Don’t forget to include a review of your contracts with vendors when reviewing your own security compliance. Here is the short version of my checklist for vendor contracts:
- Confidential Information – How can the vendor use confidential information?
- Safeguarding Information – Do you require the vendor to meet specific standards, have specific controls, keep data within the borders of the U.S.?
- Oversight – Who audits the vendor, and when?
- Data Breach Procedures – Must the vendor notify you of a breach, and how quickly?
- Compelled Disclosures – Must the vendor notify you of subpoenas and similar demands in time for you to mount a legal response?
- Termination Procedures – What do they do with information when the contract ends?
- Subcontractors – Are subcontractors of the vendor required to meet the same standards?
- Employee Training – Are the vendor's employees required to receive security training?
- Insurance and Indemnity requirements
- Definitions – Do the contract's definitions match your requirements? For example, does the contract's definition of "breach" match the one in your insurance policy?