Reviewing Security Audit Clauses

Oct 26, 2016

Without established security policies, it is harder to determine a company's risk level. When entering an agreement with a vendor, however, establishing security standards on paper is not by itself sufficient to protect customer or proprietary information. A security audit gives the company an agreed-upon mechanism to verify that the vendor is actually providing the security controls it promised.

A security audit consists of methods for evaluating the security of a company's information systems. These include on-site visits and staff interviews, review of access controls and user practices, and analysis of the network configuration and of information-handling procedures. Security audits are also carried out to determine a company's regulatory compliance.

Businesses should know which security requirements are appropriate and should specify the details of the security audit (for example, its scope and frequency) at the outset of the agreement. Generally, there are three ways to audit:

(1) The customer enters the vendor's physical premises and audits the controls directly;
(2) The vendor obtains a third-party attestation (for example, under SSAE 16) and provides it to the customer; or
(3) The vendor provides the customer with a signed self-attestation of compliance.

Information security audits measure the effectiveness of a company's security program. Periodic checks of how the vendor enforces its existing security policy are necessary, because shifting data to a vendor does not necessarily relieve a company of its own duty to ensure the security of that information. Consulting an attorney experienced in information security audit matters can help ensure that the company's agreements with vendors contain the most appropriate audit language.

Heliane Fabian