In this Security Implications of Integrating Systems and Third Party Organizations lesson you'll learn strategies for managing risk when external entities become part of your internal business operations. We begin by introducing onboarding for new employees as well as business partners and vendors, the concerns that arise from using social media, the various types of service delivery and support agreements there are, and more.

Transcript

Summarizing the security implications of integrating systems and data with third party organizations. The first item we'll talk about is on-boarding and off-boarding business partners. For on-boarding, whenever you introduce new people, new contractors, new personnel into your business environment, you're introducing new risk. There are security concerns you should have. On-boarding has to do with bringing new employees or business partners up to speed on the security protocols and objectives within your organization. You have to allow them time to understand the security practices within your organization. That is the on-boarding: as you're bringing them on board, you introduce them to your policies. Introduce the personnel, introduce the staff, introduce your business partners to your policies so that everybody is on the same page. Off-boarding is when you're letting staff go or you're ending business partnerships with other organizations. Off-boarding ensures that employees or partners leaving the organization and the business do not pose a security threat or risk to the organization. They should go through exit interviews, and we should ensure that we have knowledge of all responsibilities they had and all access they had, such that some of this access we could disable. You don't want people that have left the organization, or that no longer have any business relationship with it, to still have access to your network environment.

Social media networks and applications: we need to be very careful in this day and age. There is a lot of dependence on social media: Facebook, Twitter and some other ones like that. We have to be very careful how much information, or the nature of the information, we let out on some of these pages. Information going out to these media has to be properly reviewed to ensure that it actually means what it is intended to mean. It is possible that individuals are trying to say something but end up typing something else. We also have to be careful so that sensitive or personally identifiable data or private information is not disclosed through some of these media. Also, the applications that we have these days. We have a lot of apps that are used for access from organizations. A lot of organizations create their own apps. We have to be careful how much information is captured by these apps, what information could be disclosed about the organization as well, and what these apps have access to on the media on which they are installed. All of these pose a security responsibility for the organization, so we must look into them in more detail to ensure that there is no breach of confidentiality, or even integrity and availability, of information through the use of these media and these apps.

Interoperability agreements: these are agreements that are put in place to spell out the terms of agreement between different entities working towards a mutual goal. Two or more entities working towards a mutual goal have to come up with these interoperability agreements such that they have a common understanding of what the goals will be, or what the goals are, so that no one organization is working counter to the other organizations that are in the agreement.

The service level agreement is an agreement or understanding between two entities. This could be internal to an organization or external to an organization. Organization A is providing organization B a service. Both have to sit down to agree on the level of service to be delivered. What is expected? How often is it expected, and what is the baseline? So that if something is lacking, organization B, who is receiving the service, knows how to better respond to or correct organization A, who is providing the service. So between these two organizations there has to be a service level agreement. Service level agreements could also be formed within an organization itself. It could be between departments, such that between two departments we know the level of service that is required and the level of service that has been agreed, so that we can keep a benchmark as to whether the service is dropping or whether we are meeting the service agreement.

Business partner agreements have to be formed within organizations such that multiple organizations that are working towards a common goal understand the agreements that are between them or that serve these goals. The business partner agreements describe how business will be conducted amongst the partners. We have general agreements, limited agreements, business agreements, limited liability agreements and joint partnership agreements. All these agreements have to be arrived at. They have to be carefully spelt out so that every entity understands their responsibilities.

The memorandum of agreement relates the terms of cooperation between two organizations wishing to seek a common goal. They have to come up with what we call the memorandum of agreement. In this agreement they spell out their individual responsibilities. They spell out their area of authority, their jurisdictions and their responsibilities towards the achievement of the common goal between the two organizations. These have to cover things like their security policies, their procedures, their practices and their standards, so that every entity understands carefully their responsibilities towards the common goal.

The interconnection security agreement details how the systems of two organizations will securely connect and share information in a secure fashion. We want to have two organizations explain to each other that these methods, these protocols or these services are required for our systems to directly connect to your own systems, so that we can effectively, securely and confidently share information without a data breach or confidentiality, integrity or availability disappointments. Organizations have to sit together and agree on the terms, the protocols and the network architecture, so that data can be securely shared amongst both organizations without any compromise to the security goals.