Organizations should develop security control requirements for information systems and incorporate performance standards relating to security features in their software licensing and development contracts. The standards should ensure software is consistent with an organization's overall security program. In developing security standards, organizations may wish to reference the methodology detailed in the IT Handbook's "Information Security Booklet." Organizations may also refer to other widely recognized industry standards.
Contracts should also address a vendor's ongoing responsibilities to protect the security and confidentiality of an organization's resources and data. The agreement should prohibit vendors and their contractors and agents from using or disclosing an organization's information except as necessary to provide contracted services. Further, organizations should seek a guaranty from vendors that software does not and will not contain any back doors or disabling devices that would permit unauthorized access to the application or any of the organization's systems or data. For mission-critical software, contracts and licenses should explicitly state that the vendor will not use software features that enable them to remotely disable software in the event of a dispute with the purchaser. Additionally, contracts and licenses should state that the organization may only be deprived of its software use through a court order.
Software development packages may include significant update, modification, training, operational, and support services that require a vendor's access to an organization's customer data. These aspects of the relationship trigger service provider requirements under the federal banking agencies' "Interagency Guidelines Establishing Standards for Safeguarding Customer Information" that implement Section 501(b) of the Gramm-Leach-Bliley Act. The guidelines expressly state that organizations shall require service providers by contract to implement appropriate measures designed to meet the security objectives of the guidelines.
Vendor Liability Limitations
Subcontracting and Multiple Vendor Relationships