Fundamental Information Security Controls for Third Parties

During contract negotiations with vendors, when there is an information technology component to the contract, particularly a “Cloud” or “Software-as-a-Service” component, we must consider how we protect the College in the event of a breach or other misuse of those technology components. Below are the fundamental controls that need to be covered. On the following page is an information security addendum that we should negotiate to be added to  contracts that include an information technology component, particularly services that deal with data classified as “Protected” or “Sensitive” per the College’s data classification policy.


  • Make sure the organization implements appropriate physical and technical safeguards that are in line with accepted industry standards (ISO 27001/2, NIST 800-53, COBIT, CIS Critical Security Controls)

  • Know what access rights the provider has, and who owns what data.

  • Understand what data is encrypted, when it is encrypted, and who manages the encryption keys.

    • Is data encrypted both in transit and at rest?

    • Do we, the customer manage the keys, or does the provider manage the keys?

  • Under what circumstances are data released to third-parties?

    • Protected & Sensitive Data: None unless required by law.

  • Make sure you have contractual support for a data breach and forensics investigations.

  • Make sure the limits on the contractual support are appropriate for the perceived cost of an incident. A data breach can cost $50 USD per person affected.

  • Know where the data is being stored. Insist on the data being stored in a geolocation that is acceptable:

    • Protected Data & Sensitive Data: Insist on USA.

  • Know that you can periodically retrieve the complete data set for disaster recovery / sudden business closure - companies in the cloud can disappear:

    • Annual / Quarterly Data Extract

  • Know if your data is in a shared location of isolated from other customers.

  • Know how your data is destroyed when:

    • It is no longer needed in the system.

    • The contract is terminated

  • Obtain a right to audit in the event of a data breach, or substantial information security incident if possible, and based on the data set.

    • Protected Data: Insist on it.

    • Sensitive Data: Attempt it.

  • Make sure the vendor is in compliance with relevant laws and regulations (and agrees to maintain compliance contractually):

    • Credit Cards

      • PCI-DSS (Obtain Attestation of Compliance (AOC))

      • MA 201-CMR-17

    • Social Security Numbers, Bank Account Numbers, Driver's License Numbers, Financial Account Numbers

      • MA 201-CMR-17


Contract Addendum


You can read the College's information security contract addendum on Google Drive here.