
Not that anyone asked, but I have to use the handheld mic because if I use a lav mic my beard gets all up in it and makes noises. And every audio guy I've ever worked with said, "Oh, we'll just clip it onto your beard." No, we're not doing that, thank you.

[Applause]

Nathan, this story starts in 2004. Just getting started in the security industry, blue teamer, working as an analyst. I've just found a breach, working as a SOC analyst. My stomach is in knots, I want to throw up, sweating a little bit, because that breach started an hour ago. Didn't really like that feeling. Worked hard, became a better analyst, got pretty good at that job.

Ten years later, similar situation: feeling sick, sweaty palms. I've got a vendor that's not delivering on a contract. Doesn't feel too good. I'm about to walk into my boss's office and tell them I've got a problem. This talk is so you don't end up in that spot.

I am not Spartacus. Spartacus is the handsome fellow in that photo. I have spent 20 years in information security; I've pretty much done every job there is in information security at this point. These days I focus a lot on governance, and governance touches contracts. I review about 60 contracts a year. It just so happens that the nature of the organization I work for, we've got a lot of different lines of business, a lot of contracts come through, and I'm looking at a lot of them. I love hiking, animals obviously, and I spend a lot of time volunteering with Scouting America. I'm actually taking 40 youth to summer camp in three days, so good luck to me on that. That's slightly more scary than this.

So, a talk on legalese: we're of course going to have some legalese to start. Information provided here is not, and is not intended to constitute, legal advice. Instead, all information is for general informational purposes only. I am a stakeholder, not an attorney. I am here representing security's voice at the table. If you hear something that sounds like a good idea, you should talk to your company's lawyer about it. I am not speaking as a representative of my employer; these are only my opinions. Anything that sounds smart in this presentation is due to the very smart lawyers and co-workers that I've worked with over the years. Anything stupid you hear in this presentation is all me. And all legal clauses that we're going to see today, we're going to be looking at some legalese, are examples; most are pulled from publicly available contracts on the internet. Again, talk to your counsel about what works for your organization.

So if we want to get involved with legal, the first thing we need to do is get a seat at the table, and the three key steps here are starting a relationship with them, reaching out, and leading with value. If you want to get involved in your organization's contracting, you absolutely need to show up with value. If you show up with nothing, they're going to tell you to take a hike. Number two, you need to learn the language. We're going to talk about some of the most important language you're going to need to look for as we go through the talk today. And finally, you need to build trust with legal, and don't waste crises. If something goes wrong from a contracting perspective in your organization, use it to make your standard terms better. Don't waste that; use that as leverage to move the peanut forward.

So when we're building that relationship, rule number one is be humble. I'm guessing most folks here have had the situation where someone comes up to you and tells you, "I've found a major security issue in our environment and we need to fix it right now. Don't worry about change control, let's do it," and you look at that person a certain way. Legal is looking at you the same way when you first start this relationship. You are not the expert in this situation. You have not gone to law school. You have not taken the LSAT. Be humble when you show up. Understand that you're not the expert, and be ready to make suggestions but also accept no for an answer.

Rule number two: do no harm. Contracting is one of the slowest activities your organization does. Lawyers work on lawyers' timetables; they do not work on your timetable. This stuff takes time. There's negotiation; you're waiting for lawyers on both sides of the party. We need to make sure we don't slow that process down any further. That means very much so not being the department of no. As we work through this, you need to have a good sense of risk, understand where you can accept risk in contracts, and you need to make sure you are allowing the business to get the services it needs.

Finally, start at home. Don't walk into legal and say, "I want to review every single contract that comes through the organization that touches IT." They're going to say no. Start with your own security services contracts. Find places where you can add value there and make the suggestion, "Hey, we should have this language on all of our contracts." You are more of a stakeholder on your own department's contracts, you have more leverage to get it in, and if the lawyer thinks it's smart, you're going to be able to add it to your standard
terms.

So let's start by talking about the anatomy of a contract. If you have ever done an application security review, if you have ever audited a firewall rule set, if you have ever done any type of threat modeling, you've got the right skill set to read a contract. It is the exact same thing, where we're going through line by line and asking ourselves, what is the worst thing that could happen with this particular line?

So one of the first things you're going to find in every contract is something called defined terms. They're just definitions. The important thing you need to know here is, if we look at the very first two words up there, "Security Incident," those are capitalized. Defined terms in a contract are going to start with capitals; real easy way to identify them as you're reading through. Security Incident may not mean what you think it means when you first read through the contract. You need to read through what the definition is and what's included in it. So here we've got some legalese: "A Security Incident shall mean attempted or successful unauthorized access to an information system storing Customer Data. Does not include minor incidents that occur on a daily basis such as scans, pings, unsuccessful random attempts to penetrate computer networks or servers maintained by the Business Associate." So reading that, that looks pretty reasonable for security incident, but we can do better, and this is one of the places you can add value. Your lawyer is going to read this and say, "Hey, this looks pretty standard for the industry." As a security professional you're going to read that and you're going to say, you know what, this environment gets popped by a Golden Ticket attack, that may not touch any systems that are housing my data, but I absolutely want to know if one of my vendors suffers a Golden Ticket attack. If their Okta instance gets breached but none of my data gets touched, those are all things I want to know about. So, and you're going to see this convention as we go through this, I'm going to highlight things I'd like you to keep an eye on in red: "or an information system providing a critical security control for Customer Data." All right, we've just expanded the definition of Security Incident, and when we talk about breach notification this will get pulled in, and we hear about more of what we need to know to keep our assets safe.

The next thing we're going to be looking at as we walk through a contract are our obligations, your obligations. A common one that I see in almost every SaaS contract is responsibility for users: "You are responsible for any activities that occur under your account and any use of the Service by any User, your employees or any third party to whom you facilitate or permit access to the Services, and all liabilities or other consequences arising, as if they were your own acts." Sounds pretty reasonable at first glance, but take a look at that. How does that go wrong? Under this language, am I responsible if they've got a bug in their authentication protocol and someone does something under one of my organization's accounts? Yeah, I am. So: "except through any failure of authentication functions in the Services." Again, we just closed a big hole where we'd be responsible for someone else getting hacked. We don't control their security processes, but under the contract we would have been liable for that activity. This is a place where having a security engineer or security professional reading the contract adds value and increases the strength of your agreement.

As we're reading through our contracts, we also want to read through their obligations, the supplier obligations, and these are generally grouped in three buckets: deliverables, indemnities and warranties, all slightly different. Deliverables are probably the one that we're all most familiar with: what am I paying for, what am I going to get? Deliverables are also the area of the contract that, when you're reading it, you should absolutely spend the most time thinking about. Much like breaches, it's an infrequent event that you're going to get litigious with a contract. It's an unlikely event; most of the time you're going to negotiate through it with your supplier and it's not going to go to the courts. So focus on your deliverables. What do I want? When do I want it by? Who needs to be working on this? At what point does delay become unacceptable? We've all been through projects where things go sideways; we've all been through terrible implementations. You want to draw on your knowledge of that and make sure everything in your deliverable spells out that that's not going to happen again. Think about the worst implementation you've had and write language that says we're not going to have that when we do this one.

Indemnities are a guarantee that you're getting from your vendor, and they're a special type of guarantee. Indemnities are a type of guarantee where we agree up front that if you break any of the terms in this section, it's a material breach of the contract, and we're going to agree beforehand what the supplier is going to pay or do or credit in order to rectify that. There's no "hey, I think this is an issue." Indemnity says, all right, this happened, it's in the contract, you need to start paying. Number one thing we need to look at with that is IP infringement. You guys may remember SCO Linux suing everyone that was using Linux, if you're old enough; that's actually an old guy thing at this point. We don't want a similar situation for our own organization. We want to be in a position where, when we are negotiating a contract, we know that if the vendor puts some code they aren't licensed for in their software, in their product, and we get sued because they put it in there, they're going to pay for the defense. We don't have to pay for the attorneys, they're going to take care of the court fees, they're going to settle it, we don't have to spend a dime. Your lawyers probably already have this in there; if they don't, talk to them about it.

Warranties are similar to indemnities. With warranties, though, you have to prove (a) that it was breached and (b) that there were damages. So in an indemnity we can say that regardless of whether I can show damages, this is worth $55,000 a day if you breach this indemnity. Warranties, you actually have to show damages. One that I always put in every single contract is a harmful code warranty. If I am receiving any code, or if I'm going to a web portal where I may be exposed to an exploit that is going to impact one of our users' browsers, we're putting in a harmful code warranty that says, hey, everything you deliver to us will be free of harmful code at the time of
delivery.

Now as we move into the next section of contracts, which is probably where you're going to spend the most time negotiating, an important thing to remember is the cost of a contract is not the risk of a contract. Your marketing department may be paying $10,000 for something that deals with customer data and enriches it a bit. If you have a PII breach, that's going to cost you a lot more than $10,000 just for the stamps to mail the notifications. So we need to make sure that when something goes wrong our vendors are able to cover our losses.

So we've taken an interesting approach to this, and what we've done is we look at vendors and we rank them in terms of high, medium or low risk. I don't have a perfect process for you to decide if a vendor is high risk or medium risk or low risk; if you've been in the field long enough you probably can sniff it out a little bit. What we do is we send out vendor questionnaires. You may get some answers back that are handwavy, or you may get answers back that are very detailed and show they know their stuff. Those are the things we're looking for as we're assessing risk. We're looking to: do you do pentests? Have you had a third party check if you are doing security the way you say you're doing security?

Across the top we've got our different data sets, because each data set has a different value, a different cost in a breach. PHI cost per record is different than PCI cost. PCI cost, we're going to see our transaction costs go up for payments, so that's entirely based on how many purchases we're doing volume-wise. And what we did is we did a FAIR analysis on this, just doing large buckets. If you're not familiar with FAIR, what you do is, on the left side in the columns we've got risk; we're mapping that to a probability. Maybe a high-risk vendor, we think they'll be breached within 0 to 3 years. Maybe a moderate vendor, we're thinking they're going to be breached within 3 to 10 years. A low-risk vendor, we're thinking they're going to be breached within 10 to 20 years. And then we've got estimates on the cost of our data set. This doesn't have to be perfect; DBIR is great to get data on this. Do what you can. What we did is we bucketed it, and we've got a little bit of a heat map here that indicates where it's going to be the most expensive for us if we have a breach with this vendor, and where it's going to be the least expensive for us and we can accept the most risk.

And in order to complete our limitation of liability, which is the maximum amount that our supplier will pay out on this particular contract, we fill out the heat map with numbers. On the high end, in the orange squares, that's going to be where your retainer is for your insurance. All right, if you're not familiar with the term retainer, that's very similar to deductible; the insurance guys are going to cringe a little bit at me saying that, but it's close enough for these purposes. So that's where your orange is going to sit, and then you need to decide as an organization what's the minimum liability you're willing to accept from a vendor, and this at least gives you a starting point as to where you want to be at the end of negotiation: how much risk you want them to take on.

Now, one thing you're going to see from your vendors is they do not, if it's a $10,000 contract, their insurers won't allow them to take on $5 million in risk. So one of the key concepts you want to think about here is the term super cap. What that says is, hey, maybe you're a marketing vendor, and for most things I'm paying $10,000 for your service, $10,000 is the maximum amount of money I can get back, but if we have a PII data breach we're going to super cap that at $5 million so we can be made whole if you're not meeting your obligations and we suffer. All of this is a negotiation ask. You would be surprised what you can get from your
vendors.

So what's your board care about in contracting, and what are the industry standard terms we should have in our contracts? What should we be making sure we add here? We just talked about reading through it, but what should we be putting in, in terms of an information security terms addendum to our contract? Well, an industry group has an answer for that. The National Association of Corporate Directors is the industry group for boards of directors, and they worked with the Internet Security Alliance. They've put this out since 2017; it's the Director's Handbook on Cyber Risk Oversight. If you have not read this document and you ever have to do a presentation that's reporting up, you should read this whole document. In particular, though, in this document, Tool D in the appendix, the supply chain and third-party risk management questions, lists several questions that your board should be asking your leadership about cyber security, and there are actually 10 specific things that they want to see in your contracts. How's that for leverage to get some security terms in the contracts? We're not going to go through all 10, just because I've got 30 slides as it is and we're fire-hosing this. I'm going to focus on the ones where I can give you some ideas and add value.

First one we're going to talk about is cyber security policies. You want to make sure your vendors have cyber security policies. I am not going to read you this legalese. The important thing I want you to see here is, we go down to item (n): you can throw the kitchen sink in your language. Do you have standards that you require of your own business? Throw some of that stuff into your standard information security language. Do not be afraid to put in what you need. And the other thing I will tell you with these long items, where you've got multiple things you're asking for, sometimes it's more interesting to see what the vendor won't agree to in this clause. So if you go into a negotiation and you're getting item (c), asset inventory, crossed out, that's a really interesting thing for you to be crossing out from a third-party risk management perspective. Hmm, maybe I've got some additional questions for your tech team.

Now, personnel policies: "Supplier will be required to perform a web-based criminal background check." One of the things that we often throw in here is notification obligations. If you remove someone for a reason related to your personnel policies, we want to know, because that's a potential bad actor that could have done bad stuff with their account that they've got in our environment. We want to go through the logs and see what they did. Not everyone's going to agree to this; a lot of people are going to cite confidentiality. That's okay. Even if you don't get it, 30 or 40% of your vendors might agree to it, and that's 30 or 40% of your vendors that you've got an insider threat program for.

Access controls: throw in what you require from an access control perspective. Make sure they're meeting your standards. Here we've got password complexity requirements, and "Supplier will implement single sign-on and multi-factor authentication where available." I can't tell you how many times, before we put this stuff in contracts, that we got to implementation and, "Oh, we do SSO internally; you need your own account to log into our portal." Well, if it's in here, you promised me SSO. You can put this in your deliverables as well, but go ahead, map your standards over to your contract language. Keep it reasonable, keep it to your critical controls, things like authentication, things like encryption, but map that stuff directly into your standard terms.

Encryption, backup, recovery: I am a big believer that backup and recovery are better dealt with in SLAs than in your standard security terms. If you have SLAs and your SLAs have penalties, service credits, make sure you have a chronic failure section where, if they continuously fail to meet your SLAs, you can either terminate them or they owe you money, not credits, money. Backups and recovery take care of themselves with availability metrics from that, because now the provider has a financial incentive to make sure you get the availability you need for your information. Now, if it's critical information, yes, maybe you additionally need backup and recovery, but for the vast majority of your contracts it's not going to be the end of the world if the vendor has data loss. It's all operational data that's being enriched, you know, go from there.

Secondary access to data: this is where they get you. Marketing comes in with a very cheap contract, but the vendor is going to sell every single piece of customer data you hand to them. If it's cheap, make sure you understand what happens to your data and what they are allowed to do to it, and ensure you retain ownership of all your data. If you don't know what your data is worth, go ask a vendor what they'll pay you for it and multiply that number by 10 to 20.

All right, countries with data access. This is another one that we need to take a look at. We're big on keep everything in the United States; we don't want to deal with GDPR, we don't like that, lots of extra obligations there. We have lots of vendors that have people supporting us out of Europe, out of India, out of Japan. We push for a list. I highly recommend pushing for a list, because you will find interesting things like, "Oh yeah, we've got a group of guys that support out of mova." I don't know that Eastern Europe is where I want regulated data accessed from. At minimum you're going to want to exclude OFAC countries. That's the Office of Foreign Assets Control; those are embargoed countries, your Cubas, your Russia, your North Koreas. We do not want them touching our stuff; we can get in legal trouble for that, so that's going to be a no-go.

Breach notification: this is another fun one. Make sure you've got a time period in here; "reasonable" is not a time period. We also want to know if there is reasonable suspicion of a breach, not just if there is a breach. We do not want our vendors to be able to perpetually delay notifying us until they confirm that there is a breach: "Oh, we didn't log anything related to that data, so we don't know for sure whether there was a breach or not, so you don't have to notify." It's happened. Make sure suspicion of a breach is sufficient. Also, you can see in red here I've got "or any system providing critical security controls for Confidential Information." Again, we don't just want our data; we also want the systems protecting our data included in breach notification. That's our Golden Ticket, that's our Okta getting popped. We want to make sure that we're getting notification so we can turn things off if we're at risk.

Third-party audit: we want someone to be checking what these vendors are doing. You're going to run into a lot of smaller vendors, a lot of mom-and-pops, that, "Hey, what we're doing with this is we run pentests, we have pentesters on staff, we're running vulnerability scans, we're running web app scans." That's great, you're checking yourself. I don't know that your configurations are correct; I don't know that you're even qualified to do that. We want qualified third parties performing pentests; we want them performing SOC 2s. Also, for my GRC folks in the room, how much time do you spend chasing SOC 2s that don't change the risk profile of your vendor? Add some language that if that SOC 2 is qualified, or there's anything that requires a management response in that SOC 2 when it's issued annually, they have to notify you. All of a sudden you've just cut 60, 70% of who you need to follow up with, and they're in the business of notifying you when they have a problem.
But we've got some more good stuff for you, and these are a couple of items that I'd really like everyone to take back to their legal organization, have a discussion, see if you can get it added to your stuff.

Risk acceptance. I want to talk about this. You're going to run into situations where you want something in the contract as a security stakeholder and the business wants the contract: "Let's just accept it." How do we decide who gets to say this is okay to accept? Well, here's my suggestion for solving that problem. First thing we need to know is, is this a non-negotiable? For things like PHI, PCI, let's do PCI: I'm not going to negotiate on whether you have a ROC or not. I want your compliance noted there, because I need that for my compliance with PCI. You don't have that, we're not doing business with you. Those are easy ones; we're putting ourselves at risk. But then you've got the situations where it's not so clear-cut and we want to run the numbers down. So what we're going to take a look at is: what do we think is the frequency of this risk, and what do we think the cost is? We're going back to that limitation of liability matrix. What do we actually think our potential exposure here is? If we're going to our example of marketing in the $10,000 contract, we've got a thousand records of PII, estimate 400 bucks a record, you know, we've got decent exposure there, and even if you annualize that over three years for a high-risk vendor, you're still in several hundred thousand. That is way more cost than that contract. But we also need to know what kind of money that's saving marketing. If that's saving them $2 million, risk can be good too in contracts. We can have contracts where it's going to save the business $2 million a year. So we've got to take our annualized loss and subtract that off of the money we're saving, or the money we're making, coming out of this contract, and you're either going to be negative, you're going to be close, or you're going to be positive. If you're positive and you're making more money, it's an easy risk acceptance decision. It's not a non-negotiable; hey, let's go ahead, let's make the business some money. This is a good place for us to take risk; this is a good place for security to say yes, we're supporting what the business wants to do. When you're upside down on it, though, and your risk exposure way outweighs what you're going to be saving with this contract, your business already has a methodology set up for who should be able to accept this, and it's your purchase limitations. Your managers only have a certain amount of money they can spend; your directors only have a certain amount of money they can spend; your VPs only have a certain amount of money they can spend. This money is part of this contract. This isn't a $10,000 contract; this is a $100,000 risk contract. So do we need to bring that to the director, to the VP, to the CFO as part of the purchase strategy for this contract? That's where I suggest you should be placing the risk and having a risk owner accept it, because the business has already decided these people within your organization can make decisions about spending that much money and whether it's worth it or not.

The final one I've got for you is my favorite one, and I want everyone to take this one back and put it in their standard language. This is the canary clause. I have a 100% true positive rate with this clause: "Supplier attests that at the time of this Agreement, Supplier is not aware of any current or prior undisclosed breach that would impact the security of Customer Data." You can do all the third-party risk assessment questionnaires you want to; if they have to sign in a legal document that they are not currently under breach, you're going to find some really interesting things when people cross this line out. I've only had two vendors that have refused to accept this language. Both of those vendors we walked away from; both of those vendors disclosed a breach within six months of when we walked away. 100% true positive rate on that. I don't know anything else you get a 100% true positive rate with in information security. Put this in your standard language.

So hopefully you've learned a few things about contracting, hopefully you've got a few ideas to take back to your legal team, hopefully you've got a good idea of how to approach your legal team and get them bought in to adding this stuff to your contracts, and hopefully you're going to be sleeping easier soon. I'm happy to take questions at this
point. Lisa.

Do you have anything in your contracts related to fourth and nth parties?

So the question is, do we have anything related to fourth or nth parties, and the answer is yes, and I do recommend adding some language to that. We have language to the effect of: any subcontractor you engage as part of delivering this must adhere to the same, no less stringent, requirements than what we are placing on you, and that way it basically flows down all the way through however many parties you're subcontracting to.

Thanks. Hey Brandon, question about the harmful code clause that you mentioned. Do you define that in the beginning of your contracts, and if so, how did you define that exactly?

So that's a great question for your counsel. I can offer a suggestion, but I would say defer to your counsel on how we should be defining harmful code. We are generally taking a laundry list approach to that, where we are saying viruses, malware, ransomware, you know, browser hijack attacks, and we're listing out a number of different examples of it, and then finishing with "or any other piece of code that's designed to negatively impact the functioning of the system for the vendor."

Hey Brandon, for the vendor questionnaires, are you typically using an in-house based questionnaire, or are you going with like an industry standard like a SIG or CAIQ or something else to do the evaluation? And how often are you doing the evaluations of those? Is it like an ongoing thing, only at renewal time, only at changes of contract? Just curious on your process.

Yeah, great question. I hate the SIGs; I'll just be blunt about that. I am not a fan of the SIGs. What we generally do is we've got a mix of very high-level compliance and governance questions, and I've got a few zingers in there like, what is your minimum key length and cipher mode for any encryption? I like that one because I'm testing how long the company takes to get back with that. If it takes you two weeks to figure out what your encryption standard is, okay, I know you don't really have a well-defined encryption standard. On the other hand, I've run into vendors where I've popped it to their sales engineer on the call and they are like, "Oh yeah, 2048, AES GCM mode." Okay, you guys have a solid engineering practice. I find that one's a good litmus test for me just to see where their engineering program is. So we try to mix up which ones we've got. In terms of frequency, risk-based is the best answer I've got for you. At minimum, renewal time, but, you know, risk-based; we're looking for more frequently.

Hi, is there any appreciable difference between a SaaS contract... oh, sorry. Oh, okay, yes. Hi, is there any appreciable difference between... I still can't hear you. I'll walk up to you. Hi, is there any appreciable difference between a SaaS-based contract and a contract for software that's going to be on-prem that you've noticed? So like an AWS or something else, like a product that is completely off-prem, versus something you're going to have on your servers?

All right, so SaaS versus on-prem. One of the big things that we see is issues with the maturity of SaaS vendors. It's pretty straightforward doing an on-prem contract, because, you know, we've been doing on-prem since the '80s; that's nothing new. SaaS vendors, one of the big things we're looking for is, when I ask for your SOC 2, are you giving me Amazon's or Azure's SOC 2 and saying, "Oh yeah, we've got SOC 2"? Yeah, no, that's not for you, that's for them. Other things that we see there: normally you're going to have restrictions on pen testing with your SaaS providers; they don't want every single customer having a custom set of things. A lot of that comes down to understanding what best practice is, why can't you agree to this stuff, and can they give you a reasonable response as to why they're pushing back on language. If they've got a good compensating control, that's fine. And the thing we find is the more mature the SaaS vendor, normally they've got some language in their standard agreement that maps to what we're trying to do, and we can lean on that.

I think we have time for about one more question.

Hey Brandon, the question is related to the SaaS services and availability. In the first presentation, Alex, I believe, was up here in this room, it could have been the other room, could have been this, I don't know, talked about availability being very important with this, you know, now cloud-first type security, you know, cloud-first services. Availability, and you mentioned about SLAs, you know, building in compensation for when SLAs get breached. And I feel like normal service providers provide, "Okay, well, we have like 99.9 SLA availability." Well, that's great, but then they don't talk about, they don't provide you options for that compensation back. Do you have any guidelines for how to develop that, and present back to the service provider, for SLAs that are breached and how compensation works?

Yeah, so there are a couple ways to answer that. Your really big providers, your Amazon, you're probably not going to be able to push back on their SLAs. They're big; you're not the 100 lb gorilla, the 900 lb gorilla in that situation. You are the tiny little Chihuahua that's barking. So in those cases I'm less looking at that and I'm more looking at limitation of liability: if things go completely sideways, can we cover our losses that way, and what do we need to do from an engineering perspective as a compensating control? Because also, you might not be able to fit stuff in the contract, but you may be able to engineer around those risks, so that's also something to look at with the big ones. With the smaller ones, you know, because everything's a SaaS service today, you're working with a lot of smaller vendors. Those smaller SaaS vendors, we're going to be looking at where are they starting at. You need to set up a realistic case for them, and I find, this is getting into negotiation tactics a bit, but if you can set up a realistic scenario for them: "Listen, we're saying you guys have had a breach, you've had two breaches of your SLA, you've had three breaches of your SLA, it keeps happening, we're having our business impacted, we're having our customers angry with us, we need compensation at that point for that reputational hit." If you're able to set up the realistic scenario for them, that's where I find that they are willing to have a conversation. It may not be direct dollars; it may be alternative things. But, you know, you've got to go into a negotiation knowing what the set of potential acceptable outcomes are for you. So, sorry, I don't have one answer for that, but, you know, it depends.

So Adam said, can we do that with vicarious liability? And my answer is, I would have to defer to a lawyer to answer that question. I do not know.

All right guys, that about wraps it up. Can we give a nice round of applause for Brandon? That was a wonderful in-depth analysis. All right guys, we'll take about a 10-minute break and we'll be back here for our next talk. Thank you.
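The two pieces of arithmetic the talk walks through, the FAIR-style limitation-of-liability heat map (data set by vendor risk tier) and the risk-acceptance decision (annualized loss against the money the contract saves, routed to the purchase-authority tier), as an added worked example. This is not the speaker's tool or his organization's process. The only figures taken from the talk are the breach windows per tier (0 to 3, 3 to 10, 10 to 20 years), the $10,000 marketing contract holding 1,000 PII records at about $400 per record, and the $2 million savings case; every other per-record cost, threshold and role limit is a constructed sample value, and treating each window's upper bound as the expected time to breach, and routing escalation by the loss the savings do not cover, are this example's assumptions.

```python
"""Worked example of the talk's contract-risk arithmetic:

1. A FAIR-style heat map: annualized loss per data set (rows) and vendor
   risk tier (columns), used to pick a starting limitation-of-liability ask.
2. Risk acceptance: annualized loss minus the money the contract saves, and
   which purchase-authority tier must own the residual risk when negative.

Per-record costs and approval limits are constructed sample values; the
$10,000 / 1,000 PII records / $400 per record marketing case and the
$2 million savings case are the talk's own numbers.
"""
from dataclasses import dataclass

# Breach windows from the talk, by vendor risk tier. Using the upper bound of
# each window as the expected time to breach is this example's assumption.
YEARS_TO_BREACH = {"high": 3, "moderate": 10, "low": 20}

# Constructed per-record loss estimates (DBIR-style figures would go here).
COST_PER_RECORD = {"PII": 400, "PHI": 450, "PCI": 150}

# Constructed purchase-authority limits, lowest tier first: whoever may spend
# this much money is the person who may accept this much risk.
APPROVAL_LIMITS = [("manager", 25_000), ("director", 100_000),
                   ("vp", 500_000), ("cfo", float("inf"))]


def annual_frequency(tier):
    """Probability of a breach per year: one breach per years-to-breach."""
    return 1.0 / YEARS_TO_BREACH[tier]


def single_loss(data_set, records):
    """Loss if this vendor's copy of the data set is breached once."""
    return records * COST_PER_RECORD[data_set]


def annualized_loss(data_set, records, tier):
    """FAIR-style annualized loss: single-event loss times yearly frequency."""
    return single_loss(data_set, records) * annual_frequency(tier)


def heat_map(record_counts):
    """Rows are data sets, columns are vendor tiers; cells are annualized loss
    rounded to whole dollars. record_counts maps data set -> records held."""
    return {ds: {tier: round(annualized_loss(ds, n, tier))
                 for tier in YEARS_TO_BREACH}
            for ds, n in record_counts.items()}


def liability_ask(data_set, records, org_minimum, insurance_retention):
    """Starting point for the limitation-of-liability negotiation: the loss the
    vendor could cause us, floored at the minimum cap the organization will
    accept and capped at our insurance retention (insurance pays above it)."""
    return min(max(single_loss(data_set, records), org_minimum),
               insurance_retention)


@dataclass
class Decision:
    outcome: str       # "decline", "accept" or "escalate"
    risk_owner: str    # "security" when the numbers are positive, else the role
    net_annual: float  # annual savings minus annualized loss


def risk_acceptance(data_set, records, tier, annual_savings,
                    non_negotiable_missing=False):
    """Decide who gets to accept the residual risk of a contract."""
    if non_negotiable_missing:   # e.g. PCI data and no ROC: no numbers to run
        return Decision("decline", "none", 0.0)
    net = annual_savings - annualized_loss(data_set, records, tier)
    if net >= 0:                 # making more than we risk: security says yes
        return Decision("accept", "security", net)
    # Upside down: route the uncovered loss to the purchase tier that may
    # authorize spending that much (this example's reading of the talk).
    for role, limit in APPROVAL_LIMITS:
        if -net <= limit:
            return Decision("escalate", role, net)


if __name__ == "__main__":
    # The talk's marketing example: a $10,000 contract holding 1,000 PII records.
    for row, cells in heat_map({"PII": 1_000, "PHI": 1_000, "PCI": 1_000}).items():
        print(row, cells)
    print(liability_ask("PII", 1_000, org_minimum=250_000, insurance_retention=1_000_000))
    print(risk_acceptance("PII", 1_000, "high", annual_savings=50_000))
    print(risk_acceptance("PII", 1_000, "high", annual_savings=2_000_000))
    print(risk_acceptance("PCI", 1_000, "low", 0, non_negotiable_missing=True))
```

Run as a script it prints the heat map for the three constructed data sets, the liability ask for the PII row, and three decisions: the high-risk marketing vendor with $50,000 of savings lands on the director's desk, the same vendor with $2 million of savings is an easy security yes, and the PCI vendor without its non-negotiable is declined before any numbers are run.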