Sample Security Controls Matrix - leocybersecurity.com

Date posted: 01-May-2018
Uploaded by: dangxuyen
Sample Security Controls Matrix
Tactics for Negotiating Security Provisions

Disclaimer

This document is a case study of a hypothetical company. The matrix below represents a hypothetical company's posture as it relates to a particular standard, in this case CIS 20. This type of matrix can be prepared for other standards, such as ISO 27002, NIST 800-53, etc. Bear in mind, however, that the matrix is specific to a particular company and, in some cases, to a particular venture. This document is not intended to be used as a generic reference; rather, it is an example of the type of deliverable that can assist transactional attorneys in negotiating security provisions.

Overview

The intent of this document is to present a case study based upon a fictitious organization, in this scenario a software as a service (SaaS) provider ("SaaSCorp") targeting mid-size to large companies. As it is awarded contracts, SaaSCorp's customers impose certain security provisions by way of a Master SaaS Agreement. One of the provisions stipulates that SaaSCorp represent and warrant that administrative, physical, and technical safeguards are in place that are no less rigorous than those set out in the CIS 20 standard.[1]

SaaSCorp's attorney is concerned about whether SaaSCorp can make those representations, as she does not wish for her organization to be in breach immediately upon execution of the contract. For this reason, she engages a cyber security company to assess SaaSCorp's cyber program against the CIS 20 standard (and other security provision requirements) for this type of industry/venture, for the purpose of building a matrix she can use in this and subsequent contract negotiations.

Negotiation Tactics

Oftentimes security standards are negotiated in an all-or-nothing fashion, but SaaSCorp's attorney recognizes that she may be able to break up a standard control by control, for granular negotiations. Her negotiation tactics include the following strategies:

1. Determine which controls/items have already been completed so that she can accept them outright
2. Identify those controls/items that could be completed with low to moderate difficulty and at reasonable cost
3. Negotiate out controls/items that are not applicable to SaaSCorp's security program requirements for this engagement
4. Defer, for a period of time, certain controls/items that are considered difficult to implement or are costly
5. Offer, as an alternative, a liability supercap in lieu of completing a control/item
6. Put in place, as an alternative, additional insurance coverage in lieu of completing a control/item
7. Shift back to the customer, for a price discount, responsibility for a control/item

[1] CIS 20 was selected in this exercise in part because of its division of security controls into 20 defined categories.

Security Controls Matrix - Case Study & Sample Controls Matrix

Columns in the matrix: Requirement/Control, Status, Difficulty (Easy / Medium / Hard), CapEx ($ / $$ / $$$), OpEx ($ / $$ / $$$), and Notes. Difficulty, CapEx and OpEx are recorded as X marks; the marks are shown together in the Ratings column below.

SANS CIS 20 Security Controls

| # | Requirement / Control | Status | Ratings (Difficulty / CapEx / OpEx) | Notes |
|---|---|---|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices | Complete | X X | SaaSCorp has processes in place to perform and maintain current hardware inventories, and can demonstrate having met this requirement. |
| 2 | Inventory of Authorized and Unauthorized Software | Complete | X X | SaaSCorp has processes in place to perform and maintain current software inventories, and can demonstrate having met this requirement. |
| 3 | Secure Configurations for Hardware and Software | Tactic 2: Can complete | X X X | The majority of the expenditure would be in OpEx because securing systems can be completed with SaaSCorp's existing information security team. |
| 4 | Continuous Vulnerability Assessment and Remediation | Tactic 2: Can complete | X X X | SaaSCorp has already completed a vulnerability assessment. Upon execution of this agreement, SaaSCorp will contract with a third party to satisfy this control. |
| 5 | Controlled Use of Administrative Privileges | Complete | X X | SaaSCorp has processes and technology in place to provide this capability, and can demonstrate having met this requirement. |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | Tactic 2: Can complete | X X X | SaaSCorp will need to implement technology solutions to support this requirement, and will contract with a third party for support and monitoring services to minimize operational costs. |
| 7 | Email and Web Browser Protections | Tactic 2: Can complete | X X X | SaaSCorp has basic email security technologies in place; however, the existing program does not address web browsing defenses. Addressing this issue will be relatively easy, but will require the purchase and deployment of additional technology solutions. |
| 8 | Malware Defenses | Complete | X X | SaaSCorp has purchased and implemented current anti-malware technology, and can demonstrate having met this requirement. |
| 9 | Limitation and Control of Network Ports | Complete | X X | SaaSCorp has network configuration standards and processes in place to address this, and can demonstrate having met this requirement. |
| 10 | Data Recovery Capability | Tactic 7: Shift to customer | Not Applicable | Customer is a cloud service provider, so this control can be pushed to the customer in negotiation, perhaps with a price shift. |
| 11 | Secure Configurations for Network Devices | Complete | X X X | SaaSCorp has developed a basic device security management process, and can demonstrate having met this requirement. |
| 12 | Boundary Defense | Complete | X X | SaaSCorp has boundary controls such as firewalls and intrusion detection systems in place, and can demonstrate having met this requirement. |
| 13 | Data Protection | Tactic 5: Supercap | X X X | SaaSCorp does not currently have the ability to encrypt data, but relies on other controls and aspects of its cyber security program to protect customer data. Until such encryption can be rolled out, SaaSCorp may offer a supercap in the limitation of liability for this control. As an alternative, SaaSCorp can offer to attain additional cyber security insurance. |
| 14 | Controlled Access Based on the Need to Know | Complete | X X | SaaSCorp has defined policy requirements and processes to limit access based on role, and can demonstrate having met this requirement. |
| 15 | Wireless Access Control | Tactic 3: N/A | Not Applicable | SaaSCorp prevents wireless networking by policy and does not employ wireless networks. |
| 16 | Account Monitoring and Control | Tactic 6: Insurance | X X | SaaSCorp can monitor when users are logging in, but has limited insight into account usage details. Until technology solutions are put in place, SaaSCorp can offer to attain additional cyber security insurance and name Customer as a beneficiary. |
| 17 | Security Skills Assessment & Appropriate Training to Fill Gaps | Tactic 2: Quick Win | X X | SaaSCorp can meet this requirement with relative ease by leveraging third-party solutions to assess existing security skills and provide training courses. |
| 18 | Application Software Security | Complete | X X | SaaSCorp has a documented secure software development process in place, and can demonstrate having met this requirement. |
| 19 | Incident Response and Management | Tactic 4: Defer for one year | X X | While SaaSCorp has a generic incident response plan, the attorney is concerned that it is not actionable and may not withstand scrutiny. SaaSCorp will convey its plans to employ a recognized incident response program and will negotiate one year to comply. |
| 20 | Penetration Tests and Red Team Exercises | Complete | X X | SaaSCorp has performed a penetration test within the prior 12 months, and can demonstrate having met this requirement. |

Disclaimer: This document represents a hypothetical case study involving a fictitious organization, for educational purposes, and does not refer to any specific or actual organization.
