Sorry for being away for long---had been busy since my last post!!
So the scenario is; Company A (that’s me now ) bought a solution from Company B (company B a big giant of their market), the solution was bought a few years back when no one thought of security seriously (at least now few are thinking of it seriously
). The solution proved to be falling short (infact falling a long way -- short) of any security consideration in it (can you believe the vendor did not enable auditing and logging at the DB level
). And as expected a huge fraud waved the company A on the business dance floor. Company B has been a contractor for Support & Maintenance activities for the solution (a level 2 support contact). After the fraud, company B proposed a security solution (System hardening, application and DB level auditing and putting in a door to shut further frauds through that same channel) for $$$$$$, Now the question; “Can I include clauses in my contract or SLA with company B to force them to implement security controls in the solution? If Yes then how can I word them? If NO!!! Well how can I go about these situations ? Share your thoughts!!