Third Party Contracts Agreement Recommendations

An FRSecure Self-Help Document of Guidelines and Best Practices

Vendors and third parties have increasing access to our data, so it’s important that we understand the risks they pose to our organizations as we work with them. The contractual agreements we make with third parties are one way to control how vendors handle sensitive information, or at least to have a documented defense if something goes wrong on their end.

This guide is meant to be a starting point for your business. It outlines what you need to think about when creating contractual agreements with your vendors, and its recommendations can be molded and shaped into your own vendor-related policies and procedures.

This document will help you:

  • Understand what kinds of things vendors should agree to when working with your business
  • Find places where you can get more information about vendor risk management
  • Shape recommendations into actions and policies while logging the changes

Third-Party Contracts

Information Security Contractual Agreement Recommendations

The following topical areas should be considered for inclusion in third-party agreements to satisfy information security requirements:

  • A description of the information that will be provided or accessed, and the approved methods for accessing and transmitting that information;
  • The classification of the information according to the organization’s classification scheme. Consider mapping the organization’s classification scheme to the classification scheme of the third party;
  • Any legal and/or regulatory requirements related to the information;
  • The obligation of each contractual party to implement an agreed set of controls to manage the information, including access control, performance review, monitoring, reporting and auditing;
  • Rules of acceptable and unacceptable use of the information;
  • Information security policies and procedures;
  • Risk management requirements;
  • Incident management requirements and procedures (especially notification and collaboration during incident remediation);
  • Training and awareness requirements for specific procedures and information security requirements;
  • An explicit list of third-party personnel authorized to access or receive the organization’s information. If an explicit list is not feasible, documented procedures or conditions for granting, and for removing, authorization for third-party personnel to access or receive the organization’s information;
  • Relevant controls around sub-contracting;
  • Relevant agreement partners, including a contact person for information security issues;
  • Screening requirements for third-party personnel with access to the organization’s information, commensurate with the organization’s own screening program;
  • The right to audit the third party’s processes and controls related to the management of the organization’s information;
  • The third party’s obligation to comply with the organization’s security requirements;
  • Defect resolution and conflict resolution processes;
  • The third party’s obligation to periodically obtain an independent assessment or audit of the effectiveness of its controls, and agreement on the timely correction of relevant issues identified in the assessment or audit.

This is not an exhaustive list. Each organization should also consider its own information security policies, as well as its legal and regulatory requirements, when setting up agreements with third parties.

References

  • ISO 27002: 17
  • NIST CSF: ID.BE, PR.IP, RS.RP, RS.CO, RS.IM, RC.IM, RC.CO
  • FRSecure Information Classification and Handling Policy

Waivers

Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.