The minimum requirements for technology-outsourcing contracts will vary somewhat based on what services you are...
outsourcing, what data the outsourcer will have access to and what vertical your business is in. Not knowing what you do or what services you are outsourcing, it's hard to give you specific advice. However, a good place to start is the Payment Card Industry Data Security Standard (PCI DSS). While not perfect, PCI DSS provides a great baseline, and as such makes for a great set of minimum requirements.
Rather then just demand PCI DSS compliance, use it as the basis for your requirements and remove the items that are not relevant to your organization. For example, if you aren't outsourcing access to credit card data, you don't need to include provisions that are specific to credit card number encryption or transmission; or, if the outsourcer isn't providing applications to you, you can remove the verbiage around secure development.
Alternately you may want to add provisions. For example, if you are outsourcing access to Social Security numbers, you will want to change the language of PCI DSS to address SSNs.
For more information:
- Check out this Information Security magazine feature and learn more about enforcing a vendor risk assessment to avoid outsourcing security risks.
- Read more about the requirements for bein a PCI DSS-compliant service provider.
Dig Deeper on Enterprise Data Governance
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.