Vendor Risk Management: Information Security Responsibilities

Welcome back! This article serves as part two in my Vendor Risk Management blog series, continuing the discussion on some important factors of creating and renewing third-party contracts. In my previous article I briefly explained the importance of building a detailed Service Level Agreement (SLA) into new and preexisting third-party contracts, to ensure that all parties meet agreed upon obligations and expectations to maintain a healthy and mutually beneficial relationship. In addition to SLAs as part of a standard contract process, guidelines and requirements set forth by the contracting party to protect information should also be generated, utilized, and shared.

Information Security Responsibilities

The importance of information security and appropriate data management practices cannot be understated in today’s threat landscape. There is an expectation in every business relationship that both digital and hard copy forms of information will be shared at some point, if not on a regular basis as part of a contractual obligation or service offering. This can include anything from internal business data to private client data, to reports, logs, and metrics. This makes it extremely important and relevant that strict information security requirements are set forth and documented at the beginning of the contract underwriting process and in every subsequent renewal of contracts moving forward. Information security standards can include:

• How information is used, stored and shared
  Depending on what information requires protection and how it will be used, both parties should at the very least acknowledge where the data will be stored, whether physically or digitally. The party maintaining the storage location will usually be the one responsible for ensuring the appropriate controls are implemented. This includes situations where the data is stored by another third party that has already entered into a contractual agreement with approved SLAs to maintain the storage location on behalf of the primary party, such as a datacenter or cloud storage provider.
   
• How information is classified
  Data from both entities should have internally derived classifications that provide context to the appropriate security and access levels of information. Although the exact classification terminology and sharing protocols may differ, both parties will need to maintain an understanding of what each independent classification entails. A compromise can be made to classify any shared information in its own category with unique controls.
   
• How access to information is authorized and performed
  Similar to data classification, access to information must be controlled through a standard which has been agreed upon by both parties. Information access controls are usually implemented in the form of authorized user accounts with limitations based on the individual’s need to know, or job function. The method by which an individual is authorized to access information should be decided through a joint effort by each entity’s high-level information security personnel and the supervising manager of the user.
   
• Physical and logical controls protecting information
  Probably one of the most important responsibilities of any entity entering into a third-party contract are the methods and technologies by which information will be safeguarded. During the contract negotiations, both parties will likely need to divulge and prove the effectiveness of how they intend to secure the information they will have governance over. Depending on the format of the information in question, information will need to be protected by physical and/or digital means. Hardcopy information should be secured in locked, surveilled storage areas and receptacles, while digital information can be encrypted, made available on a least privilege basis, and accessible by specific means. In both cases, the information should be duplicated and backed up at an off-site location for disaster recovery purposes.
   
• Breach responsibilities
  All organizations should prepare for and be ready to respond to a data breach at one point or another. It is important for all parties of a budding or renewed contract engagement to determine and agree to their responsibilities in such an event. Some breach responsibilities can be included in the contract’s SLA, but the majority will be determined by a dedicated parameter of the agreement. Breach responsibilities include information sharing of the event, monitoring and documentation requirements, notifications of status, forensic responses, and mitigation and recovery activities.
   
• Information retention and destruction requirements
  As with anything in this material world, information is subject to a shelf life. There are legal, ethical, and security related reasons to ensure that a retention and destruction process is defined and enforced within the contract’s bindings. Most retention and destruction requirements are generally derived from state or federal laws and regulations and incorporated into company policy. However, there will still be variation for each party. A compromise by both parties based upon industry best practices, laws, and regulations will generally result in the best standard which can be incorporated back into the internal policies and procedures of each organization. As a point of reference, most information should only be retained as long as it is needed or required to by law and should be destroyed in a secure manner at the end of its lifecycle.

Each party should have agreeable information security obligations as a part of the contract that ensures that overall security is maintained. Regardless of who accepts specific responsibilities, the protection, privacy, and security of the information is the primary goal. The contract should be written in such a way that there is no question as to which party is responsible in any situation while concurrently complying with applicable laws and regulations and still being able to meet bidirectional SLAs. Stay tuned for the next article in this series, where I dive into Third-Party Risk Analysis and Review requirements. Feel free to contact us to further discuss your unique vendor risk management situation!