Project Management Central

Please login or join to subscribe to this thread

Topics: Consulting, Government, Procurement Management
Please provide your opinion regarding a vendor situation
Network:300



We have contracted with a a vendor to implement a solution (A Tax system). One of the features of the solution is to build a public facing website. We asked the vendor before we signed the contract to list all 3rd party applications that are integrated into their tool. Nothing was disclosed.
Now we have found that the vendor plans to use DotNetNuk (DNN) to build the website. We like DNN as a tool but it is open source and we are a conservative government agency. The vendor is willing to amend the contract language so they would work with DNN if there is a problem, and partner with us if there was a security breach. My management team wants the vendor to be fully accountable if there is a security breach because of DNN. The vendor says it is unheard of for a company to warrant any company's tool even if it is integrated into their solution.
Have you had experience dealing with this situation? What are your thoughts about who is right.
Sort By:
Network:865



Destiny -

Whether it was an internal team in your agency proposing to use a third-party component or a vendor doing so, if you have policies or standards regarding the validation of these and constraints on their usage, those should cover the full scope of the solution.

Sounds like a contract amendment is required based on negotiation between your internal control partners and the vendor on the specific wording that will satisfy both parties.

One possible outcome might be that the vendor might indicate they are unable to deliver the solution without using DNN and if so, either the contract could be terminated early or there would need to be a change based on their use of a different tool which has been blessed by your contrl partners.

Kiron
Network:300



We are working on an amendment to the contract. I hope we can negotiate and find a solution that benefits both parties.

Since the vendor chose to integrate the 3rd party application (DNN) into their solution, should they be responsible if there is a security issue? I think that is really my question to the PM community.
Network:2339



The vendor needs to show that they have taken security precautions. Will they scan the solution? Will they follow security coding practices? They should be required to provide you with proof that they did these. In addition, I would probably plan to rescan the solution for security flaws and put it in the contract that the solution will not be accepted until all security concerns have been addressed.
If a breach does eventually occur due to the technical solution they provided, then the contract should be worded that they will be responsible for correcting the code.
...
1 reply by Destiny Olivas
May 02, 2018 3:47 PM
Destiny Olivas
...
Thank you for your response.
Everything you mentioned was included in the initial contract with the vendor. I think we just need to amend the contract to state something along the lines of.... the vendor needs to conform to the same security measures for 3rd party apps as they would for their own solution.
Network:300



May 02, 2018 3:39 PM
Replying to Dinah Young
...
The vendor needs to show that they have taken security precautions. Will they scan the solution? Will they follow security coding practices? They should be required to provide you with proof that they did these. In addition, I would probably plan to rescan the solution for security flaws and put it in the contract that the solution will not be accepted until all security concerns have been addressed.
If a breach does eventually occur due to the technical solution they provided, then the contract should be worded that they will be responsible for correcting the code.
Thank you for your response.
Everything you mentioned was included in the initial contract with the vendor. I think we just need to amend the contract to state something along the lines of.... the vendor needs to conform to the same security measures for 3rd party apps as they would for their own solution.
Network:18



Hi Destiny,
Hi everyone,

From experience, it will be unlikely that your vendor accept to take the full responsibilities in case of a breach. A breach can come from a software update by your IT-Team several years after your project completion or more. They will take known case studies such as multinational companies or government agencies which get hack all the time to tell you that this is impossible to protect you against everything and all the time due to the multiple entry points that hackers can find. Look to your risk register once again and for a scenario like this, "acceptance" could be your way out. I know this is not what your management team would like to hear, so in such case you should have a meeting with your Infrastructure Solution Architect and brainstorm with her/him on how could you make your data unusable for a third party in case of hacking (focus on one or two entry points and make sure that when hacked through this door, make sure that they find a total mess rather than a structured file as if they use the right key).

Hope it did help.
Carl
...
1 reply by Destiny Olivas
May 02, 2018 5:00 PM
Destiny Olivas
...
I agree with you Carl.

Thank you!
Network:300



May 02, 2018 4:46 PM
Replying to Carl Boucavel
...
Hi Destiny,
Hi everyone,

From experience, it will be unlikely that your vendor accept to take the full responsibilities in case of a breach. A breach can come from a software update by your IT-Team several years after your project completion or more. They will take known case studies such as multinational companies or government agencies which get hack all the time to tell you that this is impossible to protect you against everything and all the time due to the multiple entry points that hackers can find. Look to your risk register once again and for a scenario like this, "acceptance" could be your way out. I know this is not what your management team would like to hear, so in such case you should have a meeting with your Infrastructure Solution Architect and brainstorm with her/him on how could you make your data unusable for a third party in case of hacking (focus on one or two entry points and make sure that when hacked through this door, make sure that they find a total mess rather than a structured file as if they use the right key).

Hope it did help.
Carl
I agree with you Carl.

Thank you!
Network:99152



Destiny,

Seems to me that the vendor is already in breach of contract. They were requested to disclose 3rd party product and they fail to do so.

I guess your legal department is looking into it.

To me they are responsible for the security of their solution in the first place, isn't that in the contact.

What was in the RFP? are they still qualified? What is the impact on your IT infrastructure? many questions that should have been before the contract was signed.

Lessons Learned, add a clause concerning 3rd party application in your standard contract.
Network:12093



Hi Destiny, getting the "vendor to be fully accountable if there is a security breach" is too little too late, as with government or corporate, the sky is the limit in how much you (the organization) can be sued for when it comes to security/privacy breaches. "We asked the vendor before we signed the contract to list all 3rd party applications that are integrated into their tool. Nothing was disclosed" is your way out, if you indeed have evidence that you asked and it wasn't disclosed. At the same time, you probably didn't disclose that you did not want open source. Anyway, have the contract amended, tell the vendor to find another solution to either replace that third party or make it secure, or replace your vendor entirely, assuming you haven't gone too far down the track. This is really an issue for the legal or procurement department to assist.
Network:1344



Destiny,
I agree with all above , It would be best if everything was written with full requirements and prepared the contract accordingly but now the best solution is to re negotiate and find common ground and move on, this is a good lesson learn for future implementation
Network:300



Thank you all for your replies but we did add verbiage into the contract about notifying us about 3rd party applications, scanning and notification of breaches etc. And, you are all correct that this could be considered a breach of contract.

This solution is very specialized, there are maybe 2 vendors who can deliver this particular solution. We did do an RFP and only a couple vendors replied. This was the best vendor and we could mitigate delivery risks because they were already working with another county in our state. I want to keep a good partnership with this vendor, there is no other vendor that can do this work so the solution is not as easy as turning the issue over to legal and suing.
I think I agree with Carl, I need to have a conversation with our security folks to see how we can mitigate the risk of a security breach.
Thanks all!

Please login or join to reply

Content ID:
ADVERTISEMENTS

"The most incomprehensible thing about the universe is that it is comprehensible."

- Albert Einstein

ADVERTISEMENT

Sponsors