Reviewing Contracts in Software

Painting USS Code 39 in Software Reviewing Contracts

The IS auditor who is examining IT governance needs to examine the service agreements between the organization and its key IT-related suppliers Contracts should contain several items: Service levels Contracts should contain a section on acceptable service levels and the process followed when service interruptions occur Service outages should include an escalation path so that management can obtain information from appropriate levels of the supplier s management team Quality levels Contracts should contain specifications on the quality of goods or services delivered, as well as remedies when quality standards are not met Right to audit Contracts should include a right-to-audit clause that permits the organization to examine the supplier s premises and records upon reasonable notice Third-party audits Contracts should include provisions that require the supplier to undergo appropriate and regular audits Audit reports from these audits should be available upon request, including remediation plans for any significant findings found in the audit reports Conformance to security policies Suppliers should be required to provide goods or services that can meet the organization s security policies For instance, if the organization s security policy requires specific password-quality standards, then the goods or services from suppliers should be able to meet those standards Protection and use of sensitive information Contracts should include detailed statements that describe how the organization s sensitive information will be protected and used This is primarily relevant in an online, SaaS

(Software as a Service), or ASP (application service provider) model where some of the organization s data will reside on systems or networks that are under the control of a supplier The contract should include details that describe how the supplier tests its controls to ensure that they are still effective Third-party audits of these controls may also be warranted, depending upon the sensitivity of the information in question Conformance to laws and regulations Contracts should require that the supplier conform to all relevant laws and regulations This should include laws and regulations that the organization itself is required to conform to; in other words, compliance with laws and regulations should flow to and include suppliers For example, if a health-care organization is required to comply with HIPAA (Health Insurance Portability and Accountability Act, a US law that requires specific protections of patient health-care information when in electronic form), any suppliers that store or manage the organization s health-care-related information must be required to also be in compliance with HIPAA regulations Incident notification Contracts should contain specific language that describes how incidents are handled and how the organization is notified of incidents This includes not only service changes and interruptions, but also security incidents The supplier should be required to notify the organization within a specific period, and also provide periodic updates as needed Source code escrow If the supplier is a software organization that uses proprietary software as a means for providing services, the supplier should be required to regularly deposit its software source code into a software escrow A software escrow firm is a third-party organization that will place software into a vault, and release it to customer organizations in the event of the failure of the supplier s business Liabilities Contracts should clearly state which parties are liable for which actions and activities They should further specify the remedies taken should any party fail to perform adequately Termination terms Contracts should contain reasonable provisions that describe the actions taken if the business relationship is terminated NOTE While the IS auditor may not be required to understand the nuances of legal contracts, the auditor should look for these sections in contracts with key suppliers The IS auditor should also look for other contractual provisions in supplier contracts that are specific to any unique or highly critical needs that are provided by a supplier