Stipulate Security Requirements in Your Contracts
Security and risk mitigation requirements must be included in an organization's contractual agreements with third-party vendors and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the organization's right to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should also include provisions governing the use of foreign-based service providers and should outline data governance and vendor subcontracting rules, he says.
"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."