Model Contracts Project
The Model Contracts project has been developed under the direction of Jeffrey Ritter, CEO of Waters Edge Consulting and recipient of the American Bar Association's Cyber Space Excellence Award for his work in providing solutions to legal barriers in electronic commerce. At the ISAlliance GlobalComm Executive Panel, Ritter is discussing the benefits of model terms with former ISAlliance Executive Director Dave McCurdy. The Model Contracts Project is supported by:
The Model Contracts deliverables consist of two best practices guides:

Phase I of the Model Contracts Project was completed in 2005: Contracting for Information Security in Commercial Transactions - An Introductory Guide. This is a resource for contract-based, market-driven improvements in business operations. It not only improves security and regulatory compliance, it also lowers B2B transaction costs and the legal fees associated with maintaining compliance. PURCHASE the introductory guide for $29.95!

For 2007, we have continued the Model Contracts Project with Phase II, giving greater emphasis to standards-based information security controls. ISAlliance has published Volume II: Model Contract Terms for Certified Information Security Management. The new book delivers guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001. ISAlliance Members capitalized on the opportunity to develop and produce this companion guide.

April 27, 2007 - NY AG Settles Data Breach Case With Chicago Company (as reported in SANS NewsBites, #35)

The New York Attorney General's (AG) office has reached an agreement with a Chicago company that neglected to inform the owner of the data of a data breach until two months after the fact. The agreement stipulates that CS Stars LLC will "implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs." On May 9, 2006, a CS Stars employee noticed that a computer was missing. The CS Stars computer held data that belonged to the New York Special Funds Conservation Committee, including names, addresses, and Social Security numbers (SSNs) of approximately 540,000 individuals. That organization did not learn of the breach until June 29, 2006. The FBI was notified of the breach on the same date, and the AG's office was alerted to the situation on June 30. The FBI told CS Stars not to send notification letters to people affected by the breach because it could interfere with their investigation; in mid-July, the FBI gave permission for notification letters to be sent. On July 25, 2006, the FBI discovered the computer had been stolen by a cleaning company employee; the computer was recovered and there did not appear to have been any unauthorized access to the data. New York's Information Security Breach and Notification law requires organizations maintaining personal data to inform the owners of those data immediately in the event of a security breach.

(SANS editor Honan comments on the story): Where third parties are charged with managing and/or protecting your data, that data still belongs to you and you are ultimately responsible for it. This story highlights why you should ensure that any contracts or SLA agreements between you and the outsourcing company contain provisions to ensure that you are alerted to any security incidents relating to your data.

Purchase the Model Contract Terms for Certified Information Security Management Systems to achieve this assurance! Section 4 of our new book contains these model provisions!