Transcript of interview with Legal

Compliance
Data Protection
Risk Management

Auditor: I’d like to discuss how legal considerations relate to information security. How are security requirements incorporated into client & vendor contracts?

Manager: Information security terms like confidentiality, data handling, access restrictions, and liability are included in our standard contracts based on templates we’ve developed.

Auditor: Good to hear. And what review process exists for new technologies or partnerships with security impacts?

Manager: We complete due diligence and risk assessments on vendors. Contracts go through an approval workflow including security and compliance teams to ensure appropriate clauses are present.

Auditor: Excellent. How does legal advise internal teams regarding security regulations and obligations?

Manager: We provide training to various departments on relevant regulations pertaining to their data practices and systems. Ad-hoc legal guidance is given whenever new policies or controls are introduced.

Auditor: That covers some key points. Lastly, how would you describe collaboration between legal and infosec teams?

Manager: Very open communication and tight partnership. We support security’s initiatives while ensuring adherence to regulations. Joint response on incidents as well.

Auditor: What role does legal play in security risk assessments and vulnerability disclosure?

Manager: We advise on risk assessment methodologies to align with legal obligations. For vulnerabilities, we help guide responsible disclosure balancing transparency and liability concerns.

Auditor: How are potential security-related legal issues escalated and addressed?

Manager: Infosec teams flag items to legal through designated channels. We provide guidance to mitigate risks while maintaining compliance obligations.

Auditor: What security expertise and background exists within the legal team?

Manager: Some team members specialise in data privacy and IT regulations. We pursue ongoing education on technical topics to strengthen legal-infosec collaboration.

Auditor: How could security-related legal practices be improved?

Manager: Additional data mapping and records of processing activities could better demonstrate compliance evidence if ever questioned. More proactive risk analysis as well.