Security Incident Investigations

Security Incident Investigations

#Why is this Important
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
Many institutions of higher education have state notification laws that they must follow if any confidential information regarding its constituents is impermissibly disclosed to third parties or otherwise made available to third parties through a data breach. In addition, as the inherent value of data grows, institutions will want to make sure that they are dealing with vendors who take data security seriously. This type of provision requires a contracting third party to notify the institution in the event of some sort of breach or disclosure and work with the institution to manage such incidents. Such clauses may also require contracting third parties to maintain appropriate access control and other logs to facilitate investigating security incidents with respect to the institution's data.

Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b)(4); (j); (p)

Many examples required the third party to cooperate with the institution in security incident investigations and to maintain logs appropriate for such investigations.

Criticality: Category 1, Category 2, and Category 3 (State notification laws bring category 1 into play)

Sample RFP Language:

  1. What procedures and methodology does the Proposer have in place to manage security incidents including detection, notification, and investigation to mitigate any damage and to restore any lost Institution data? [Include definition of security incident if it has not been defined in the RFP Definitions section already.]


Sample Contract Clauses:

  1. In order to ensure the ability to investigate security incidents, [Vendor] agrees to retain all authentication logs for a minimum of three (3) months from the creation of such logs.
  2. [Vendor] agrees to provide the Institution with the name and contact information, including phone number and email address, of at least one security contact who will respond to the Institution in a timely manner, dependent on criticality.
  3. [Vendor] agrees to shut down ALL access to the Institution's application on [Vendor]'s system within XX minutes notice from the Institution's security representative.
  4. Any product provided by [Vendor] must provide detailed logging of its transactions, including but not limited to: Privileged access to any sensitive information, including IP addresses of the user and original user name; Account creation, deletions, and modifications; Failed attempts to access data; All Logins (failed and successful) with IP address, using date, time, and user ID; Any OS patch or OS configuration changes and the user and IP address making them; Any changes to files in the web application directories, and the user and IP address making them; Any log file deleted and the user and IP address making the change; Any log file changed by the non-owing process and the user and IP address making the change; Service start/stop any service or server (i.e., any reboot of service or server outside of the normal maintenance window); and changes to firewall configuration files; and the user and IP address making the changes. Note, passwords should be excluded from all audit records, including records of successful or failed authentication attempts.
  5. It is presumed that the consequences of a virus, Trojan, or worm infection; intrusion by unauthorized third-parties; or similar security breaches are not beyond the control of [Vendor]." Note: Can be used as a qualifier of the Force Majeure clause.


common security items

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).