Firewall Wizards mailing list archives

Re: Security clauses for contracts


From: Dave Piscitello <dave () corecom com>
Date: Tue, 21 May 2002 10:13:19 -0400

"Process sensitive information" is rather generic.
But your clauses suggest this is an engagement contract
for a security audit. And for the most part, you've stipulated
things from Alice's point of view. What you state is
reasonable for Alice. But I think it's common that Bob has more demands,
especially where Bob takes security very seriously.

I can think of several additional clauses to contracts where Bob's
sensitive information is processed by Alice. I imagine you have simply
skipped over the non-disclosure agreement, and clearly, this is essential.

Also, where sensitive information is disclosed, I've seen contracts
stipulating the exact number and format of the disclosed material,
appropriate handling (literally, a chain of custody), and its disposition
following the authorized processing.

Enumeration of Alice's staff engaged by Bob is common.
Background checks on this staff are common.
Disclosure of Alice's operations environment, its physical
and "logical" security measures is common.
Procedures for "auditing the auditor", including site visits,
accompaniment or participation in the security audit process,
are common.

I recently ran into a unique situation that may illustrate my point.
For some set of Bobs, it may be the case that sensitive information
(e.g., application payloads) cannot be legally disclosed--specifically,
Bob is not the owner of the information and cannot authorize its
disclosure, as Bob's already agreed contractually to protect it.
I'm working with an auditing/performance analysis company, Alice,
who is developing a hardware probe specifically for the Bobs of the
world, where packet header analysis is performed, and application
payload is scrubbed, before the packets, interpacket delays, etc.
are made available to Alice.



At 03:28 PM 5/20/2002 -0400, you wrote:
In thinking about liability issues, and more generally contracts, the
question of "what security tidbits do you put into a contract?" comes
up.  (Also, I've been asked to think about this by some colleagues, in
the context of Bob hiring Alice to process sensitive information.)
Alice claims to "take security and privacy very seriously."

A few of the things I'd like to see:

1. Alice will provide copies of their security and privacy policies to
Bob.

2. Alice will provide copies of recent audits to Bob.

3. Alice agrees that Bob can conduct audits/pen tests, as long as the
results are shared with Bob, the tests are designed to be
non-damaging, and don't use knowledge from (2).  (This one is clearly
controversial; however, Bob would really like assurance that Alice
isn't falling behind on their patching...)
Are these reasonable?  Are there other things that you'd want to see
in such a contract?

Adam



--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


David M. Piscitello
Core Competence, Inc. &
The Internet Security Conference
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
www.corecom.com
www.tisc2002.com
hhi.corecom.com/~yodave/
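The probe described in the reply above keeps packet headers and timing but scrubs the application payload before anything reaches the auditor. The following is an added Python example of that idea, not the probe's own code and not part of the original thread: it assumes plain Ethernet II / IPv4 framing with TCP or UDP on top, a capture supplied as (timestamp, frame) pairs, and zero-fills the payload so headers and lengths stay intact while recording the inter-packet delays. It also goes one step beyond the text: anything it cannot parse (non-IPv4, truncated or malformed headers) is treated as payload and scrubbed, so unknown traffic fails safe. The sample frames and the "secret" HTTP payload are constructed for this example.

```python
import struct
from typing import Iterable, List, Tuple

ETH_LEN = 14             # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def header_end(frame: bytes) -> int:
    """Offset where application payload starts; everything from here on is scrubbed.

    Walks Ethernet II -> IPv4 -> TCP/UDP. Anything that cannot be parsed is
    treated as payload, so unknown or malformed traffic errs towards scrubbing.
    """
    n = len(frame)
    if n < ETH_LEN:
        return 0                      # runt frame: nothing recognisable, scrub it all
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4 or n < ETH_LEN + 20:
        return ETH_LEN                # not IPv4 (or too short): keep only the link-layer header
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if ihl < 20 or ETH_LEN + ihl > n:
        return ETH_LEN                # malformed IHL: trust nothing past the Ethernet header
    proto = frame[ETH_LEN + 9]
    l4 = ETH_LEN + ihl
    if proto == PROTO_TCP:
        if n < l4 + 20:
            return l4                 # truncated TCP header: keep IP header only
        data_offset = (frame[l4 + 12] >> 4) * 4
        if data_offset < 20:
            return l4                 # malformed data offset
        return min(l4 + data_offset, n)   # TCP options count as header, not payload
    if proto == PROTO_UDP:
        return min(l4 + 8, n)
    return l4                         # other IP protocols: keep the IP header only


def scrub_frame(frame: bytes) -> bytes:
    """Zero-fill the payload, keeping headers and the original frame length.

    Zeroing rather than truncating keeps the IP total length and capture length
    consistent, so size-based and timing analysis still work on the result.
    """
    end = header_end(frame)
    return frame[:end] + bytes(len(frame) - end)


def scrub_capture(capture: Iterable[Tuple[float, bytes]]) -> List[Tuple[float, float, bytes]]:
    """Return (timestamp, inter-packet delay, scrubbed frame) for each packet in order."""
    out: List[Tuple[float, float, bytes]] = []
    prev = None
    for ts, frame in capture:
        delay = 0.0 if prev is None else ts - prev
        out.append((ts, delay, scrub_frame(frame)))
        prev = ts
    return out


# --- constructed sample traffic (not a real capture) ---------------------------

def build_ipv4_frame(proto: int, l4_header: bytes, payload: bytes) -> bytes:
    """Constructed frame: Ethernet II + IPv4 (no options) + L4 header + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4_header + payload


def tcp_header(options: bytes = b"") -> bytes:
    """Constructed TCP header; the data offset field covers any (4-byte padded) options."""
    assert len(options) % 4 == 0
    data_offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, data_offset_words << 4, 0x18, 65535, 0, 0) + options


SECRET = b"GET /account/42 HTTP/1.0\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
SAMPLE_CAPTURE = [
    (0.00000, build_ipv4_frame(PROTO_TCP, tcp_header(), SECRET)),
    (0.00085, build_ipv4_frame(PROTO_TCP, tcp_header(b"\x02\x04\x05\xb4"),   # MSS option
                               b"HTTP/1.0 200 OK\r\n\r\n<html>balance: 1234</html>")),
    (0.00210, build_ipv4_frame(PROTO_UDP, struct.pack("!HHHH", 53, 53, 8 + 12, 0),
                               b"\x00\x01\x01\x00" + b"\x00" * 8)),
]

if __name__ == "__main__":
    for ts, delay, frame in scrub_capture(SAMPLE_CAPTURE):
        kept = header_end(frame)
        print(f"t={ts:.5f}s delay={delay * 1000:.3f}ms len={len(frame)} "
              f"headers={kept}B scrubbed={len(frame) - kept}B secret_present={b'Authorization' in frame}")
```

For the first sample frame the headers end at byte 54 (14 + 20 + 20), so the scrubbed copy matches the original up to there and is all zeros afterwards; the frame with a TCP MSS option keeps 58 bytes, the UDP frame 42. A real probe would add IPv6, VLAN tags and IP options to `header_end`, but the shape stays the same: decide where the header stops, zero everything after it, and hand out only the scrubbed copy plus timing.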

