Originally published on agiloft.com

You have decided to take charge of your contract management with a CLM solution automating tasks, reducing your legal risk, and accelerating revenue recognition. Now, it is time to make sure that this same solution provider is as savvy about data security as they are about contract automation.

If the daily headlines of ransomware attacks and natural disasters are any indication, now more than ever, your CLM solution provider should have a strong understanding of the threat landscape.

In Agiloft's most recent White Paper, Checking Your Digital Armour: The Critical Elements of Enterprise Digital Security, we identify the areas where data is most susceptible and how to protect it in the interests of business continuity. Specifically, we outline the topics and questions we recommend reviewing with any current and future vendors entrusted with your contract data.

The first question we recommend is: may I see your Consensus Assessment Initiative Questionnaire (CAIQ) or Cloud Controls Matrix?

Every significant cloud vendor has completed the Consensus Assessment Initiative Questionnaire (CAIQ) or Cloud Controls Matrix. You can see if they have any obvious vulnerabilities—such as weak ciphers, unpatched applications, or an insecure network. Security conscious vendors will have this information available and a sense of pride in sharing it with you, subject to an NDA.

Still, a strong CAIQ is not sufficient for most organizations to move forward and entrust their data with a vendor’s software. We would also recommend requesting the results of the most recent third-party application vulnerability and network scans.

Once you feel confident with their performance on these basic reports and evaluations, you will want to see how they stack-up in the most widely accepted standard that evaluates not only how well the CLM vendor protects their own data but how well they protect customer data. This is a SOC Type 2 certification.

The second question: Do you have your SOC2 Type 2 certification, and may I see the report?

From President Biden’s recent cybersecurity Executive Order to the SolarWinds hack, it is clear that the best way to protect your data is to assume that someone is after it, all the time.

SOC 2 Type 2 reports assess organizational controls related to confidentiality, integrity, security, and availability of data. If a provider is SOC 2 Type 2 certified that is a good indication that their environment is secure and they have no security gaps capable of exploitation by bad actors. This becomes increasingly important as we see more high-profile breaches resulting from third-party vulnerabilities.

The third question: request an annotated diagram of the hosting infrastructure showing the primary server(s), any replica servers, and the backup infrastructure.

Grabbing headlines almost as often as cyberattacks, natural disasters are another threat to an organization’s data stability. Remember, your data ultimately lives somewhere—likely a datacenter. If a natural disaster seems too farfetched a risk, then there are much simpler factors that can lead to the destruction of data: people. Since the invention of the delete button, data has sustained a long history of disappearing at the most inconvenient times.

All hardware has the potential to fail, and all people make mistakes. The only sure way to maintain continuous access to your contract data is server redundancy. From disasters to deletion, neither needs to interrupt business operations if server redundancy is in place. No information is lost if the live server is replicated in real time to a distant facility. The third question above will reveal where the vendor stands in terms of their replica servers and back-up infrastructure.

The fourth question: can you show us how you would configure permissions to address complex requirements, and how we could change this configuration when needed?

The last element of security that smart companies are addressing with their CLM vendors is access and configuration permissions. When it comes to security, good housekeeping means that only those who need to see the data are the ones with access.

Today, you may want to specify that Contract Managers can view all contracts while salespeople can only view the contracts related to the customers they work with, but in the future, you may want certain Contract Managers to have limited visibility of contract data. Your CLM solution must be configurable enough to support your current requirements but also able to adapt to future needs. Otherwise, employees are given access to all contract details and sensitive business information.

These sorts of lax permissions increase the chances of a security breach and expose the organization to undue risk.