Contract Monitoring

Contract Monitoring
System / Application / Process Implementation
  1. Identify the individual(s) responsible for monitoring the contract.
  2. During project status meetings:
    1. Assess and review status reports regarding progress made in areas identified in item 1.l above
    2. Identify new areas or security requirements that may arise from changes in scope
  3. If applicable, perform or request audit of vendor security practices and procedures and/or perform penetration test
System / Application / Process Final Test and Prior to Sign-Off
  1. Test system/ application/ process security functionality required in the agreement
  2. Review progress reports and verify that areas identified in item 1.l above were completed.
  3. If applicable, perform an application scan
System / Application / Process Post-Implementation
  1. Follow up with system/ application/ process owner.
    1. Require owner to perform a risk assessment based on policy (annual if high risk or mission critical and bi-annual otherwise)
    2. Review with the owner the risk assessment results. Any concerns? Any problems? Any unknowns that need to be addressed with the vendor?
  2. Follow up with the vendor. Are access logs available? Any pending items need resolving? Are things on their end as expected? Any owner concerns? Any risk assessment identified deficiencies to bring up?
  3. Based on risk (annually or bi-annually), resubmit third-party information security assessment survey to assess what has changed, what needs closer scrutiny, or identify inconsistencies with previous assessments
  4. Establish a working relationship with your vendor
  5. As possible, participate in vendor's product improvement committee. What changes are been considered? How would they impact the institution's risk and security postures?
  6. Review security incidents involving the system/ application/ process. Are these due to contract non-compliance?
  7. If applicable, based on agreement, require subsequent assurance tests.

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).