sc-2 | Medium priority | Supply Chain

Vendor contracts include minimum cybersecurity requirements

A vendor security questionnaire tells you where a vendor stands today, but without contractual obligations you have no legal basis to require the vendor to remediate findings, to notify you of a breach within a set time, or to accept liability when something goes wrong. Contracts are where accountability lives. Minimum cybersecurity requirements in vendor contracts create enforceable obligations for breach notification, data handling, subprocessor management, and the right to audit. They also signal to vendors that security is a condition of doing business with you, not an afterthought.

Complete first: sc-1

Implementation steps

  1.

    Develop a standard security addendum for vendor contracts

    Work with legal to create a vendor security addendum that covers: breach notification timelines (typically 72 hours, with the clause stating when the clock starts, e.g. on the vendor's discovery of the incident, and what counts as a notifiable incident); data handling and encryption requirements for data at rest and in transit; restrictions on sharing your data with subprocessors without prior notice and a right to object; the right to request audit evidence such as current SOC 2 Type II reports or penetration test summaries; and the vendor's obligation to maintain a security program for the life of the contract. Apply this addendum to all new contracts and renewals with high-risk vendors.

    Tools: DocuSign, Ironclad, Google Docs, Confluence, Notion
  2.

    Negotiate security requirements into existing high-risk vendor contracts

    For vendors already under contract who have high-risk access to your environment, seek to add the security addendum at the next renewal or through a contract amendment. Prioritize vendors with access to sensitive data or production systems. Keep a log of which vendors have security requirements in their contracts and which do not, along with the planned remediation date for each gap; where a vendor refuses the addendum, record the decision and any compensating controls so the residual risk is visible.

    Tools: DocuSign, Ironclad, Salesforce, HubSpot, Confluence
  3.

    Track breach notifications and enforce contractual obligations

    When a vendor notifies you of a breach, record when the vendor discovered the incident and when you were notified, and check that interval against the timeline in the contract. Document the incident, assess your exposure (which of your data and systems the vendor holds or can reach), and take action as appropriate. If a vendor misses the notification deadline or otherwise fails to meet its contractual security obligations, engage your legal team. Track all vendor security incidents and their resolution in your incident log.

    Tools: Jira, ServiceNow, Confluence, Drata, Vanta

Evidence required

Vendor contracts with security requirements

Evidence that vendor contracts for high-risk vendors include enforceable security requirements.

  • Vendor contract or security addendum showing breach notification and data handling clauses
  • Contract inventory showing which vendors have security addenda
  • Breach notification log showing incidents handled per contract terms

Related controls