pay careful attention to vendor information security practices
Data ownership
data ownership is a common issue
clearly convey data ownership in contracts and agreements
customer typically wants to retain uninhibited ownership of its information
limit the vendor’s rights to use the information to activities performed on behalf of, and with the knowledge and consent of, the customer
Secure deletion
contract should require that the vendor securely delete all customer information within an acceptable period of time after the relationship ends
Data sharing
include language in vendor agreements that prohibits the vendor from sharing customer information with third parties without explicit consent from the customer
Data protection
include data protection requirements in the contract
important if the vendor is the sole custodian of critical information from the customer
specify that the vendor is responsible for preserving the information
implement fault tolerance and backup procedures
may specify exact controls to use
Data escrow
data escrow places a copy of your org’s data with a neutral third party who protects the data
will release data to you if the vendor goes out of business or otherwise fails to meet obligations