Information Security Standards and Certifications in Contracting
When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.
Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.
More Than Two Years Later, Federal Agencies Issue GLBA Final Model Privacy Form
On Tuesday, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), the Commodity Futures Trading Commission (CFTC), and the Securities and Exchange Commission (SEC) (the "Joint Agencies") issued the Final Model Privacy Form under the Gramm-Leach-Bliley Act (GLBA). Financial institutions may rely on the model privacy form as a safe harbor to provide disclosures under the GLBA privacy rule (12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC)). Among other things, the Final Model Privacy Form is designed to be more consumer-friendly. The Final Rule can be found here. The opt-out model form can be found here. The no opt-out model form is here. For more on the history, read on.
Continue Reading...
