An information security colleague of mine wrote this: “Information security is such an important part of contracting for a technical solution and, when it comes to getting the programming or software-as-a-service security a client wants, asking for “reasonable care” on its own doesn’t cut it. That just leads to arguments when things go wrong, as they often do. Someone in the contracting process needs to understand and articulate auditable security requirements specific to the application and/or hosting.”