The Centauri Step, Governance and IT Security


Importance of the Security Schedule

Marion Mellor

Where do you start when it comes to demanding security rules in your contracts?

A revolution for Procurement

As you are no doubt aware, an ever-increasing number of parties and contracts are involved in everyday business operations. This stems from the growing number of players, start-ups, conventions, agreements and even alliances between global organizations seeking competitive advantage, for example.

In this environment, Procurement departments have a myriad of functions and need multidisciplinary profiles with the ability to adapt to different contexts.

Develop a close working relationship between Security and Procurement from the start

Buyers are required to negotiate contracts with parties such as software publishers, tech people and service providers that handle critical data or have access to corporate IT systems. Every buyer thus has to negotiate the conditions of these contracts, which can sometimes be extremely technical.

In some organizations, the prior verification process or “due diligence” is systematic and well designed. As soon as a bidding process is underway or a framework contract is under negotiation, a number of teams are called in to begin assessing the supplier(s) in question. In any case, Security teams must work closely with Purchasing teams, as they are real partners: Security provides detailed information on suppliers, and Purchasing provides an overall view of the agreements and the data access granted.

Write your own Security Schedule!

One of my favourite terms when it comes to discussing contractual terms related to security is the “Security Schedule” or “Security Appendix”:

  • this includes all of the security provisions that apply across your base of contracts.

The French government has published a number of sample clauses for ensuring IT security / cybersecurity in your contracts:

  • (French) Order of September 18, 2018 approving the simplified cybersecurity clause book for public contracts.

Similarly, the French National Agency for the Security of Information Systems (ANSSI) recommends that businesses should have an IT purchasing policy.

So how do you do this? It is helpful to have a single document stipulating the security standards and conditions that the provider must agree to and sign. Prepared with the assistance of legal teams, this binding document is annexed to the main contract.

MY ADVICE

If your business considers that the ISO 27001 best practices should apply for the performance of the contract (that is what I would recommend), you will need to specify the controls used to verify that such practices are in place.

  1. Highlight the standards on which your IT requirements are based.
  2. Outline critical points in a few targeted clauses, such as the reporting of security flaws, auditing rights and pentest reports.
  3. Set out a list of requirements for the main security issues: access, HR, supplier relations, incident management procedures, etc.

Your completed clause book should be no more than five pages long; this will ensure that it remains focused. It can however be shorter (or slightly longer) depending on the criticality of the service. Ask me for a template!

To be continued…