Welcome back! This article serves as part two in my Vendor Risk Management blog series, continuing the discussion on some important factors of creating and renewing third-party contracts. In my previous article I briefly explained the importance of building a detailed Service Level Agreement (SLA) into new and preexisting third-party contracts, to ensure that all parties meet agreed upon obligations and expectations to maintain a healthy and mutually beneficial relationship. In addition to SLAs as part of a standard contract process, guidelines and requirements set forth by the contracting party to protect information should also be generated, utilized, and shared.
Information Security Responsibilities
The importance of information security and appropriate data management practices cannot be overstated in today’s threat landscape. There is an expectation in every business relationship that both digital and hard-copy forms of information will be shared at some point, if not on a regular basis as part of a contractual obligation or service offering. This can include anything from internal business data and private client data to reports, logs, and metrics. It is therefore extremely important that strict information security requirements are set forth and documented at the beginning of the contract underwriting process and in every subsequent contract renewal. Information security standards can include:
Each party should have agreed-upon information security obligations as part of the contract that ensure overall security is maintained. Regardless of who accepts specific responsibilities, the protection, privacy, and security of the information is the primary goal. The contract should be written in such a way that there is no question as to which party is responsible in any given situation, while concurrently complying with applicable laws and regulations and still being able to meet bidirectional SLAs. Stay tuned for the next article in this series, where I dive into Third-Party Risk Analysis and Review requirements. Feel free to contact us to further discuss your unique vendor risk management situation!