1. Work with the company's own information security team to create a set of minimum control standards, which will protect their data. Include this document as a checklist to be certified annually. Share this document with vendors and have those vendors also certify the checklist.
2. Do not allow company data to be delivered to any third party (including affiliates) without their written approval.
3. Request the right to conduct on-site audits at subvendors or allow vendors to conduct those audits.
4. When invoking those audit rights, use "show me" style testing; obtain physical evidence
5. Ensure vendors receive a SAS 70 from their vendors and, if possible, obtain rights to review the SAS 70. (A SAS 70 is a report that a service organization obtains from an outside auditor representing that the service organization has been through an in-depth audit of their control objectives and control activities.)
6. Include penalties for "incidents" or any violations of the contract (particularly if a breach occurs). Include language that ensures the vendor or subvendor will share a financial stake in any post-breach activities
7. Research relevant federal and state laws to ensure they maintain these standards. Create controls to help ensure adherence to those standards and ensure vendors and their vendors implement those controls
8. For anyone that possesses company data, document what the company wants them to do with the data upon termination of the contract--destroy it, return it or store it.
PETE PEARLMAN is a consultant with Navigant Consulting.
November 1, 2007
Copyright 2007© LRP Publications