The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student at a school in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to force the MD5 (Message-Digest algorithm 5) digital fingerprint for an unrelated file to match that of a target file. He did this by appending junk data to the unrelated file. While this kind of “collision” is theoretically possible using almost any hash function, the possibility of intentionally forcing a collision by such modest computing means is disturbing. Other flaws have been identified since MD5 was first released in 1991 by Ron Rivest, including the potential to fake SSL certificate validity. This points out the continuing (and expected) trend that as our knowledge of cryptography increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever more rapid rate.

In light of the foregoing, it is important to highlight the need for language in vendor and business partner contracts that includes a “floating standard” for security measures. Specifically, agreements in which sensitive data will be shared with a vendor or business partner should include two categories of information security protections. The first category relates to “fixed” security standards and should include specific details about the baseline security requirements for the vendor or business partner (e.g., SSL in transmitting data over the Internet, a defined level of encryption for databases, no use of removable media, data scrubbing procedures, etc.). The second category relates to “floating” security requirements or standards. This language is typically worded along the lines of “physical and logical security measures consistent with then current industry best practices” or similar language. The idea is to supplement the fixed standards with any evolving standards during the term of the agreement.
In the case cited above, if MD5 was being used, the evolving standard may be to transition to a more secure hash function. The point is to ensure information security is not a static, but a dynamic, requirement in your vendor and business partner agreements.
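To make the "transition to a more secure hash function" concrete on the technical side, here is an added example (not from the article or from Marc Stevens' work) of what a hash-agile integrity check looks like: the approved algorithm list is the part that floats and can be revised under the contract, while the verification and re-baselining code stays the same. The manifest format (`<alg>:<hex>  <name>`), the policy sets, the sample file contents and the digests are all constructed for this illustration.

```python
import hashlib
import hmac

# Hypothetical integrity policy. The approved set is the part that "floats":
# it is revised when an algorithm is found wanting, without rewriting the
# verification code. MD5 and SHA-1 are listed only so that a manifest still
# using them fails with a clear reason rather than a generic error.
APPROVED = {"sha256", "sha384", "sha512"}
DEPRECATED = {"md5", "sha1"}


def verify_digest(data, algorithm, expected_hex):
    """Check `data` against `expected_hex` using `algorithm`.

    Returns (ok, reason). The algorithm name is checked against the policy
    before any hashing is done, so a deprecated name is refused even when
    the digest would have matched.
    """
    name = algorithm.lower()
    if name in DEPRECATED:
        return False, f"{name} is deprecated under current policy"
    if name not in APPROVED:
        return False, f"{name} is not an approved algorithm"
    actual = hashlib.new(name, data).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(actual, expected_hex.lower()):
        return False, "digest mismatch"
    return True, "ok"


def verify_manifest(manifest_text, files):
    """Verify every entry of a manifest of the form `<alg>:<hex>  <name>`.

    `files` maps file names to their bytes. Returns a dict of name -> (ok,
    reason) so a caller sees every failure, not just the first one.
    """
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, name = line.partition("  ")
        alg, _, digest = spec.partition(":")
        if name not in files:
            results[name] = (False, "file missing")
            continue
        results[name] = verify_digest(files[name], alg, digest)
    return results


def rebaseline(files, algorithm="sha256"):
    """Produce a fresh manifest for `files` using an approved algorithm.

    This is the mechanical part of moving to a stronger hash: recompute and
    republish the digests. It refuses to emit a manifest with an algorithm
    that is not on the approved list.
    """
    if algorithm not in APPROVED:
        raise ValueError(f"refusing to baseline with {algorithm}")
    lines = [f"# manifest regenerated with {algorithm}"]
    for name in sorted(files):
        digest = hashlib.new(algorithm, files[name]).hexdigest()
        lines.append(f"{algorithm}:{digest}  {name}")
    return "\n".join(lines)


# Constructed sample data: one small "file" plus a legacy manifest that still
# carries an MD5 entry and a current manifest that carries SHA-256.
SAMPLE_FILES = {"report.txt": b"abc"}
OLD_MANIFEST = """\
# legacy manifest
md5:900150983cd24fb0d6963f7d28e17f72  report.txt
"""
NEW_MANIFEST = """\
sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  report.txt
"""

if __name__ == "__main__":
    print(verify_manifest(OLD_MANIFEST, SAMPLE_FILES))  # md5 entry is refused
    print(verify_manifest(NEW_MANIFEST, SAMPLE_FILES))  # sha256 entry verifies
    print(rebaseline(SAMPLE_FILES))                     # regenerated manifest
```

The design point is that the policy check happens before hashing: a vendor deliverable that still ships MD5 digests is rejected with a reason that names the policy, and re-baselining is a one-line call once the contract's floating standard moves to a stronger algorithm.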