If your business deals with British conglomerate Imperial Chemical Industries' data, you'll have to submit to regular third-party scans of your networks and be prepared to promptly fix any exploitable flaws.
"We have a very simple rule: If you have a new vulnerability that crops up, you see it at the same time as I do, and you take care of it," Paul Simmonds, ICI's global information security director, explains. "If the same vulnerability shows on the next week's scan, then I want to come and get you."
Such "agreements," sometimes referred to as security warranties or security service-level agreements (SLAs), are on the rise as enterprises realize growing risks in a legally complex and increasingly regulated, interconnected global economy. But their emergence also raises questions about the legality and enforceability of contracts that are still largely written ad hoc. And while the industry grapples to find common language and best practices to use in boilerplate agreements, the ICIs of the world are blazing new trails by penalizing business partners who fail to adequately maintain their own systems.
"They're probably at the front of that curve," Jonathan Gossels, founder and president of IT consultancy SystemsExperts, says of ICI's initiative. But a growing number of companies are demanding software development or service-provider agreements include security provisions, and that's changing the competitive landscape, particularly when it comes to outsourcing.
"Unless you're able in this climate to put these [security] practices in place from the ground up ... you're not going to be successful," says David Bixler, an information security officer for Mason, Ohio-based Siemens Business Services, which provides hosted IT services to such giants as Intel, MetLife and Kemper Insurance.
Defining "secure" is a major hurdle when negotiating security contracts, says Ounce Labs CEO Jack Danahy. "One of the challenges in the SLA space is creating a defined language through which one can enforce the security measures being placed on the outsourcer," he says.
At a minimum for outsourced software development or hosted services, experts say every contract should identify security as a key provision. In the case of code development, companies should have the right to review code and parties should agree that any bugs be corrected prior to delivery of the final product. And the contracting company should be allowed to terminate a business agreement if the outsourcer fails to meet its security obligations -- including assuming risks when using subcontractors, whether on the coding or hosting side.
Such terms may seem severe, especially when working with small companies or young development teams that lack large budgets. But that's the new cost of doing business, says Forrester Research analyst Michael Rasmussen.
"Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley and SB 1386," he says. "Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow."