We are updating the Vendor Summary portion of our Information Security Program. I have read that vendor contracts should contain a confidentiality statement pursuant to GLB (which I understand) and a contract should also include a statement of compliance with the Red Flag Rules. I take this second part to mean they should have a process in place to detect and notify us of any breach or suspected breach of systems or customer information. Am I thinking along the right lines, or should I be looking for something else?