procurement of software and information technology services
TRANSCRIPT
Procuring Software and Information Technology
The Legal and Business Issues Presented
The Computer Forensics Show
Hotel Pennsylvania, New York, NY
April 19, 2011
An Initial Risk Assessment: Security Risk Management Guidance

                          Impact
Probability      High (3)   Medium (2)   Low (1)
High (3)            9           6           3
Medium (2)          6           4           2
Low (1)             3           2           1

The Risk Matrix is a classification tool used to rate security risks based on impact and probability: each cell is the probability rating multiplied by the impact rating, giving a score from 1 to 9.
Cloud Legal Risks

Legal Risk Description               Probability   Impact   Risk Statement
Subpoena and E-Discovery             High          Medium   High
Risk From Changes of Jurisdiction    Very High     High     High
Data Protection Risks                High          High     High
Licensing Risk                       Medium        Medium   Medium
ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices
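A worked scoring example, added here and not part of the presentation or of the ENISA/CSA material it cites: it implements the 3x3 matrix above (impact and probability each rated High=3, Medium=2, Low=1; score = product), bands the 1..9 score into High/Medium/Low, and runs it over the Cloud Legal Risks register to check the computed band against the rating stated on the slide and to order the risks for treatment. The band thresholds (6-9 High, 3-4 Medium, 1-2 Low) and the clamping of "Very High" to High are assumptions of this example, since the slide's matrix has only three levels.

```python
"""Risk-matrix scoring over a cloud legal-risk register (added example)."""
from dataclasses import dataclass

# Ratings from the slide's 3x3 matrix.
RATING = {"Low": 1, "Medium": 2, "High": 3}

# Assumption: the ENISA-derived table uses "Very High" for one probability,
# which a three-level matrix cannot express; clamp it to High rather than
# invent a fourth level.
ALIASES = {"Very High": "High"}


def rating_value(label: str) -> int:
    """Map a textual rating to its numeric value, rejecting unknown labels."""
    label = ALIASES.get(label, label)
    try:
        return RATING[label]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected one of {sorted(RATING)}")


def risk_score(probability: str, impact: str) -> int:
    """Cell of the matrix: probability rating x impact rating, 1..9."""
    return rating_value(probability) * rating_value(impact)


def risk_band(score: int) -> str:
    """Assumption: band the 1..9 score as 6-9 High, 3-4 Medium, 1-2 Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RegisterEntry:
    name: str
    probability: str
    impact: str
    stated_risk: str  # overall rating as printed on the slide, for cross-checking

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.score)


# Register transcribed from the slide's Cloud Legal Risks table.
CLOUD_LEGAL_RISKS = [
    RegisterEntry("Subpoena and e-discovery", "High", "Medium", "High"),
    RegisterEntry("Risk from changes of jurisdiction", "Very High", "High", "High"),
    RegisterEntry("Data protection risks", "High", "High", "High"),
    RegisterEntry("Licensing risk", "Medium", "Medium", "Medium"),
]


def prioritised(register):
    """Entries sorted highest score first; ties keep the register's order."""
    return sorted(register, key=lambda e: -e.score)


def mismatches(register):
    """Names of entries whose computed band disagrees with the stated rating."""
    return [e.name for e in register if e.band != e.stated_risk]


def render(register) -> str:
    """Plain-text register, one line per risk, highest score first."""
    lines = [f"{'Risk':36} {'Prob':10} {'Impact':7} {'Score':5} Band"]
    for e in prioritised(register):
        lines.append(f"{e.name:36} {e.probability:10} {e.impact:7} {e.score:5} {e.band}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CLOUD_LEGAL_RISKS))
    print("band mismatches:", mismatches(CLOUD_LEGAL_RISKS) or "none")
```

With the assumed thresholds every computed band agrees with the slide, which is the check worth automating when a register is maintained over time: a row whose stated rating drifts away from its probability and impact inputs is the one to re-examine.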
Key legal questions the customer should ask the cloud provider
ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices
• In what country is the cloud provider located?
• Is the cloud provider’s infrastructure located in the same country or in different countries?
• Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
• Where will the data be physically located?
• Will jurisdiction over the contract terms and over the data be divided?
• Will any of the cloud provider’s services be subcontracted out?
• Will any of the cloud provider’s services be outsourced?
• How will the data provided by the customer and the customer’s customers be collected, processed and transferred?
• What happens to the data sent to the cloud provider upon termination of the contract?
Key Legal Recommendations for Cloud Computing
ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices
• Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.
• Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.
• Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.
• Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.
• Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.
• Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.
• As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.
• Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.
• The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.
• The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.
• The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.
The Selection Process
• Stakeholders
• Using Risk Assessment
• Establishing a Governance Process at the Outset

[Figure: IT Governance Domains / Focus Areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
Selection Process
• Requests for Proposal
  – Establishing technical requirements
  – Establishing security requirements: gap analysis between vendor policies and customer requirements
  – Requesting comments on contract terms during RFP process
• Upgrading Vendor’s Security Policies
Products and Services
• Pricing
  – MFN provisions, pass-throughs of cost savings
• Change Control
  – How are disagreements about change requirements managed?
• Acceptance/Rejection
• Service Levels
Intellectual Property Rights
• Will any new intellectual property be created? If so, who will own it? What rights will the non-owner retain?
• Will licenses survive termination?
Representations and Warranties
Sophisticated customers will require a number of representations and warranties, and also require indemnification if they are breached:
• Ownership of all IP rights;
• Compliance with all applicable law;
• Employees with appropriate skills and background;
• Systems are secure and properly maintained;
• Industry standard disaster recovery and back-up measures are in place;
• Data is not stored or maintained in a manner other than described to customer.
Liability and Remedies
• Scope of possible injuries for which vendor may be liable
• Monetary Limits
• Indemnification
• Service Level Credits
• Repair/Replacement
Governance and Dispute Resolution
• Relationship Governance
  – Designated project managers and key employees
• Escalation clauses
• Arbitration vs. Court
• Fast track arbitration mechanisms
• Continuing payments and work during disputes
Term and Termination
• Typical duration of a contract
  – Vendors will rarely want contracts that extend more than 3-4 years.
• Termination for cause
• Right of customer to terminate for convenience
  – Often means termination fees.
• Exit Assistance
  – Demand the creation of a plan at the outset that provides for transfer of data, equipment, and knowledge.
  – May be the most important item for customer’s leverage; it is important that vendor know customer can end the agreement without too much pain.
• Escrow Provisions/Step-In
  – This is customer’s best protection in the event of a bankruptcy or major failure, but it requires a commitment to make sure escrow is maintained and can be used by customer.
  – It is also important to avoid the potential to get “gummed up” by arbitration over whether it is properly triggered.
Appendices
• Appendix A: Identifying Constituencies and What Matters to Them
• Appendix B: Governmental, Regulatory, and Privacy Touch Points
• Appendix C: What Do We Examine When Assessing ‘Security?’
Appendix A: Identifying Constituencies and What Matters to Them

Constituencies                         What They Care About
I.T. Department                        Delivering good service. Jobs and budgets. Technical success and efficiency. Security.
Company                                Perform core business functions with maximum profit and long-term stability and value. Usually NOT I.T.
Company’s Customers                    Getting service: better, faster, cheaper. Often NOT I.T.
Company’s Customers’ Customers         Effectiveness. Results. Avoidance of delay, loss or other pain. Removed from immediate tactical goals of Company’s IT department. NOT Company’s IT problems.
Regulatory Bodies / Government         Compliance. Privacy. Protection of network and shared resources and the “commons”, including security. Enforcement of non-I.T. laws.
Company’s Employees                    Support and resource. Keeping jobs and looking good. Privacy.
Risk Management group within Company   No losses, no lawsuits, no increase in compliance costs, no insurance claims.
Company’s Owners                       Short- and mid-term profits and long-term value.
Company’s Management                   Employment and compensation. Company performance. Usually I.T. as a means, not end.
Appendix B: Governmental and Regulatory Touch Points

Rule or Scheme                                              Implications for Cloud, Outsourcing and Enterprise Software and Systems
Sarbanes-Oxley (“SOX”)                                      Section 404: evaluation and assessment of internal controls of public companies. Includes record keeping and, thus, I.T. issues. Also Section 302 disclosure controls and other parts.
Cloud Security Alliance (“CSA”) Statement of Best Practices Extensive output on security and GRC (Governance, Risk Management and Compliance) work.
Cloud Audit                                                 Some objective assessment of certain features of an enterprise’s cloud interfaces. Best known is A6 (Automated Audit, Assertion, Assessment, and Assurance API).
SAS 70: Statement on Auditing Standards from the AICPA      Report to the effect of “In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization’s policies and procedures that had been placed in operation as of __________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily. . . .”
Payment Card Industry Data Security Standard (PCI DSS)      PCI Security Standards Council. Transactional security and payment industry issues.
Red Flag Rules                                              FTC: applies to financial institutions and related “covered persons”; focused on identity theft. Can apply to creditors who may not consider themselves financial institutions; some cut-backs in scope in December 2010.
STATES                                                      Almost all states have laws requiring disclosure of suspected privacy or security breaches.
Lawyer Rules                                                Bar and court restrictions on outsourcing.
(rule name not given in source)                             Multiple requirements relating to patient confidentiality and files.
Forensics, e-Discovery and other court and trial related rules   e-Discovery. Record-keeping. Operation of trial. Requirements for access to old files and emails.
FISMA (Federal Information Security Management Act of 2002) Important. Establishes: a “framework for managing information security that must be followed for all information systems used or operated by a federal government agency or by a contractor or other organization on behalf of a federal agency. This framework is further defined by the standards and guidelines developed by NIST.”
Appendix B (continued): Privacy Law Touch Points

Rule or Scheme                                         Implications for Cloud, Outsourcing and Enterprise Software and Systems
Gramm-Leach-Bliley                                     Requires financial institutions to provide consumers privacy notices explaining the institutions’ information-sharing practices.
HIPAA (Health Insurance Portability and Accountability Act)   Practices and rules for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Significant privacy elements.
FERPA (Family Educational Rights and Privacy Act)      Protects the privacy of students’ education records.
COPPA (Children’s Online Privacy Protection Act)       Rules for the online collection of personal information from children under 13.
European Privacy Directive                             Rules relating to the confidentiality of electronic data and the notification of regulatory authorities and subscribers for data security breaches.
Other international regimes                            Rules and regulations relating to privacy.
Appendix C: What We Examine When Assessing “Security”
NIST SP 800-53 defines the security controls required by FISMA (as summarized by SecureIT at: www.secureit.com/resources/WP_FISMA_and_SAS_70.pdf):
- Risk Assessment
- Personnel Security
- Awareness and Training
- Certification and Accreditation
- Configuration Management
- System and Information Integrity
- System Services and Acquisition
- Physical and Environmental Protection
- System Protection
- Security Planning
- Media Protection
- Incident Response
- Maintenance
- Contingency Planning
- Access Control
- Identification and Authentication
- Accountability and Audit
- Communications Protection
Presenters
Howard Wettan, White & Case, [email protected], (650) 213 0354
Peter Laberee, Laberee Law, [email protected], (609) 654 0003
Michael Atkins, Managing [email protected], (540) 349 8888
Brian Peister, President, iSecure, [email protected], (201) 240-9819