Article written by:
Doug Davidson, CISA
Director of Information Technology Services
Many companies today are obligating their downstream vendors and suppliers contractually for security controls, compliance and/or service level agreements related to security and privacy activities.
This is a direct result of the third party breaches that began in 2013 with the Target PCI cardholder breach. A hacker gained access to the company’s cardholder environment, which exposed 70 million records, through the systems of a third party HVAC vendor providing services to Target.
Not wanting to turn down business, vendors and suppliers oftentimes accept these security and privacy obligations as a condition of the sale. Companies do this without understanding the obligations, without assigning them to IT and security operations to implement the controls, and without formally accepting the risk of operating without the controls.
An agreement exists that requires the company to implement certain controls, adopt certain frameworks or perform certain actions. No one tells those responsible for operations, IT or information security about those obligations.
This creates a contractual compliance gap and unmanaged risk for many firms.
We are beginning to explore that scenario when we scope our information risk assessments and security assessments.
When we conduct an information risk assessment or security assessment, GBQ IT Services can conduct a detailed contract review. We will go through the contract language and identify obligations that have been accepted for our client’s security and information technology programs.
Here are some lessons learned from those contracts we have reviewed so far in 2018:
Companies obligate based on their regulatory model and what they know.
Large companies are requiring suppliers, particularly services and information technology providers, to accept contractual obligations aligned with the buying company’s industry. This means that if you sell into health care, you are likely to be obligated to HIPAA even if you have no access to medical record data (referred to as ePHI). If you sell into financial institution markets, you may be obligated to payment card compliance even if you do not have access to that company’s customers’ credit card information.
One firm that serviced a utility market had contracts obligating it to critical infrastructure security frameworks (NERC CIP) that went well beyond what was required to protect the information and types of systems it operates. Yet it signed a contract obligating it to the higher standard.
Obligations take on one of three forms:
- An obligation to a particular information security control framework, such as NIST, ISO 27001 or ISO 27002; SOC; or a regulatory framework, such as HIPAA, PCI, NERC CIP, etc. Obligation to a framework can mean an obligation to hundreds of controls and considerable expense.
- An obligation to a specific security or privacy control. These obligations get to the point of the matter, which is generally a specific risk the customer is concerned about rather than a whole class of activity. This is more acceptable and manageable. For instance, an obligation to implement a security awareness program for employees based on NERC CIP is much less onerous than implementing all of NERC CIP, particularly when the full framework does not apply to the situation.
- An obligation to certain performance activities, such as reporting when certain events occur, including security events, incidents or breaches, outages or other IT events. On the surface these are reasonable requests, but they raise risk dramatically for a firm that does not have the wherewithal to identify, log, manage and report on those types of events.
Words matter. In layman’s terms, a security event is something related to security that happens. A security incident is an event that is validated as an actual security threat to the company. And finally, a security breach is an incident that involves the penetration of your IT assets and a loss or exposure event. It is reasonable to obligate your company to report on a breach that involves your customer data. It may be unreasonable for your firm to accept an obligation to report on events, because, depending on how an event is defined, events may occur daily.
Attorneys need to focus on the law; someone knowledgeable about information risk management, security and privacy needs to focus on the impact of the obligations. We are not attorneys. We are friends with many different attorneys in many different firms. Have an attorney review your contract. But understand that most attorneys do not understand the operational requirements of implementing security frameworks or specific security controls. It is imperative that an outside expert or an internal expert on your IT or information security staff be involved.
Signing the contract is not the end. To protect your company, your firm needs to have a risk-based, policy-defined information risk management program that focuses on measuring information risk across the entire business, involving not just IT but the directly affected business units and a senior management champion.