Hello all! I did my search on google (did not put all my heart in it though) to find a suitable answer to the question: What informatoin security related points or clauses shall we include in an SLA?. I started by adding a right to conduct a vlnerability assessment on the target systems at least annually or whenever there is a major change in the solution.
Second to test applicable security patches on the underlying system components (including OS, other software, Databases) as recommended by the vendor.


What else can be added???

Sorry for being away for long---had been busy since my last post!!
So the scenario is; Company A (that’s me now ) bought a solution from Company B (company B a big giant of their market), the solution was bought a few years back when no one thought of security seriously (at least now few are thinking of it seriously ). The solution proved to be falling short (infact falling a long way -- short) of any security consideration in it (can you believe the vendor did not enable auditing and logging at the DB level ). And as expected a huge fraud waved the company A on the business dance floor. Company B has been a contractor for Support & Maintenance activities for the solution (a level 2 support contact). After the fraud, company B proposed a security solution (System hardening, application and DB level auditing and putting in a door to shut further frauds through that same channel) for $$$$$$, Now the question; “Can I include clauses in my contract or SLA with company B to force them to implement security controls in the solution? If Yes then how can I word them? If NO!!! Well how can I go about these situations ? Share your thoughts!!

You absolutely need to consult with a lawyer. If you (or anyway) is interested, send me a PM, and I'll provide contact info for the lawyer that I use for my contract work.

Also, just because you include those terms in the original contract, don't expect them to willingly sign and agree to those terms. Their legal team will likely send a red-lined document back with those requirements removed. Then it's up to you to determine whether you still want to do business with them, or see if you can put additional pressure on them to get them to agree to those terms.

It's definitely recommended to include security provisions in contracts. Unfortunately, it sounds like you're going to be on your own to figure out what those need to be for your organization. The only additional advice I can give you at this point is to keep your verbiage broad and high-level. It would be odd to see something as explicit as creating Jails in a contract. It would be better to say something along the lines of, "Access controls and security configurations properly isolate information and limit access to only the individuals and/or groups that require it."