Due Diligence and Ongoing Monitoring

  • 1.  Off Boarding Vendors

    Posted 09-11-2019 01:07 PM
    You see a great deal of information posted about onboarding new vendors but not much posted on offboarding vendors. Is there good information out there regarding offboarding? In particular, if there are contract clauses regarding the removal of "your information" from the vendor's systems, etc., how do you ensure that is done?

    Thanks,
    Charlotte


  • 2.  RE: Off Boarding Vendors

    Posted 09-11-2019 01:41 PM
    Contractually this is an important topic and it has gotten a little more difficult with the widespread adoption of cloud services, as your vendor may not physically possess or own the hard drives storing your data. Upon contract termination it's common to require a "certificate of destruction" and this is mentioned in financial regulations. I'll post exact references later today. You'll have to rely on your vendor's word that the data is destroyed or no longer accessible.

    Another challenge comes in with cloud services storage, as you cannot expect the vendor to physically destroy the hard drives your data may have touched throughout its life cycle. A solution to this is to ask for, or perform yourself, depending on the service, a process called cryptographic erasure. Essentially this is encrypting data at rest and throwing away the key.

    Here is a contractual statement that we see in many vendor contracts where data is shared: 
    "Return of Information.  Your Vendor will, at the request of the Client, during the Term or thereafter (a) promptly return all Confidential Information held or used by Your Vendor in whatever form, or (b) at the discretion of the Client, promptly destroy all such Confidential Information, including all copies thereof, and those portions of all documents that incorporate such Confidential Information and provide a certificate of destruction."

    Edit - 
    Section III.C.4 of 12 CFR Appendix B to Part 30 Interagency Guidelines Establishing Information Security Standards states: Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements of this paragraph III. Link to Regulation Text


    Edit 2 - Additional Common Contractual Statement
    "At Client's direction at any time during the term of the Agreement, and in any event upon termination or expiration of this Agreement, Your Vendor shall, and shall cause its representatives to, immediately delete Client’s Data and/or return to Client all Client Data and then (except in the event Client requests preservation) destroy and certify the destruction of any and all residual copies of Client Data."
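The cryptographic erasure described above, as an added example that is not part of the original post: a small Go model of a vendor-side store that keeps each client's records encrypted at rest (AES-256-GCM), where offboarding a client destroys only the key. The store, client ID and sample record are constructed for the example, and the in-memory key map stands in for a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store models a vendor-side data store that keeps each client's records encrypted
// at rest under a per-client DEK; the in-memory key map stands in for a KMS/HSM.
type Store struct {
	keys map[string][]byte // client ID -> data encryption key (DEK)
	data map[string][]byte // client ID -> nonce || AES-256-GCM ciphertext
}

func NewStore() *Store { return &Store{keys: map[string][]byte{}, data: map[string][]byte{}} }

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so this cannot fail
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}

// Put generates a fresh DEK for the client and persists only ciphertext.
func (s *Store) Put(client string, plaintext []byte) error {
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	s.keys[client] = key
	s.data[client] = gcm(key).Seal(nonce, nonce, plaintext, []byte(client))
	return nil
}

// Get decrypts the client's records; it fails once the DEK has been shredded.
func (s *Store) Get(client string) ([]byte, error) {
	key, ok := s.keys[client]
	if !ok {
		return nil, errors.New("DEK destroyed: data is cryptographically erased")
	}
	return gcm(key).Open(nil, s.data[client][:12], s.data[client][12:], []byte(client))
}

// Shred is the cryptographic erasure step: the ciphertext (and every backup copy of it) stays put, but without the DEK it can no longer be decrypted.
func (s *Store) Shred(client string) {
	clear(s.keys[client]) // best-effort zeroization of the key bytes before the key is dropped
	delete(s.keys, client)
}
```

The point for offboarding is that the vendor's backups and DR copies hold only ciphertext, so destroying the key is what makes the "certificate of destruction" meaningful.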


  • 3.  RE: Off Boarding Vendors

    Posted 09-12-2019 09:02 AM
    Technologically, due to backups and robust DR programs, erasure/destruction cannot be completely accomplished on your systems or your third parties' systems, or it is at least very rare. In addition to the data destruction clauses Arron provides as examples in his response, consider adding something like the following into your Confidentiality sections.

    "Notwithstanding the foregoing data destruction provisions, the Receiving Party shall not be obligated to return Confidential Information that is required for archival, regulatory, or audit purposes or contained in an archived computer system backup made in accordance with the Receiving Party's security or disaster recovery procedures provided that the Confidential Information so retained will remain subject to the terms and conditions of this Agreement until it is destroyed or deleted."


  • 4.  RE: Off Boarding Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 09-07-2021 12:47 PM

    Is anyone willing to share their document when they offboard a vendor? Currently we do not have a consistent template/document used by all vendor owners when they terminate or move on from a vendor.

    Thank you


  • 5.  RE: Off Boarding Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 09-07-2021 01:33 PM

    We are creating a questionnaire for offboarding vendors. If the vendor had access to our data, we are asking that they certify in writing that the data has been returned or destroyed.


  • 6.  RE: Off Boarding Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 09-07-2021 02:07 PM

    Our non-renewal/termination template letter contains the following.

    "Any data must be destroyed or returned to [us] within thirty (30) days of the termination date. A member of [our] Cyber Security Team will follow up on actionable items to ensure completion and request, if appropriate, applicable documentation."