Firewall Wizards mailing list archives
Re: Security clauses for contracts
From: Dave Piscitello <dave () corecom com>
Date: Tue, 21 May 2002 10:13:19 -0400
"Process sensitive information" is rather generic. But your clauses suggest this is an engagement contract for a security audit. And for the most part, you've stipulated things from Alice's point of view. What you state is reasonable for Alice. But I think it's common that Bob has more demands, especially where Bob takes security very seriously.

I can think of several additional clauses to contracts where Bob's sensitive information is processed by Alice. I imagine you have simply skipped over the non-disclosure agreement, and clearly, this is essential. Also, where sensitive information is disclosed, I've seen contracts stipulating the exact number and format of the disclosed material, appropriate handling (literally, a chain of custody), and its disposition following the authorized processing. Enumeration of Alice's staff engaged by Bob is common. Background checks on this staff are common. Disclosure of Alice's operations environment, its physical and "logical" security measures, is common. Procedures for "auditing the auditor", including site visits, accompaniment or participation in the security audit process, are common.

I recently ran into a unique situation that may illustrate my point. For some set of Bobs, it may be the case that sensitive information (e.g., application payloads) cannot be legally disclosed--specifically, Bob is not the owner of the information and cannot authorize its disclosure, as Bob's already agreed contractually to protect it. I'm working with an auditing/performance analysis company, Alice, who is developing a hardware probe specifically for the Bobs of the world, where packet header analysis is performed, and application payload is scrubbed, before the packets, interpacket delays, etc. are made available to Alice.

At 03:28 PM 5/20/2002 -0400, you wrote:
> In thinking about liability issues, and more generally contracts, the question of "what security tidbits do you put into a contract?" comes up. (Also, I've been asked to think about this by some colleagues, in the context of Bob hiring Alice to process sensitive information.) Alice claims to "take security and privacy very seriously." A few of the things I'd like to see:
>
> 1. Alice will provide copies of their security and privacy policies to Bob.
> 2. Alice will provide copies of recent audits to Bob.
> 3. Alice agrees that Bob can conduct audits/pen tests, as long as the results are shared with Bob, the tests are designed to be non-damaging, and don't use knowledge from (2). (This one is clearly controversial; however, Bob would really like assurance that Alice isn't falling behind on their patching...)
>
> Are these reasonable? Are there other things that you'd want to see in such a contract?
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once." -Hume
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
David M. Piscitello
Core Competence, Inc. & The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/
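The header-preserving, payload-scrubbing probe described in the reply above, sketched as an added Python example (this is not the probe's code and not from the list; the frame builder, MAC/IP addresses, ports and timestamps are constructed, and checksums are dummies). It keeps every link, IPv4 and TCP/UDP header byte and the inter-packet delays, and zeroes the application payload plus the transport checksum that was computed over it:

```python
import struct

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17

def scrub_payload(frame: bytes) -> bytes:
    """Copy of an Ethernet frame with the application payload zeroed.
    Ethernet/IPv4/TCP/UDP headers are kept byte-for-byte (addresses, ports,
    flags, sequence numbers and packet length survive for analysis). The
    transport checksum is zeroed too, since it was computed over the payload.
    Anything not parseable as IPv4 over TCP/UDP is zeroed after the last header
    that was parsed, erring on the side of disclosing less."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return frame[:14] + b"\x00" * max(len(frame) - 14, 0)
    ihl = (frame[14] & 0x0F) * 4
    l4 = 14 + ihl
    if ihl < 20 or len(frame) < l4:
        return frame[:14] + b"\x00" * (len(frame) - 14)
    proto = frame[14 + 9]
    if proto == PROTO_TCP and len(frame) >= l4 + 20:
        payload, cksum = l4 + (frame[l4 + 12] >> 4) * 4, l4 + 16
    elif proto == PROTO_UDP and len(frame) >= l4 + 8:
        payload, cksum = l4 + 8, l4 + 6
    else:
        return frame[:l4] + b"\x00" * (len(frame) - l4)
    out = bytearray(frame)
    out[cksum:cksum + 2] = b"\x00\x00"
    out[payload:] = b"\x00" * (len(frame) - payload)
    return bytes(out)

def scrub_capture(packets):
    """[(timestamp_us, frame)] -> [(delay_since_previous_us, scrubbed_frame)].
    Inter-packet delays are kept; absolute timestamps and payloads are not."""
    out, prev = [], None
    for ts, frame in packets:
        out.append((0 if prev is None else ts - prev, scrub_payload(frame)))
        prev = ts
    return out

def build_tcp_frame(payload: bytes) -> bytes:
    """Constructed IPv4/TCP frame for the demo (dummy checksums, not validated)."""
    eth = bytes([2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1]) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64,
                     PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0xBEEF, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    cap = [(1_000_000, build_tcp_frame(b"GET /secret HTTP/1.1\r\n")),
           (1_250_000, build_tcp_frame(b"POST /login user=bob\r\n"))]
    for delay_us, f in scrub_capture(cap):
        print(delay_us, f.hex())
```

Zeroing rather than truncating keeps the IP total-length field consistent with the frame, so packet sizes stay usable for performance analysis while the payload content is gone.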