Just as there is a life cycle for software development, there is a life cycle for contracting, and that cycle must be managed as well to assure information security for the organization. While contract management software vendors promote a variety of formal models, the typical phases include:
- vendor selection
- negotiation
- contract creation
- managing contract change
- compliance monitoring, and
- contract renewal or termination.
Information security has an important role to play in each of these phases, from vetting the security posture of the vendor and assessing the security of their product offerings to assisting with compliance monitoring. Many companies do a decent job at vendor selection and even create an excellent security addendum for their contracts. However, many companies fail to effectively monitor the vendor’s compliance with the contract in general and with the security addendum in particular. One of my mantras is “you must inspect what you expect.” Document in the security addendum how you will audit compliance, and then do it!