The minimum requirements for technology-outsourcing contracts will vary somewhat based on what services you are outsourcing, what data the outsourcer will have access to and what vertical your business is in. Not knowing what you do or what services you are outsourcing, it's hard to give you specific advice. However, a good place to start is the Payment Card Industry Data Security Standard (PCI DSS). While not perfect, PCI DSS provides a great baseline, and as such makes for a great set of minimum requirements.
Rather than just demand PCI DSS compliance, use it as the basis for your requirements and remove the items that are not relevant to your organization. For example, if you aren't outsourcing access to credit card data, you don't need to include provisions that are specific to credit card number encryption or transmission; or, if the outsourcer isn't providing applications to you, you can remove the verbiage around secure development.
Alternatively, you may want to add provisions. For example, if you are outsourcing access to Social Security numbers, you will want to change the language of PCI DSS to address SSNs.
For more information:
- Check out this Information Security magazine feature and learn more about enforcing a vendor risk assessment to avoid outsourcing security risks.
- Read more about the requirements for being a PCI DSS-compliant service provider.
This was first published in June 2009