Contractual security terms
Meet Sam and their boss Sandeep. They're approaching year end and, based on projections, will need to hire more staff next year to keep up with the workload. Reviewing and adjusting the security and privacy elements of the standard contractual commitments that third-party suppliers sign regularly leads to several back-and-forth discussions, and takes a considerable amount of time. Sandeep is looking for options to streamline the process and increase efficiency.
Problem statement
Negotiating relevant security and privacy commercial terms with third-party suppliers can require significant effort and time-consuming revisions:
- Discussing changes to contractual security terms often requires input from multiple teams and subject matter experts on both sides.
- Contractually negotiated security controls can be disconnected from other due diligence processes.
- Negotiating specific safeguards, justifying their reasonableness, and preempting third-party pushback are all harder when using a custom set of requirements.
- Maintaining up-to-date safeguards to account for regulatory and industry trends requires a program of continual review and validation.
- Maintaining customized contractual security measures places the onus on legal teams to explain technical security concepts.
Overall, these issues extend the contracting process, make agreements resource intensive for all parties, and result in increased costs.
How MVSP can help
MVSP addresses these issues by providing a simple, repeatable, and measurable set of minimum controls that are both easy for the solution provider to understand and complete, and easy to include as part of your contractual security terms. While MVSP controls are designed to be a baseline, they are built from the ground up to represent the building blocks and industry best practices expected to be present in a secure and mature enterprise solution.
In detail, using MVSP means:
- No need to reinvent the wheel – Using MVSP means you don’t have to design and maintain your own custom set of security terms.
- Alignment – By aligning all areas of your vendor selection, due diligence, and contractual commitments to a single set of industry-backed controls, you reduce the likelihood of pushback on individual controls or last-minute surprises.
- Standardization – By relying on a set of industry-backed controls, you reduce pushback and the need to reinforce why specific controls are needed.
- Clarity – Using MVSP as a baseline provides a clear basis to flag issues and push for remediation requirements as part of contractual commitments.
- Industry influence – As the ubiquity of MVSP increases within the industry, these controls become table stakes for software and services, driving the broader industry to improve and adapt to the ever growing security and privacy requirements of modern systems.
"Aligning the Information Protection Addendum’s safeguards with the MVSP has significantly improved our third-party privacy and security risk management processes."
Google Privacy Legal
Useful links
- Minimum Viable Secure Product website
- Example: Google Information Protection Addendum
- Example: Salesforce Supplier Security Exhibit