When buying information systems, one of the most important things is to write unambiguous and measurable information security requirements into the contract. The OWASP Application Security Verification Standard, for example, contains a good set of requirements that can be used as a basis. The contract must also always include the right to audit the system or service you have purchased.
If you are buying maintenance for an information system, or the service you are buying is SaaS-based, require the vendor to fix any security issues within a defined timeframe; for example, critical issues within a week, major issues within three weeks, and minor issues in the next version, all at no extra cost. In other cases, the supplier should at least be required to correct any problems identified during the warranty period. In both cases, also agree on contractual sanctions that apply if the requirements set out in the contract are not met.
The EU Data Protection Regulation must be taken into account when buying information systems. If the supplier is in the role of processor of personal data, the regulation requires the following to be clarified in the contract:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and groups of data subjects
- Duties and rights of the controller
When concluding an agreement, also agree on compensation obligations that take into account the risks posed by the EU Data Protection Regulation. These risks can be reduced by transferring liability to the supplier in the form of indemnities where possible. Also make sure that the data protection and security measures available are adequate for the data being processed.
Before putting an information system or service into use, audit it to verify that the requirements set out in the contract have been fulfilled as promised. After that, the security of the service must continue to be maintained on a regular basis, for example through audits on a pre-agreed schedule.