How to determine the exit cyber security provisions that need to be captured in the contract

The exit plan and conditions should document how a contract will be closed, regardless of the reason. A contract can close after the successful completion of the project, or it could be ended early due to issues.


In all scenarios, it is critical to have contractual definitions of how you will manage certain and higher-risk security risks.

Key exit cyber security requirements, arrangements, terms, and conditions

Key exit cyber security requirements, arrangements, terms, and conditions should clearly stipulate when and how the contract should end from a cyber security perspective or in a secure way. Exit plans are not solely for when something goes wrong, but are also important to have for closing a contract securely. You can consider the following when drafting contractual terms in relation to the exit of a contract:

 

  • Agree an exit plan with suppliers up front that includes relevant security requirements.
  • Consider the management of assets on contract exit. How will physical devices be returned? How will data be deleted?
  • Have a clear Joiners, Movers and Leavers (JML) process to cover leavers during and at contract exit. Consider how users’ accounts will be removed.
  • Consider how you will confirm that the supplier has completed the exit conditions. How will you check data is deleted and do you need to check?
  • Knowledge management and knowledge transfer are also critical for security. How will you maintain the projects or services once the supplier has exited? Will the service continue to be supported?
  • Do you need to maintain contacts with the supplier in the event of future security incidents?
  • Do you need any contractual conditions to hold the supplier to after the end of a contract? For example, will you ensure the supplier maintains levels of liability insurance for data protection?
  • Consider what might constitute a material breach. It is important to specify in the contract what, from a cyber security perspective, would constitute a material breach, and to maintain the right to terminate the contract in the event of a material breach.

Now that we’ve covered the key cyber security requirements, arrangements, terms and conditions, if you are interested in reviewing example contract wording, samples are available for reference along with other example materials in the appendix. Note that these are just examples, and you will need to work with your legal team to draft appropriate wording that suits your council’s requirements.

To learn about how to monitor compliance of suppliers against the cyber security requirements in the contract, and work collaboratively and proactively with your suppliers, continue on to the next guide: Management.

----

While these resources are updated frequently, the threat landscape is constantly evolving with new risks and vulnerabilities. It is very important to always follow the most up-to-date guidance as given by the NCSC and other related government bodies.