The outsourcing contract spells out security requirements and sets up regular audits and costly penalties for noncompliance.

With legal recourse limited in many countries, the contract with the provider becomes critically important for outlining security responsibilities and penalties for breaches. Leave plenty of time for negotiation, says Scott Sysol, director of infrastructure and security architecture for CNA. “It is a strenuous process with multilevel reviews inside both companies,” he says.

There are also certain levels of sanctions that can be built into the contract. “You need to get something in the contract that says if someone steals something, the contractor will take responsibility,” says Sysol. “We’ve built some [financial] sanctions into our contracts. But you can’t go overboard because the providers will walk away from the deal.”

Other contract recommendations:

Demand nondisclosure and noncompete agreements. With offshore providers growing so rapidly and turnover high (as high as 30 percent in some companies), it’s important to understand what your offshore vendor is doing with your intellectual property and to do what you can to keep people from taking information about you with them, says Vinnie Mirchandani, principal of consultancy Deal Architect.

Bring legal disputes to U.S. courts. Require that the offshore vendor agree to handle legal disputes in the United States.

Require insurance. Top offshore vendors have insurance to protect customers against losses caused by the vendor or its contractors, says Forrester Research.

Keep discussions private. Insist on a separate meeting room near the work area.

Look for certifications. Though they do not guarantee good performance, the Certified Information Systems Security Professional (CISSP) certification program and the Global Information Assurance Certification (GIAC) at least demonstrate that employees have had exposure to security issues and best practices.

-C.K.