InfoSec Clauses to be included in SLAs

[pentester]

Hello all! I did my search on google (did not put all my heart in it though) to find a suitable answer to the question: What informatoin security related points or clauses shall we include in an SLA?. I started by adding a right to conduct a vlnerability assessment on the target systems at least annually or whenever there is a major change in the solution.
Second to test applicable security patches on the underlying system components (including OS, other software, Databases) as recommended by the vendor.


What else can be added???

[ajohnson]

What's the scenario? It'd be best to consult with a lawyer, but you're going to want to look at hiring processes, internal audit (i.e. how frequently permissions are reviewed), access controls, controls over data stored and in-transit, physical security, SDLC, policies, security assessments, etc.

I'd be surprised if they let you do vulnerability assessments or penetration tests. I don't let any of our customers do that with our applications (high-level summary results are provided). However, I do allow them to conduct on-site audits and provide anything they ask for, within reason. You may want to see if you can perform an annual visit as well.

[pentester]

Sorry for being away for long---had been busy since my last post!!
So the scenario is; Company A (that’s me now ) bought a solution from Company B (company B a big giant of their market), the solution was bought a few years back when no one thought of security seriously (at least now few are thinking of it seriously ). The solution proved to be falling short (infact falling a long way -- short) of any security consideration in it (can you believe the vendor did not enable auditing and logging at the DB level ). And as expected a huge fraud waved the company A on the business dance floor. Company B has been a contractor for Support & Maintenance activities for the solution (a level 2 support contact). After the fraud, company B proposed a security solution (System hardening, application and DB level auditing and putting in a door to shut further frauds through that same channel) for $$$$$$, Now the question; “Can I include clauses in my contract or SLA with company B to force them to implement security controls in the solution? If Yes then how can I word them? If NO!!! Well how can I go about these situations ? Share your thoughts!!

[tturner]

Can you select another vendor that is already doing it the right way?

[ajohnson]

You absolutely need to consult with a lawyer. If you (or anyway) is interested, send me a PM, and I'll provide contact info for the lawyer that I use for my contract work.

Also, just because you include those terms in the original contract, don't expect them to willingly sign and agree to those terms. Their legal team will likely send a red-lined document back with those requirements removed. Then it's up to you to determine whether you still want to do business with them, or see if you can put additional pressure on them to get them to agree to those terms.

[pentester]

Many thanks dynamik for your input and advice!

Well my management does not want to go legal on this... dont know why, but a big NO! So now I am looking to get some standard clauses to be included in the SLA that will bind the application developers to release security patches/upgrades/updates for the period of support contract (I thought its by default like this  ). Any thing that I ask them to do they will say "its a new request and you need to route it via commercials" (for example I asked them to jail FTP users into their home directories---errr this is a new requirement ... and I am like what the  ).. Anyhow whats done is done! For the future I need some explicit clauses that will force them to patch/reconfigure a flawed software/OS/Databases etc. Why explicit? Because they are white collar bandits and my management is ------- just like others in the big world... so I need some textual statements that will literally force a bad system solution vendors to fix an error as part of their maintenance agreement that leads to a fraud or a security incident! By the way am I right in demanding this protection ??

[ajohnson]

It's definitely recommended to include security provisions in contracts. Unfortunately, it sounds like you're going to be on your own to figure out what those need to be for your organization. The only additional advice I can give you at this point is to keep your verbiage broad and high-level. It would be odd to see something as explicit as creating Jails in a contract. It would be better to say something along the lines of, "Access controls and security configurations properly isolate information and limit access to only the individuals and/or groups that require it."

[Haz3]

Another point of view:
An insecure, poorly designed product with proper patching and support is still insecure.  The basic fix is a secure development & testing process, the better fix is adoption if a security framework such as ISO27001.

Our contracts contain several security clauses including requiring the service to be pen tested at a risk based frequency by alternating members of a mutually approved panel of pen testing companies.  They organise the pen test - we get visibility of the reports and remedial actions (but it is a high risk, regulated industry).

Pen testing is only part of the answer.