Centralized management of contracts is a requirement for successful TPRM. At most companies, the Infosec team will need to review any contract for a vendor that will access customer or employee personal data. ("Customer" here means whatever type of organization or person your company serves, e.g. patient, consumer, small business, etc.) There are very specific privacy provisions governing the handling of sensitive data, so it is imperative that your Legal department review any contract that deals with this type of data. While it is fine for the budget to be approved by a business owner, the decision to sign the contract needs to be made by Legal, Security and Procurement working in concert to ensure all compliance regulations are followed.
Kate Wakefield CISSP, CIPT, MPA
Sr. Manager Security Compliance