see:

1. Alice will provide copies of their security and privacy policies to
Bob.

2. Alice will provide copies of recent audits to Bob.

3. Alice agrees that Bob can conduct audits/pen tests, as long as the
results are shared with Bob, the tests are designed to be
non-damaging, and don't use knowledge from (2).  (This one is clearly
controversial; however, Bob would really like assurance that Alice
isn't falling behind on their patching...)

Are these reasonable?  Are there other things that you'd want to see
in such a contract?

Adam



--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
