
Instituting an Information Security Contract


Over the years, Master Service Agreements and Service Contracts have grown to include an Information Security Contract or Security Annexure that safeguards the confidentiality, integrity and availability (CIA) of the information assets in scope. It is now the standard business norm to establish such a contract or annexure whenever an organization outsources its IT-based services to a third-party service provider. Its purpose is to ensure that the service provider makes its best efforts to follow and adopt information security best practices when handling the confidential and sensitive information assets of the organisation it serves.
What is an Information Security Contract?
An Information Security Contract is an agreement between an organization and a service provider that documents, and legally binds the service provider to, the information security practices it is expected to follow. The agreement is generally initiated by the organization (referred to as the Customer from here on) to ensure that the service provider handling and managing its confidential and sensitive information assets makes its best efforts to adopt information security best practices and meets the expected level of confidentiality, integrity and availability for the assets under its management.
Typically, the Information Security Contract will include:
• A Statement of Work that clearly defines the work to be carried out by the service provider.
• Standard information security requirements containing the minimum security baseline standards that the service provider must adopt and implement, including the accepted level of information security governance, risk and compliance controls that must be in place.
A good and implementable Information Security Contract/Security Annexure should contain adequate security control clauses to safeguard the CIA aspects of the business operations and the underlying information assets.
Contents of Information Security Contract
The Information Security Contract should contain clauses and statements that mandate the adoption and implementation of appropriate layers of security defence by the service provider. It should be sufficient to provide assurance that the service provider does, and will continue to, handle and manage the confidential and sensitive assets effectively and safeguard their confidentiality, integrity and availability. The clauses and statements should require appropriate information security controls from the following information security domains:
• Organization of information security
• Security policies, procedures & guidelines
• Risk Management
• Threat Management
• Incident Management
• Information Asset Management
• Identity and Access Management
• Application Security Management
• Secure Configuration Management
• Change Management and others
Balancing the Information Security Contract to meet the preferred level of security requirements
It is a general observation that information security professionals sometimes draw up very stringent Information Security Contracts / Security Annexures, insisting on multiple layers of security defence and over-protecting the information assets, with the result that information security becomes a disabler of business operations. It is therefore essential for the Customer and the Service Provider to jointly assess and analyse the exposure to security risks and arrive at the right level of security defence, one that provides assurance of safeguarding the confidentiality, integrity and availability of the information assets handled by the Service Provider. The recommended steps are:
• Assess the security risks
• Gap analysis to assess the impact of weak or inadequate security controls
• Risk mitigation
Achieve WIN-WIN by instituting right Information Security Contract
A good and implementable Information Security Contract/Security Annexure should ensure that adequate security control clauses are documented and agreed upon to safeguard the CIA aspects of the business operations and the underlying information assets. This can be achieved by:
• Involving key business users, legal advisors, IT, HR and facilities personnel to ensure that all risks are assessed and that any security gaps are addressed through appropriate security control clause(s)
• Agreeing on exceptions and their compensating controls to minimize residual risk
• Agreeing on ongoing risk assessments, impact analysis and risk mitigation
• Developing and implementing a project-specific security operations guide that covers all of the security control clauses, their respective owners and the controls expected to be in place. This guide should be monitored and reviewed until the end of the project.