Last in a series on some practical legal mumbo jumbo (disclaimer: IANAL) for your Master Consulting Agreements (MCA). This one was particularly interesting to put in; it’s really interesting to see who catches it, but it was an amazing (in retrospect) observation that led us to include the language.
The Trigger Event: A virus outbreak. We had been hit before, and the executive group was not fond of losing their email for a day or two, so we implemented fairly tight lockdowns to get things under control – email scanning, virus signature updates pushed via SMS, aggressive patching for IE, and plenty of email warnings against opening mystery attachments. After many months with no outbreaks, we were surprised when we got hit fairly bad one summer. When we traced to the source of the outbreak, we found it was a consultant’s PC – woefully behind in OS and Virus patches and updates.
Our Director of Operations was rightfully peeved, as his group put in a lot of overtime to get things cleaned up. Especially aggravating / amazing was the fact that this consultant was working for a technology vendor, helping us on a major, high-profile technology implementation.
How can you trust a consultant’s tech skills when they can’t even perform the basics on their own PC?
Well, we lost the argument for a credit on their next invoice, but we did make a change to our standard MCA, adding the following sections:
[contractor] agrees that it has installed virus checking software on all computers owned by [contractor] that will be attached to [company]‘s wide area network, and that the virus tables are being updated at intervals exceeding no greater than 7 days. [contractor] also agrees that the virus checking software is run continuously to monitor the state of these computers and is additionally used to check external media. [contractor] agrees that all external media brought onto [company] premises shall be scanned for viruses by a member of [company]‘s IT staff designated by the [company], prior to installation of said media on any of [company]‘s computer equipment.
[contractor] agrees that it has installed all appropriate Microsoft software updates (also known as Critical Updates and Service Packs) on all computers owned by [contractor] that will be attached to the [company]‘s wide area network and that run any version of Microsoft Windows. [contractor] agrees that all computers brought onto [company] premises shall be checked for Critical Updates and Service Packs by a member of [company]‘s IT staff designated by the [company], prior to connection of said computer to [company]‘s wide area network.
Should a virus, worm, or security breach be deemed by [company] to be introduced to the system by [contractor], [contractor] will at its expense and [company]’s sole choice either repair the damage to any and all affected machine(s) or reload the machine(s) with the most recent valid full backup and update it with the incremental backups provided said backups are available, current and valid.
This is always good for a comment from the contractor / consultant, but these are (I feel) fairly common sense additions, and very simple to enforce.
- The easiest way to avoid any problems is to not attach your Windows PC to my network. Insist on using my PCs, my licensed copies of development / productivity tools, etc. This approach actually solves other issues, like software licensing and internet access controls.
- For an operations group with good, tight processes, it literally takes minutes to check for the latest pathes and virus signatures.
- At the very least, this focuses attention on the consulting firm’s technical abilities. How should you feel when the expensive tech expertise does not have confidence in their own controls?