Firewall Wizards mailing list archives

Re: Security clauses for contracts


From: Matt Curtin <cmcurtin () interhack net>
Date: 22 May 2002 17:41:20 -0400

"Scott, Richard" <Richard.Scott () BestBuy com> writes:

> 1. Alice will provide copies of their security and privacy policies
> to Bob.

There's an inherent problem here where Bob is hiring Alice for
security work that includes policy.  That's hardly unheard-of among
readers of this list.  That is, Bob could just get Alice's policies,
and then decide not to go through with the deal, opting instead to
model his own policies after "what he's seen around".

Solving this problem might be a straightforward matter of signing some
kind of letter of intent, and that failure to negotiate security and
privacy concerns could nuke the deal.

> It is especially important that you state how you want security to
> be handled internally.  Data segregation, data encryption, VPN
> standards... and more.

Things can get pretty complicated when dealing with various
organizations that have different notions of access control.  An
organization that puts everything into some mandatory access control
scheme might have difficulty negotiating protection terms with an
organization whose notion of access control is tied to the ability to
find stuff in Bob's office. :-)

-- 
Matt Curtin  Interhack Corp  +1 614 545 HACK http://web.interhack.com/
Author,  Developing Trust: Online Privacy and Security  (Apress, 2001)
Knight, Lambda Calculus | Certum quod factum. --Giovanni Battista Vico
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

