Welcome back to the cybersecurity awareness month blog series, all about how contract management can help you improve your cybersecurity posture! If you missed the first post, check it out here.
Now that you know what cybersecurity stipulations should be in your contract, it’s time to discuss where to look for them. With LinkSquares Analyze, you can identify specific sections, clauses, and data points in your legal agreements, which we call Smart Values. Below are the Smart Values most likely to contain some version of the cybersecurity stipulations that CISA recommends.
Primary Cybersecurity Smart Values
These are the core Smart Values relevant to your cybersecurity posture.
Data Security Clause
The Data Security Clause will likely contain some version of Stipulations 1, 2, and 3. The level of specificity here is critical, as many organizations will simply promise “industry standard,” “reasonable measures,” “generally accepted” security practices or similar vagaries. When you redline a contract, make sure you insist on explicit measures.
Data Security Audit and Certification
This clause specifies how often an outside party verifies a vendor’s promised security measures, as well as how you can request copies of those attestations. Make sure you can access these reports in a timely and regular fashion. There are several subordinate Smart Values that note whether specific security attestations are available.
Data Security - SOC
Is there any mention of "SOC" in the document, which is most likely a reference to the System and Organization Controls (SOC) standards for accounting and information best practices?
Data Security - SOC 1 Type 1
Is there any mention of "SOC 1 Type 1" one-time financial controls attestations in the contract?
Data Security - SOC 1 Type 2
Is there any mention of "SOC 1 Type 2" ongoing financial controls attestations in the contract?
Data Security - SOC 2 Type 1
Is there any mention of "SOC 2 Type 1" one-time information security controls attestations in the contract?
Data Security - SOC 2 Type 2
Is there any mention of "SOC 2 Type 2" ongoing information security controls attestations in the contract?
Data Security - SOC 3
Is there any mention of "SOC 3" simplified information security controls attestations in the contract?
Data Security - HIPAA
Is there any mention of the US Health Information Portability and Accountability Act (HIPAA), which includes explicit information security and privacy guarantees, in the document?
Data Security - ISO
Is there any mention of the International Organization for Standardization (ISO), including any of their explicit compliance and security standards, in the document?
Data Security - PCI DSS
Is there any mention of the Payment Card Industry Data Security Standard (PCI DSS), which governs the security of credit and debit card transaction data and cardholder data, in the document?
Data Security - HITRUST
Is there any mention of HITRUST in the document?
Data Breach
This clause will spell out the procedures a vendor will follow in the event that a cyberattack is successful, which is called for in Stipulation 4. You should read this clause carefully, as it spells out your rights when a vendor fails to protect your data and systems, including what information the vendor must share, and how quickly. There are also subordinate Smart Values that LinkSquares Analyze can explicitly call out.
Data Breach Notify Immediately
In the event of a data breach, if you are entitled to immediate notification, this Smart Value will highlight that contact obligation.
Data Breach Notification Period
In the event of a data breach, if you are not entitled to immediate notification, this Smart Value will call out how long a vendor can wait after a breach to notify you of the attack.
Data Retention Clause
This clause describes a party's process for continuing to store the other party's data for compliance or business reasons. Knowing who has the rights to store your data is critical to crisis management.
But wait, there’s more! Next week on the blog we’ll go over even more LinkSquares Smart Values for cybersecurity – you don’t want to miss it. Subscribe to the blog and we’ll keep you up-to-date.