Ethics, Governance & Vendor Contract Management
Key Takeaways
- The ASIS International Code of Ethics obligates certified professionals to perform duties with honesty, diligence, and safeguarding of confidential information.
- Bid evaluation should use a weighted scoring methodology established before proposals are received so vendor selection is not driven solely by lowest price.
- An indemnification clause requires a vendor to compensate the client for losses caused by the vendor's negligence or breach of contract.
- A liability insurance requirement, evidenced by a certificate of insurance naming the client as additional insured, ensures the vendor can financially cover claims.
- Contract monitoring requires ongoing tracking of SLA performance, vendor business reviews, and invoice reconciliation, not a sign-and-forget approach.
Two Halves of One Section
Domain 2, Task 5 (governance and ethics) and Task 6 (contract management) are clustered into a single CPP study-guide section because both concern the standards by which a security program conducts business with integrity -- internally through ethical conduct, and externally through disciplined vendor relationships.
Governance Standards and Ethical Behavior
Corporate governance is the system of rules, practices, and processes by which an organization is directed and controlled, balancing the interests of stakeholders including shareholders, employees, customers, and regulators. Security leaders participate in governance by ensuring the security function operates within -- and helps enforce -- the organization's control environment, rather than positioning security as exempt from the rules it enforces on others.
Individual and corporate ethical behavior in security management is guided by generally accepted ethical principles: honesty, objectivity, confidentiality, competence, and avoidance of conflicts of interest. The ASIS International Code of Ethics codifies these expectations for certified professionals, obligating members to:
- Perform duties with honesty, diligence, and responsibility.
- Observe the precepts of truthfulness, accuracy, and prudence, without deception.
- Be faithful and diligent in discharging professional responsibilities.
- Be exemplary in obeying the law and following ethical standards of the profession.
- Safeguard confidential information and disclose it only as legally and ethically required.
A CPP is expected to protect confidential information -- proprietary business data, investigation findings, personnel records -- even where no specific law mandates it, because the ethical duty of confidentiality extends beyond the legal minimum.
Conflicts of Interest and Gifts
Governance standards also require security professionals to disclose, not merely avoid, situations where personal interest could improperly influence a business decision -- for example, a director evaluating a guard-service RFP whose family member holds a financial stake in one of the bidding vendors. Generally accepted ethical practice requires disclosing the relationship to a supervisor or compliance officer and recusing from the decision rather than relying on personal judgment to stay unbiased. Similarly, accepting gifts, hospitality, or favors from current or prospective vendors above an organization's stated threshold creates the appearance of impropriety even absent an actual quid pro quo, and most corporate codes of conduct require such gifts to be declined, reported, or aggregated to the organization rather than kept personally.
Compliance
Compliance is the function that ensures the organization adheres to applicable laws, regulations, industry standards, and internal policy. Security intersects with compliance in areas such as data protection (privacy law), anti-corruption (e.g., anti-bribery statutes affecting security vendors operating internationally), workplace safety, and licensing requirements for the security industry itself (guard licensing, firearms permits). A CPP-credentialed manager should recognize when a security decision requires compliance sign-off -- for example, before implementing biometric access control, before conducting covert workplace surveillance, or before contracting with a vendor in a jurisdiction with heightened anti-corruption exposure.
Request for Proposal (RFP) and Bid Evaluation
Task 6 shifts to the contract lifecycle, beginning with sourcing a vendor. An RFP formally solicits competitive bids for a defined scope of work -- a guard-service contract, a video-management-system integration -- and should specify scope, evaluation criteria, timeline, and required qualifications so that bids are comparable. Bid evaluation should use a weighted scoring methodology established before bids are received (e.g., price 30%, technical capability 30%, past performance/references 25%, financial stability 15%) so that vendor selection is defensible and not driven solely by lowest price -- a security program that always awards to the cheapest bidder frequently pays for it later in service failures.
Service Level Agreements (SLAs)
Once a vendor is selected, the SLA defines the measurable performance standards the vendor is contractually obligated to meet -- response times, uptime percentages, staffing fill rates, reporting turnaround -- along with the remedies (service credits, penalties, termination rights) that apply if those standards are missed.
| Contract Element | Purpose |
|---|---|
| Scope of work | Defines exactly what services/deliverables are included |
| SLA metrics | Measurable performance thresholds and remedies for shortfalls |
| Indemnification clause | Vendor compensates client for losses from vendor negligence/breach |
| Liability insurance requirement | Ensures vendor can financially cover claims (client is often named as additional insured) |
| Termination clause | Conditions under which either party may end the agreement |
Contract Law Fundamentals
CPP candidates should recognize, though not draft, core contract-law concepts: a valid contract requires offer, acceptance, and consideration; an indemnification clause shifts financial responsibility for certain losses from one party to the other, most commonly requiring the vendor to indemnify the client for losses caused by the vendor's negligence; and a liability insurance requirement, commonly evidenced by a certificate of insurance naming the client as an additional insured, ensures the vendor has the financial capacity to make good on that indemnification obligation rather than merely promising to.
Contract Monitoring
Signing the contract is not the end of the security manager's responsibility. Contract monitoring requires ongoing tracking of SLA performance against contracted metrics, regular vendor business reviews, invoice reconciliation against contracted rates, and documented escalation when performance slips -- the same discipline applied to internal KPI tracking. A contract that is filed away and never revisited provides no real protection regardless of how well it was negotiated; the exam consistently favors answers that describe active, ongoing contract governance over a sign-and-forget approach.
The ASIS International Code of Ethics obligates certified professionals to which of the following?
A contract clause requiring the security-guard vendor to compensate the client for losses arising from the vendor's negligence is known as a(n):