Pre-Contract: Contract Clauses Flashcards
Contract Clauses
-Framework leads to the Standards that lead to the Cyber Security Terms & Conditions (T&C)
-Need a framework to build off of: NIST CSF, ISO 27001
-Standard internal document
-Risk-based approach
-Critical Controls
-Which one doesn’t look like the other…(Due Diligence Questionnaire and Cyber T&Cs)?
Contract Clauses:
Critical Controls
-Identify critical controls
-Vary by organization, but generally: MFA for privileged access, having a security program, encryption, software development lifecycle.
-List of critical controls should be small
-These are die-on-the-hill controls.
E.g. Microsoft: they will give you their info and you may want to focus on critical controls.
-Look at the answers in the due diligence questionnaires vs the terms and conditions; see if anything has been changed or if the answers are the same.
-Compare and contrast where they're answering differently in one document vs the other.
-The terms and conditions are compared by the lawyers, so most likely that document is the most accurate; that way you get a decision before the contract is signed.
Contract Clauses:
How do you identify Critical Controls?
What controls do they need to have in place before you start sending them data?
-These need to be in the master service agreement, not the SOW, because SOWs are temporary.
-You need the security control addendum in the master service agreement.
-In order for you to do your job you need other clauses
-Right to audit and right to review in the security addendum
-Right means that from time to time we will do a security questionnaire, an on-site review, ask for evidence, and require a response in a specific amount of time.
Noncompliance Triggers
-If they're not keeping cadence in remediating findings, or have no proper controls in place
-You've done an assessment, there are some findings, you do a more in-depth review (maybe on-site), it looks bad and they're not remediating; then you can withhold money.
-If they still aren't doing anything about it, then you remove the data from their environment and put it in yours, or terminate the contract.