CompTIA Security+ SYO-401

Certification Training

Summarize the Security Implications Tutorial

1 Summarize the Security Implications of Integrating Systems and data with Third Parties

When you plan to integrate your business data or systems with third-party vendors, you have to take precautions and follow appropriate security policies. So, let’s begin this lesson with the objectives listed in the following screen. At the end of this lesson, you will be able to:

• Identify threats from a third party
• Analyze different types of interoperability agreements
• Identify steps to deter third-party threats

2 Threats from a Third Party

In this topic, you will learn about threats from a third party. The onboarding and offboarding of business partners is a transitional period. If the business relationship is a long-term one, there can be severe security repercussions if this period is not properly addressed. It would be impractical to assume that only your company has security and IT policies in place. It would also be impractical to believe that all businesses have the same, or even remotely compatible, policies and procedures. The procedures for onboarding and offboarding should be clearly documented to ensure consistency of application and compliance with regulations or contractual obligations.

Onboarding is the process of adding new employees to the identity and access management system of an organization. In the onboarding process, one of the important documents is the interoperability agreement. The first step in onboarding a new business partner is to know their policies and whether those are relevant to you. The relevant policies will cover areas where the two companies come together to interact. Reviewing them helps you avoid conflicting policies in a business relationship. You need to be clear about who counts as a business partner. For instance, when you sign a contract with a cloud company to use a virtualized service or a cloud platform, you become a partner of that company. Well-defined procedures have to be in place for adding new people or companies into your ranks. These procedures need to define exactly what they can and cannot do, expectations, liabilities, and so on. The same kind of procedure must be used to end a partnership with people or companies.

Offboarding is the reverse of the onboarding process. It is the removal of an employee’s identity from the access management system once they leave the organization. In some scenarios, you need to offboard the employee before onboarding them. For example, when a user changes roles within the company, you offboard them from the previous role to ensure they no longer hold the rights of that role, and then onboard them into the new role. This changes their rights to those of the new department or the new role they will be serving in the company.

Now, let’s move to another component that involves third parties in your business: Social Media. Social Media helps you connect with people, but it can be a point of malware infection due to infected or malicious sites linked from its main pages. It is also a medium for social engineering attacks, or even outright data leakage. Since Social Media is easily accessible and used by millions, it is important for a policy to clearly define the types of posts that are allowed and not allowed for employees and business partners. Many companies simply do not allow social media, and this may be an option that your company may have to consider at some point. The same concept applies to any application that allows ease of communication. While using such apps, there is a chance of information leaking outside the company. The risk of using such communication apps within the company network or premises should be evaluated, and, most importantly, the types of allowed and disallowed communication should be clearly defined. Other issues with Social Media are the intentional and accidental leakage of data and material. Messages and images posted on Social Media can be viewed by competitors and other agencies. There are practices to avoid such issues, such as restrictions on searching social media sites and on accessing information about a rival or competitor company. Social Media opens a new door to espionage, fraud, and data theft.
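The offboard-then-onboard role change described above, as an added example that is not part of the original tutorial. It models a toy identity and access management record: roles, the entitlements each role grants, and an audit trail. The role names, entitlement strings and the `User` record are constructed for this demo and do not correspond to any particular IAM product. It also shows the failure mode the procedure is meant to prevent: updating the role label without revoking the old entitlements, which `residual_entitlements` detects as privilege creep.

```python
"""Offboard-then-onboard role change against a toy IAM record.

Added example, not code from the original tutorial. Role names,
entitlement strings and the User record are constructed for this demo.
"""

from dataclasses import dataclass, field

# Constructed role-to-entitlement mapping (hypothetical names).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger:read", "ledger:export", "vpn:access"},
    "hr-specialist": {"hris:read", "hris:write", "vpn:access"},
    "partner-readonly": {"portal:read"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


def justified_entitlements(user):
    """Union of the entitlements granted by the roles the user currently holds."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))


def offboard(user, role):
    """Remove a role, then revoke every entitlement it granted that no
    remaining role still justifies."""
    user.roles.discard(role)
    removed = ROLE_ENTITLEMENTS.get(role, set()) - justified_entitlements(user)
    user.entitlements -= removed
    user.audit_log.append(("offboard", role, sorted(removed)))


def onboard(user, role):
    """Grant a role and exactly the entitlements defined for it."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    user.roles.add(role)
    granted = ROLE_ENTITLEMENTS[role] - user.entitlements
    user.entitlements |= ROLE_ENTITLEMENTS[role]
    user.audit_log.append(("onboard", role, sorted(granted)))


def change_role(user, old_role, new_role):
    """The procedure the lesson describes: offboard the previous role
    first, then onboard the new one."""
    offboard(user, old_role)
    onboard(user, new_role)
    return user


def sloppy_change_role(user, old_role, new_role):
    """Common failure mode: the role label is updated but nothing is
    revoked, so entitlements of the old role survive."""
    user.roles.discard(old_role)
    onboard(user, new_role)
    return user


def residual_entitlements(user):
    """Entitlements the user holds that no current role explains.
    A non-empty result is privilege creep."""
    return user.entitlements - justified_entitlements(user)


if __name__ == "__main__":
    alice = User("alice")
    onboard(alice, "finance-analyst")
    change_role(alice, "finance-analyst", "hr-specialist")
    print("alice:", sorted(alice.entitlements), "residual:", residual_entitlements(alice))

    bob = User("bob")
    onboard(bob, "finance-analyst")
    sloppy_change_role(bob, "finance-analyst", "hr-specialist")
    print("bob residual (privilege creep):", sorted(residual_entitlements(bob)))
```

The audit log records what each step revoked and granted, which is the evidence a reviewer needs when verifying that a role change was carried out as offboard-then-onboard rather than as a label update.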

3 Interoperability Agreements

In this topic, you will learn about different interoperability agreements. We mentioned the use of interoperability agreements while discussing onboarding and offboarding third-party business partners. These are operational agreements that define the roles of each business partner. There are several types of interoperability agreements and policies, but in this topic we will cover only the critical ones: the Service Level Agreement, the Business Partners Agreement, the Memorandum of Understanding, and the Interconnection Security Agreement.

A Service Level Agreement, also known as an SLA, is a contract between a supplier and a customer. It defines the level of service to be provided by the service provider. Most SLAs include a response time for every reported issue or concern. In other words, SLAs include the maximum duration of allowed downtime and the level of response to it. Additionally, SLAs specify the level of guaranteed uptime. The higher the guaranteed uptime, the greater the cost associated with the SLA. A company’s MTTR (mean time to repair), RTO (recovery time objective), and other risk assessment values are considered while crafting an SLA. In addition to the points mentioned, the SLA is a vital document for setting expectations about minimum downtime, the acceptable level of service, the plan of recovery, and, most importantly, how quickly recovery takes place. Finally, the SLA also covers the customer’s options for compensation if the provider fails to fulfill the agreed obligations, and the customer’s penalties in the event of late payment or non-payment.

A Business Partners Agreement, or BPA, is a contract between two entities indicating their business relationship. It defines the expectations and obligations of each partner in the endeavor. A BPA should include details about the decision-making process, management style, and how business capital is to be allocated. Moreover, the level of salary, benefits, and other distributions, whether new partners can be added, dispute resolution, outside competing activities or conflicts of interest, and how to handle dissolution or death should be mentioned in the BPA.

A Memorandum of Understanding, or MOU, establishes an agreement between two parties and comprises a summary of the responsibilities between them. It is less formal than the other agreements mentioned. It is a quick-reference agreement that summarizes the responsibilities between the parties. These memorandums are simple and should be reinforced with deeper agreements once business grows between the two entities. However, it is important to note that these memorandums do not make the parties legally bound to all the listed points.

An Interconnection Security Agreement, or ISA, is an agreement between two organizations with connected network systems. If networks share any sort of connection, an interconnection security agreement is required. It documents the technical standards and requirements of the two systems, including the security needs and expectations. Interconnection Security Agreements should be detailed and should specifically define the expectations and responsibilities for maintaining security over a communications path between the two companies’ networks.
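The SLA terms discussed above (guaranteed uptime, response time, RTO, and MTTR) can be checked mechanically against a provider's incident history. The following is an added example, not code from the original tutorial: it converts a guaranteed uptime percentage into the total outage allowed per period, then evaluates a constructed set of incident records against the response-time, RTO and uptime terms. The SLA figures and the incidents are made up for the demo.

```python
"""Check a provider's incident record against SLA terms.

Added example, not from the original tutorial. SLA values and incidents
are constructed for this demo.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SLA:
    guaranteed_uptime_pct: float   # e.g. 99.9
    max_response: timedelta        # time allowed to acknowledge a report
    rto: timedelta                 # recovery time objective per outage
    period: timedelta = timedelta(days=30)


@dataclass(frozen=True)
class Incident:
    ticket: str
    reported: datetime
    acknowledged: datetime
    restored: datetime


def allowed_downtime(sla):
    """Total outage the provider may accumulate per period while still
    meeting the guaranteed uptime (99.9 % over 30 days = 43.2 minutes)."""
    return sla.period * ((100.0 - sla.guaranteed_uptime_pct) / 100.0)


def evaluate(incidents, sla):
    """Return total downtime, MTTR and a list of (ticket, finding) pairs for
    every SLA term the incidents violate."""
    findings = []
    total_down = timedelta()
    for inc in incidents:
        response = inc.acknowledged - inc.reported
        outage = inc.restored - inc.reported
        total_down += outage
        if response > sla.max_response:
            findings.append((inc.ticket, "response time exceeded"))
        if outage > sla.rto:
            findings.append((inc.ticket, "RTO exceeded"))
    if total_down > allowed_downtime(sla):
        findings.append(("period", "uptime guarantee missed"))
    mttr = total_down / len(incidents) if incidents else timedelta()
    return {"total_downtime": total_down, "mttr": mttr, "findings": findings}


# Constructed SLA: 99.9 % uptime, 30-minute response, 4-hour RTO.
SAMPLE_SLA = SLA(99.9, timedelta(minutes=30), timedelta(hours=4))

# Constructed incident log for one 30-day period.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 9, 10), datetime(2024, 3, 2, 10, 0)),
    Incident("INC-2", datetime(2024, 3, 10, 14, 0), datetime(2024, 3, 10, 14, 50), datetime(2024, 3, 10, 15, 30)),
    Incident("INC-3", datetime(2024, 3, 20, 1, 0), datetime(2024, 3, 20, 1, 5), datetime(2024, 3, 20, 6, 0)),
]

if __name__ == "__main__":
    print("allowed downtime per period:", allowed_downtime(SAMPLE_SLA))
    report = evaluate(SAMPLE_INCIDENTS, SAMPLE_SLA)
    print("total downtime:", report["total_downtime"], "MTTR:", report["mttr"])
    for ticket, finding in report["findings"]:
        print(ticket, finding)
```

The uptime check is the one customers most often overlook: three individually modest outages in the sample already exceed the 43.2 minutes that a 99.9 % guarantee allows in a month, which is why the lesson ties the SLA to MTTR and RTO rather than to response time alone.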

4 Third Party Threats

In this topic, you will learn the steps to deter third-party threats. When working with third-party businesses or individuals, you must examine the privacy considerations of that organization. For example, medical facilities and banks require an advanced level of privacy for their information and networks. It is essential to have a minimum level of privacy protection when working with other companies or parties.

Once the partnership with a third-party business or company is established, and the policies and procedures are in place, there are day-to-day operations that must be considered. One of the critical concerns in ongoing operations is risk awareness. This needs to be reviewed by the parties jointly and regularly, in a conference, a face-to-face meeting, or a recorded telephone call. Risk awareness involves evaluating assets, vulnerabilities, and threats to clearly define the risk levels that may develop on either end of the partnership. It also involves user and employee training, as well as meetings and evaluations.

One risk that should be constantly addressed is unauthorized sharing of data. Mechanisms should be devised to prevent the third party or business partner from accessing restricted data. Unauthorized data sharing is a form of data leakage. Only authorized personnel should be allowed to access the data assigned to them. There is always a threat of employees of the other business sharing data with unauthorized users, or with a business partner with whom it is not supposed to be shared. A process is required that defines how data is to be handled and how to address the situation of unauthorized data sharing. Moreover, the organization should conduct regular meetings to prevent unauthorized data sharing. To enforce data authorization, it is important to define the ownership of data. The data ownership agreements between the businesses should clearly define who is authorized to access the data and how they should access it.

Since physical data backups consume a lot of space, experts recommend the use of cloud or third-party storage for backups. Here, the third-party vendors take on the responsibility of constantly maintaining the backups. For such vendors, you can use the SLA to determine how quickly the data should be made available. The problem with such a storage solution is that you have very little or no control over who can access it from the public cloud.

There are many legal documents that are created and signed in the security industry. These policies and procedures protect your network and environment. When you are working with other companies, it is important that you follow your own policies to protect data from the liability of these businesses. Like checking security audits and logs, this is an important and mostly overlooked task. It is imperative that you regularly review the agreements, especially living agreements that change regularly, and verify compliance on both sides. This protects you and your associated third-party business.
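The data-ownership point above (who may access which data, and how unauthorized sharing is caught) can be expressed as a small register and a check run over a sharing log. The following is an added example, not code from the original tutorial: it encodes a constructed data-ownership register, denies by default for unregistered data, and flags every log entry where either the party doing the sharing or the recipient is not authorized for the asset. The organization names, asset names and log lines are all made up for the demo.

```python
"""Enforce a data-ownership register and flag unauthorized sharing.

Added example, not from the original tutorial. The register, the
organization names and the sharing log are constructed for this demo.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    name: str
    owner: str                      # organization that owns the data
    classification: str             # "public", "internal" or "restricted"
    authorized_parties: frozenset   # organizations allowed to access it


# Constructed register; in practice this mirrors the signed data-ownership agreement.
REGISTER = {
    "customer-ledger": DataAsset("customer-ledger", "acme", "restricted", frozenset({"acme"})),
    "joint-roadmap": DataAsset("joint-roadmap", "acme", "internal", frozenset({"acme", "partnerco"})),
    "press-kit": DataAsset("press-kit", "acme", "public", frozenset()),
}


def is_authorized(asset_name, party):
    """True if the party may access the asset. Unregistered data is denied
    by default; public data is open to anyone."""
    asset = REGISTER.get(asset_name)
    if asset is None:
        return False
    if asset.classification == "public":
        return True
    return party in asset.authorized_parties


def unauthorized_shares(log):
    """Return (timestamp, asset, reason) for each log entry where the actor
    is not authorized for the asset, or the recipient is not."""
    flagged = []
    for timestamp, actor, asset, recipient in log:
        if not is_authorized(asset, actor):
            flagged.append((timestamp, asset, f"actor {actor} not authorized"))
        elif not is_authorized(asset, recipient):
            flagged.append((timestamp, asset, f"recipient {recipient} not authorized"))
    return flagged


# Constructed sharing log: (timestamp, actor org, asset, recipient org).
SAMPLE_LOG = [
    ("2024-03-01T09:12:00Z", "acme", "joint-roadmap", "partnerco"),
    ("2024-03-01T09:40:00Z", "partnerco", "customer-ledger", "partnerco"),
    ("2024-03-02T11:05:00Z", "acme", "customer-ledger", "otherco"),
    ("2024-03-02T12:00:00Z", "acme", "press-kit", "otherco"),
    ("2024-03-03T08:30:00Z", "partnerco", "joint-roadmap", "otherco"),
]

if __name__ == "__main__":
    for timestamp, asset, reason in unauthorized_shares(SAMPLE_LOG):
        print(timestamp, asset, reason)
```

Checking the actor as well as the recipient matters: the fifth log line is a partner re-sharing data it was legitimately given to a third organization the agreement never named, which is exactly the onward-sharing the lesson warns about.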

6 Summary

• Onboarding is the process of adding new employees to the identity and access management system of an organization.
• Offboarding is the process of removing an employee’s identity from the access management system once they leave the organization.
• Social Media can be a point of malware infection due to infected or malicious sites attached to its main pages.
• Service Level Agreement, Business Partners Agreement, Memorandum of Understanding, and Interconnection Security Agreement are different types of Interoperability Agreements.
• It is vital for two or more associated parties to regularly review risk awareness.

With this, we conclude the lesson, ‘Summarize the Security Implications of Integrating Systems and Data with Third Parties.’ The next lesson is, ‘Implement Appropriate Risk-mitigation Strategies.’
