Contract Management

  • 1.  Information Security Contract Details for Supply Chain Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 10-19-2021 08:59 AM

    Hello, how does everyone handle inserting Information Security terms into their Supply Chain contracts? An example would be a transportation vendor who only has details about the order they are moving from one location to another. Would you require any terms for Information Security, or count solely on the Confidentiality terms of the agreement?


  • 2.  RE: Information Security Contract Details for Supply Chain Vendors

    Posted 10-20-2021 12:28 PM
    While conducting a supplier risk assessment, I determine what type of information is being shared and how it is being shared, and then utilize the appropriate data security language section as prepared by our attorney for that specific purpose.

    If there is no data being transmitted or stored, then we just rely on the confidentiality language of the contract.

    If there is some corporate data being transmitted or stored (not NPPII), then we utilize a short data security section similar to this:
    • Supplier represents and warrants that it has (and shall maintain throughout the term of this engagement) written information security programs, policies and procedures that include physical, technical, and administrative controls and measures designed to protect any systems on which Supplier collects, accesses, maintains, uses, shares, disseminates, or disposes of Customer Information from loss, misuse, unauthorized access, acquisition, or alteration.  The information security program will include policies and procedures to address, at a minimum:  governance and periodic assessment of program, access control (including multifactor authentication), data handling (including encryption), incident management (including notification within 24 hours of suspected unauthorized access, use or disclosure of Customer's information), business continuity and disaster recovery, system security (including firewalls, antivirus, monitoring and penetration testing) and data retention. At the request of Customer, Supplier will complete a Cyber Security Questionnaire or provide other adequate documentation that Customer may request to validate the status of Supplier's data security and BCDR environment.

    If the supplier will transmit NPPII of our employees or customers, then we use much more detailed data security language, which includes the following sections: specific requirements related to the Information Security plan, handling of Subcontractors who have access to data, Data Retention and return of data, breach notification procedures, and inspection and audit rights.