ntxissacsc4 - mitigating security risks in vendor agreements
TRANSCRIPT
@NTXISSA#NTXISSACSC4
MitigatingSecurityRisksinVendorAgreements
BrianKirkpatrick,JD,MA(Econ),C|CISO,C|EHPresidentandTechnologyAttorney
KirkpatrickLawPCOctober2016
Thispresentationisaboutlegalissues,butisnotlegaladvice.Anattorneyshouldbeconsultedforadviceregardingyourindividualsituation.
@NTXISSA#NTXISSACSC4
AnswerstoCommonQuestions
Wearesecurityprofessionals,notlawyers.
Whyshouldthecontractsbeourproblem?
NTXISSACyberSecurityConference– October7-8,2016 2
@NTXISSA#NTXISSACSC4
AnswerstoCommonQuestions
Securityiseveryone’sproblemandresponsibility
NTXISSACyberSecurityConference– October7-8,2106 3
@NTXISSA#NTXISSACSC4
AnswerstoCommonQuestions
Weareshortstaffed,budgetconstrained,andhavetoomuchworkalready.
WhyshouldIdothelegaldepartment’sjobtoo?
NTXISSACyberSecurityConference– October7-8,2106 4
@NTXISSA#NTXISSACSC4
AnswerstoCommonQuestions
ImproveVendorAgreements
PreventBigProblems
SecurityOrganizationisintheBestPositiontoIdentifyTechnicalRisks
NTXISSACyberSecurityConference– October7-8,2106 5
@NTXISSA#NTXISSACSC4
AnswerstoCommonQuestions
What’sinitforme?
NTXISSACyberSecurityConference– October7-8,2106 6
@NTXISSA#NTXISSACSC4
BuildTrustwithyourPartners
ImprovetheLegal/SecurityRelationship
NTXISSACyberSecurityConference– October7-8,2106 7
@NTXISSA#NTXISSACSC4
TopSecurityIssues
Top5issuestoreview:
1. Vendor’sInformationSecurityProgram2. SecurityStandards3. DataBreachInsurance4. SecurityAudits5. InformationSecurityWarranty
NTXISSACyberSecurityConference– October7-8,2106 8
@NTXISSA#NTXISSACSC4
Vendor’sInformationSecurityProgram
Weneedtounderstandhowthevendoriscurrentlyprotectingitscustomer’s
information.
NTXISSACyberSecurityConference– October7-8,2106 9
@NTXISSA#NTXISSACSC4
Vendor’sInformationSecurityProgram
• Thevendorshouldactuallyhaveaninformationsecurityprogram.
• Theinformationsecurityprogramshouldbeattachedtotheagreement.
• Theagreementshouldincludeawarrantytocomplywiththeattachedprogram.
NTXISSACyberSecurityConference– October7-8,2106 10
@NTXISSA#NTXISSACSC4
Vendor’sInformationSecurityProgram
Samplebasiclanguage:
VendorwarrantsthatitwillatalltimescomplywiththeInformationSecurityProgramattachedasExhibitA.
NTXISSACyberSecurityConference– October7-8,2106 11
@NTXISSA#NTXISSACSC4
SecurityStandards
• Thesecuritystandardsshouldbeidentified.
• Who’sstandardsmatter?
• Whatstandardsapply?
NTXISSACyberSecurityConference– October7-8,2106 12
@NTXISSA#NTXISSACSC4
SecurityStandards
• Askthevendorwhatsecuritystandardsitusestoprotectitsclient’sinformation.
• The“Industrystandard”isvague.
• Determinewhatstandardsarerequiredbyyourindustry.PCI-DSS,HIPAA,GLBA,etc.
• Findthestandardsnamedintheagreement.
NTXISSACyberSecurityConference– October7-8,2106 13
@NTXISSA#NTXISSACSC4
SecurityStandards
Samplebasiclanguage:
Vendorwillperforminaccordancewiththesecuritystandardsastheyapplytothehealthcareindustry.Specifically,VendorwillcomplywithHIPAA.
NTXISSACyberSecurityConference– October7-8,2106 14
@NTXISSA#NTXISSACSC4
DataBreachInsurance
IfaCustomer’sdataislost,stolenormisused,howwilltheVendorcompensate
theCustomer?
NTXISSACyberSecurityConference– October7-8,2106 15
@NTXISSA#NTXISSACSC4
DataBreachInsurance
• Isthevendorinsuredwiththeappropriatecoveragetypes?• Isthevendorinsuredattheappropriateamounts?• Aretheinsurancerequirementsillustratedintheagreement?• Isyourbusinessnamedasabeneficiary?
NTXISSACyberSecurityConference– October7-8,2106 16
@NTXISSA#NTXISSACSC4
DataBreachInsurance
• Samplebasiclanguage:
Duringthetermofthisagreementandfor3yearsthereafter,Vendorshallmaintainaminimumof$500,000ofdatabreachinsurance,nameCustomerasthebeneficiary,andprovideCustomerwithaCertificateofInsurancewithin10daysofexecutingtheagreement.
NTXISSACyberSecurityConference– October7-8,2106 17
@NTXISSA#NTXISSACSC4
SecurityAudits
Customer’sneedamechanismtoverifythattheVendorisprovidingthesecuritycontrolsthatitpromised.
NTXISSACyberSecurityConference– October7-8,2106 18
@NTXISSA#NTXISSACSC4
SecurityAudits
3waystoaudit:
1. Customerentersthephysicalpremisestoauditthecontrolsdirectly.
2. Vendorobtainsa3rd partyaudit(SSAE16)andprovidestoCustomer.
3. VendorprovidesCustomerwithasignedself-attestationofcompliance.
NTXISSACyberSecurityConference– October7-8,2106 19
@NTXISSA#NTXISSACSC4
SecurityAudits
Samplebasiclanguage:
Nolessthanannually,Vendorwillretainathird-partycertifiedpublicaccountingfirmtoperformaSSAE16auditofsecuritymeasuresandprovidethereporttoCustomerpromptlyafterreceipt.
NTXISSACyberSecurityConference– October7-8,2106 20
@NTXISSA#NTXISSACSC4
InformationSecurityWarranty
Servicesthatincludeinformationsecuritycontrolsanddataprotectionsafeguardsshouldincludeawarrantytoprotectthe
Customeragainstaloss.
NTXISSACyberSecurityConference– October7-8,2106 21
@NTXISSA#NTXISSACSC4
InformationSecurityWarranty
• Usually,allwarrantiesaredisclaimedunlessspecificallystated.
• Awarrantyshouldbeincludedregarding:1. Compliancewiththesecurityprogram2. Performanceinaccordancewiththestandards3. Conductingsecurityaudits4. Maintainingappropriateinsurancecoverage
NTXISSACyberSecurityConference– October7-8,2106 22
@NTXISSA#NTXISSACSC4
InformationSecurityWarranty
Samplebasiclanguage:
VendorwarrantsthatitwillabidebythesecurityprograminExhibitA,performtheservicesinaccordancewiththe[applicablelawsandstandards],maintaininsuranceasdescribedinthisagreement,andconductanannual3rd partyauditofthesecuritycontrols.
NTXISSACyberSecurityConference– October7-8,2106 23
@NTXISSA#NTXISSACSC4
Summary
• Everyindustryhasdifferentrisks.
• Vendorcontractsareyourinitialsourcesforlegalandtechnicalinformationprotection.
• LegalandSecurityorganizationsshouldformatightalliance.
NTXISSACyberSecurityConference– October7-8,2106 24
@NTXISSA#NTXISSACSC4@NTXISSA#NTXISSACSC4
The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA
NorthTexasISSA(InformationSystemsSecurityAssociation)
NTXISSACyberSecurityConference– October7-8,2016 25
Thankyou