How to write technology outsourcing contracts

BROWSE BY TAG Security Management,   Enterprise Data Governance,   Enterprise Data Protection,   Information Security Management,   Enterprise Compliance Management Strategy,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Management How to prepare for a FERPA audit Why doesn't the CISSP cover information assurance and DIACAP? Data breach notification legislation: What info must be released? Risk management strategy for an information technology solution provider Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations The requirements for being a PCI DSS-compliant service provider The requirements needed to make an external penetration test legal How to create configuration management plans to install DLP Enterprise Data Governance How to protect distributed information flows Interpreting 'risk' in the Massachusetts data protection law Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Enterprise Compliance Management Strategy Financial impact of regulatory compliance Part 3: Marcus Ranum on the state of information security FTC Red Flags Rules: How to create an identity theft prevention plan Jon Moore: Build a Security Control Framework for Predictable Compliance Data protection tips for corporate compliance leaders Quiz: Automated compliance in the enterprise

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cut-and-paste attack  (SearchSecurity.com) data masking  (SearchSecurity.com) data splitting  (SearchSecurity.com) deperimeterization  (SearchSecurity.com) Google hacking  (SearchSecurity.com) masquerade  (SearchSecurity.com) snooping  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The minimum requirements for technology-outsourcing contracts will vary somewhat based on what services you are outsourcing, what data the outsourcer will have access to and what vertical your business is in. Not knowing what you do or what services you are outsourcing, it's hard to give you specific advice. However, a good place to start is the Payment Card Industry Data Security Standard (PCI DSS). While not perfect, PCI DSS provides a great baseline, and as such makes for a great set of minimum requirements.

Rather then just demand PCI DSS compliance, use it as the basis for your requirements and remove the items that are not relevant to your organization. For example, if you aren't outsourcing access to credit card data, you don't need to include provisions that are specific to credit card number encryption or transmission; or, if the outsourcer isn't providing applications to you, you can remove the verbiage around secure development.

Alternately you may want to add provisions. For example, if you are outsourcing access to Social Security numbers, you will want to change the language of PCI DSS to address SSNs.

For more information:

• Check out this Information Security magazine feature and learn more about enforcing a vendor risk assessment to avoid outsourcing security risks.
• Read more about the requirements for bein a PCI DSS-compliant service provider.