Welcome back to the cybersecurity awareness month blog series, all about how contract management can help you improve your cybersecurity posture! If you missed the first post, check it out here.
Now that you know what cybersecurity stipulations should be in your contract, it’s time to discuss where to look for them. With LinkSquares Analyze, you can identify specific sections, clauses, and data points in your legal agreements, which we call Smart Values. Below are the Smart Values most likely to contain some version of the cybersecurity stipulations that CISA recommends.
These are the core Smart Values relevant to your cybersecurity posture.
The Data Security Clause will likely contain some version of Stipulations 1, 2, and 3. The level of specificity here is critical: many organizations promise only "industry standard," "reasonable," or "generally accepted" security measures, or similar vagaries that are hard to verify and harder to enforce. When you redline a contract, insist on explicit, testable measures (for example, a named security standard the vendor must maintain, encryption requirements for data at rest and in transit, and access controls) rather than adjectives.
The next Smart Value covers security audits. This clause specifies how often an outside party verifies the vendor's promised security measures and how you can request copies of those attestations. Make sure you are entitled to receive these reports on a regular schedule and in a timely fashion, and check the scope of each report: an attestation that covers a different product or business unit says nothing about the service you are buying. Several subordinate Smart Values note whether specific security attestations are mentioned.
Is there any mention of "SOC" in the document? In a vendor contract this is most likely a reference to the System and Organization Controls (SOC) reports defined by the AICPA, which cover financial reporting and information security controls. Note that "SOC" can also mean Security Operations Center, so check the context.
Is there any mention of "SOC 1 Type 1" in the contract? This is a point-in-time attestation that the vendor's controls relevant to financial reporting are suitably designed.
Is there any mention of "SOC 1 Type 2" in the contract? This attests that those financial-reporting controls operated effectively over a review period, typically six to twelve months.
Is there any mention of "SOC 2 Type 1" in the contract? This is a point-in-time attestation that the vendor's information security controls (measured against the AICPA Trust Services Criteria: security, and optionally availability, processing integrity, confidentiality, and privacy) are suitably designed.
Is there any mention of "SOC 2 Type 2" in the contract? This attests that those information security controls operated effectively over a review period, and is the report most security teams want to see.
Is there any mention of "SOC 3" in the contract? This is a general-use summary of a SOC 2 report that omits the detailed control descriptions and test results, so it is useful as a signal but not as a substitute for a full SOC 2 Type 2 report.
Is there any mention of the US Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule and Privacy Rule impose explicit information security and privacy requirements, in the document?
Is there any mention of the International Organization for Standardization (ISO), including any of its compliance and security standards such as ISO/IEC 27001 for information security management, in the document? A mention is not a certification; ask for the certificate and its scope.
Is there any mention of the Payment Card Industry Data Security Standard (PCI DSS), which governs the security of credit and debit card transactions and cardholder data, in the document?
Is there any mention of HITRUST (the HITRUST CSF, a certifiable security framework widely used in healthcare) in the document?
The next Smart Value covers breach response. This clause spells out the procedures a vendor will follow if a cyberattack succeeds, which is called for in Stipulation 4. Read it carefully: it defines your rights when a vendor fails to protect your data and systems, including what information the vendor must share with you and how quickly. LinkSquares Analyze can also call out subordinate Smart Values here.
In the event of a data breach, if you are entitled to immediate notification, this Smart Value will highlight that contact obligation.
In the event of a data breach, if you are not entitled to immediate notification, this Smart Value will call out how long a vendor can wait after a breach to notify you of the attack. Check what starts the clock (discovery of the incident versus confirmation that your data was affected) and whether the window is counted in calendar or business days; these details decide how much of your own incident response timeline the vendor consumes.
The final core Smart Value covers data retention. This clause describes a party's process for continuing to store the other party's data for compliance or business reasons. Knowing who has the right to retain your data, for how long, and where is critical to crisis management: retained copies are still in scope when a breach occurs.
But wait, there’s more! Next week on the blog we’ll go over even more LinkSquares Smart Values for cybersecurity – you don’t want to miss it. Subscribe to the blog and we’ll keep you up-to-date.