Part 2: Cyber Terms and Conditions to Consider When Purchasing

Writer’s note: You can read part 1 of this series here. But before I get into part 2 of my blog on Cyber T’s and C’s when purchasing, an announcement. My last blog post for my engagement as a featured contributor will be the week of March 29. I just want to say (in case I forget) thanks to everyone who has read and commented on my various blogs and to GovLoop for the opportunity and platform.

Without further ado, let’s wrap this procurement conversation up!

SOC2/SOC3 (Service Organization Control)

This one should be baked into your procurement terms and conditions. I won’t go into the history of how SOC (Service Organization Control) reports came to be. But if you are interested, check out this link.

Basically, the SOC reports are intended to demonstrate that the third party that is housing your data (e.g. SaaS providers) have adequate security controls in place. These controls are centered around the areas of security, availability, processing, integrity and privacy. If you are looking to procure services, especially online, and the vendor doesn’t have a SOC report, that should be a warning.

What’s the difference between a SOC2 and 3 reports? It’s in the reporting. A SOC3 report is a general use report, one that can be shared with anyone. A SOC2 report tends to be more detailed and comprehensive than a SOC3 report and is restricted to those that are affiliated with the company or current/prospective customers. A company cannot self-audit (sorry!); SOC reports can only be conducted by an independent CPA or accounting-type organization.

If you are looking at vendors, ask for the SOC2 report — don’t settle for the SOC3.

NOTE: When asked for a SOC2 report or an AOC (attestation of compliance related to meeting Payment Card Industry, or PCI, requirements), I have seen companies try to share their hosting company’s report/AOC. For example, most SaaS solutions that take online payments don’t actually own the infrastructure to host their software online. They work with Microsoft, Amazon, Rackspace, etc. I have seen vendors share those company’s SOC2 or AOC. This does you no good as the audit is on the host’s security controls, not the software vendor in this example. Don’t fall for it. They need to provide their SOC2, etc., that is specific to their service. Otherwise, you have no objective way of knowing what security steps they’ve taken!

Integration With Security Tools

This can get fairly technical, but I will try to keep it at business-speak. As we move to more of an online way of working, many agencies are adopting cloud-friendly or cloud-centric applications. One such tech you might be aware of is SSO (single sign-on) and MFA (multifactor authentication).

This is a lot of tech to swallow (check this out if you’re really interested in the specifics), but here it is in a nutshell. SSO is where you can use your work username and password to access other services, even if they are procured through a third party, such as Workday or Salesforce. The external service basically has a way to query if the username and password you’re providing is associated with you.

Pretty nice and fewer accounts to keep track of! MFA is like what the banks have been doing for over a decade. Upon logging into your banking website, they will send a text to your phone with a one-time code you have to enter. Not all MFA is text-based. There are lots of other options, but the principle is the same. Using two forms of identification, you have to prove you are who you claim to be.

Why am I explaining all this? If your procurement terms and conditions don’t call this out as a requirement, you might be inviting companies who are not taking current trends (I daresay what should be considered standard) into consideration. Additionally, both of these ‘features’ enhance your organization’s security.

MFA is pretty obvious, but SSO is very helpful too. Not only does it provide convenience for your users, but if something were to happen with your employee it’s quicker and easier to address. For example, if they are let go, instead of trying to make sure you’re changing 30 different usernames and passwords, you can disable the account at the source and you’ve now secured all those different services!

There are other tools and services you might want to account for, but they are too numerous to list out here. Get with your IT or InfoSec departments for more recommendations.

Don’t Turn the Screw Too Tight Though!

This last suggestion is for all my fellow governmental InfoSec colleagues. Keep the bigger picture in mind, meaning if you make your T’s and C’s so restrictive, no one is going to want to bid on your project. I have personally been involved in RFP/RFQs (requests for proposals and requests for quotes) that have had so many restrictions and requirements placed on the bid that no one submitted or qualified.

If you are lucky enough to have your purchasing department ask for your input, instead of adding everything but the kitchen sink, consider for a moment what is really important to you and the enterprise. What would you be willing to fight to see included versus what is something that might be nice to require but doesn’t minimize a lot of cyber risk? I have found if you take a pragmatic, business-centric approach to your cyber T’s and C’s, the business will appreciate it and you’ll probably be able to approach purchasing again with recommendations down the road.

Hope you found this helpful/interesting, and I will see you next week!

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.

Leave a Comment


Leave a Reply

Avatar photo Nicole Blake Johnson

It has been a pleasure reading your posts, Lester! Even for us non-technical folks, this is fascinating and very pertinent. It’s empowering to know what to ask and look out for when it comes to terms and conditions. I didn’t realize single sign-on had those benefits when shoring up accounts for departing employees. And your note on taking a business-centric approach to cyber terms and conditions is so key. That’s how we all start to see our security teams as allies and enablers.

Lester Godsey

Thanks Nicole! This experience has confirmed what I’ve suspected – that I can talk on this topic indefinitely :-). Thanks again for the opportunity and platform!