Transcript
Page 1: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements

@NTXISSA #NTXISSACSC4

Mitigating Security Risks in Vendor Agreements

Brian Kirkpatrick, JD, MA (Econ), C|CISO, C|EH, President and Technology Attorney

Kirkpatrick Law PC, October 2016

This presentation is about legal issues, but is not legal advice. An attorney should be consulted for advice regarding your individual situation.

Page 2: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Answers to Common Questions

We are security professionals, not lawyers.

Why should the contracts be our problem?

NTXISSA Cyber Security Conference – October 7-8, 2016

Page 3: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Answers to Common Questions

Security is everyone's problem and responsibility.


Page 4: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Answers to Common Questions

We are short staffed, budget constrained, and have too much work already.

Why should I do the legal department's job too?


Page 5: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Answers to Common Questions

Improve Vendor Agreements

Prevent Big Problems

The Security Organization is in the Best Position to Identify Technical Risks


Page 6: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Answers to Common Questions

What's in it for me?


Page 7: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Build Trust with your Partners

Improve the Legal/Security Relationship


Page 8: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Top Security Issues

Top 5 issues to review:

1. Vendor's Information Security Program
2. Security Standards
3. Data Breach Insurance
4. Security Audits
5. Information Security Warranty


Page 9: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Vendor's Information Security Program

We need to understand how the vendor is currently protecting its customers' information.


Page 10: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Vendor's Information Security Program

• The vendor should actually have an information security program.

• The information security program should be attached to the agreement.

• The agreement should include a warranty to comply with the attached program.


Page 11: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Vendor's Information Security Program

Sample basic language:

Vendor warrants that it will at all times comply with the Information Security Program attached as Exhibit A.


Page 12: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Standards

• The security standards should be identified.

• Whose standards matter?

• What standards apply?


Page 13: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Standards

• Ask the vendor what security standards it uses to protect its clients' information.

• "Industry standard" is vague.

• Determine what standards are required by your industry: PCI DSS, HIPAA, GLBA, etc.

• Find the standards named in the agreement.


Page 14: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Standards

Sample basic language:

Vendor will perform in accordance with the security standards as they apply to the healthcare industry. Specifically, Vendor will comply with HIPAA.


Page 15: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Data Breach Insurance

If a Customer's data is lost, stolen or misused, how will the Vendor compensate the Customer?


Page 16: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Data Breach Insurance

• Is the vendor insured with the appropriate coverage types?

• Is the vendor insured at the appropriate amounts?

• Are the insurance requirements illustrated in the agreement?

• Is your business named as a beneficiary?


Page 17: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Data Breach Insurance

Sample basic language:

During the term of this agreement and for 3 years thereafter, Vendor shall maintain a minimum of $500,000 of data breach insurance, name Customer as the beneficiary, and provide Customer with a Certificate of Insurance within 10 days of executing the agreement.


Page 18: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Audits

Customers need a mechanism to verify that the Vendor is providing the security controls that it promised.


Page 19: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Audits

3 ways to audit:

1. Customer enters the physical premises to audit the controls directly.

2. Vendor obtains a 3rd-party audit (SSAE 16) and provides it to Customer.

3. Vendor provides Customer with a signed self-attestation of compliance.


Page 20: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Security Audits

Sample basic language:

No less than annually, Vendor will retain a third-party certified public accounting firm to perform an SSAE 16 audit of security measures and provide the report to Customer promptly after receipt.


Page 21: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Information Security Warranty

Services that include information security controls and data protection safeguards should include a warranty to protect the Customer against a loss.


Page 22: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Information Security Warranty

• Usually, all warranties are disclaimed unless specifically stated.

• A warranty should be included regarding:

1. Compliance with the security program
2. Performance in accordance with the standards
3. Conducting security audits
4. Maintaining appropriate insurance coverage


Page 23: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Information Security Warranty

Sample basic language:

Vendor warrants that it will abide by the security program in Exhibit A, perform the services in accordance with the [applicable laws and standards], maintain insurance as described in this agreement, and conduct an annual 3rd-party audit of the security controls.


Page 24: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


Summary

• Every industry has different risks.

• Vendor contracts are your initial sources for legal and technical information protection.

• Legal and Security organizations should form a tight alliance.


Page 25: NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements


The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)


Thank you
