My company has contracted with a vendor to install,
configure, and maintain an off-the-shelf project
management system for use on a project that will last
3 years. The vendor is responsible for
implementation and overall day-to-day administration
of the application level security for the system to
restrict access to modules and documents users
can view or edit. Users of the system include outside
contractors. The application is installed on our
company servers, and we control network access
rights to the system. At the end of the project, the
vendor will hand over the system as well as the data
to our company. I have reviewed the contract that we
have with the vendor and found that it does not
specify any computer security related requirements
that the vendor must follow to protect the
confidentiality, integrity, and availability of the data
from unauthorized use. Since the vendor’s IT staff
has overall access to the system, I am concerned that
they might not use our data appropriately. Because
the system runs on our network, I am also concerned
that users of the system may inappropriately use our
network or, worse yet, compromise the security of
other sensitive company systems. Off the top of my
head, those are my concerns. Can anyone think of
any additional concerns? Are there links or
resources that give samples of contract terms and
conditions that relate to computer security and
protection of data confidentiality, integrity, and
availability? Should the contract include a “Right to
audit” clause, disclosure agreement on proprietary
information, appropriate use guidelines for accessing
our company network, and penalties for
non-compliance? Sorry for being so long-winded. I hope
someone could point me in the right direction. Thanks