In addition, you should always include detailed security requirements in the counterparty/matching agreement, not just a simple and vague statement that indicates the need to monitor the security of the information.
However, some suppliers adopt the audit concept and apply it in a way that borders on the unacceptable. IBM is perhaps the best example of this, both because of its dominant market share in certain segments and the shocking scope of its standard audit clause.
(b) Payment errors. If such audits reveal any error or discrepancy, the error or discrepancy is immediately corrected and any money due to the company or contractor is immediately paid by the other party.
A conclusion for all organizations, from the largest to the smallest: "trust, but verify" is an old Russian proverb that Ronald Reagan often cited during his presidency. And for good reason: in a variety of life situations, you have to validate that something is as promised. When it comes to information security and data protection, you need to be able to verify the third parties responsible for your organization's information, using appropriate controls. If you do not include a right-to-audit clause in your matching contracts, you may remove your ability to conduct such a review when it is needed.
It is customary for software providers to incorporate clauses in their licensing agreements that give them the right to call audits or use other mechanisms to ensure that the licensed products are used in a manner consistent with the agreed licensing restrictions. Most software consumers would agree, perhaps reluctantly, that these rules are useful. After all, the lifeblood of a software provider is its products and, if it allows the use of these products without a proper license, it risks both financial losses and harm to the value of its intellectual property.
When the processing or storage of information is outsourced to another company, the organization that provides access to its information and/or systems to its BA or to another type of counterparty or provider does not also outsource its responsibility for protecting that information (although some really do try to do so through all kinds of complex contractual clauses).
The 2013 HIPAA omnibus rule makes this clear by stating that Annex A.15.1 of ISO/IEC 27001:2013 recommends that relationship providers use right-to-review clauses.
And then I once again asked the lawyers to strengthen contracts with our various types of business partners, including a right of review. I wanted to check not only after an offence, but at any time, if I deemed it necessary, to protect our inventory of information. This time, the view of the legal office had changed. They agreed that it was a good idea and, from that point on, we included a right-to-audit clause in all contracts with trading partners who have access to, or in any way hold, our information resources.
Such a clause is a good idea for all types of organizations of all sizes, not only as a way to demonstrate the necessary diligence, but also to be proactive in preventing data breaches and security incidents. Here are three compelling reasons why you should be entitled to verification clauses in matching contracts.
(d) Communication. The company has the right to verify the contractor's accounts and records only after giving written notification to the person whose accounts and records are to be verified, in accordance with the communications provisions of this agreement.