[unisog] unisog Digest, Vol 20, Issue 33

Cary, Kim Kim.Cary at pepperdine.edu
Wed Nov 30 15:36:23 GMT 2005


Hi Kathee,

Our colleagues at other Universities are requiring their 'outsourced' or ASP
type service partners to be contractually responsible for security &
confidentiality breaches. I'm thinking of touchnet, collegenet, that
outsourced alumni item and maybe more that I don't know about. Also, I'm
wondering whether the same kind of contract language could safeguard against
liability for breaches due to vendor access to systems or caused by
professional services from support partners.

I don't know if we're doing this, but we might benefit from the same type of
provisions in our contracts. Would the Security Committee be interested in
this type of safeguard?

Kim


On 11/30/05 4:00 AM, "unisog-request at lists.sans.org"
<unisog-request at lists.sans.org> wrote:

> Date: Tue, 29 Nov 2005 16:50:34 -0600
> From: Chris Green <cmgreen at uab.edu>
> Subject: Re: [unisog] Security standard compliance language in
> contracts
> To: Unisog <unisog at lists.sans.org>
> Message-ID: <BFB2375A.244B0%cmgreen at uab.edu>
> Content-Type: text/plain; charset="US-ASCII"
> 
> On 11/29/05 11:55 AM, "Mayne, Jim" <J.Mayne at tcu.edu> wrote:
> 
>> We are looking at using a firm to provide online W2's. If we were to work
>> with
>> this company does anyone have any suggested language to put in the contract
>> regarding compliance with security standards and if so for which standards?
>> 
> 
> Hit send when I meant to hit save as draft...
> 
> In our HIPAA business associate agreement, we say things like:
> 
> " Reporting of Unauthorized Use.  Business Associate will promptly report to
> Covered Entity any use or disclosure of the PHI not provided for in this
> Agreement upon becoming aware of it and any security incident of which it
> becomes aware; "
> 
> We don't call out a specific security standard (other than applicable law
> such as HIPAA) but there is lots of language to push the remediation onto
> the business associate.  We haven't found one general enough for us to adopt
> much less push it out upon others.
> 
> Push disclosures and threats onto them and have real penalties.  I don't
> know how much insurance has taken off for this world but you could require
> they be insured for X$ and let that be the insurance company's problem to
> enforce.
> 
> I'm sure your Legal Department will help craft the right risk mitigations.
> -- 
> Chris Green
> UAB Data Security, 5-0842
