Third Party Connectivity
Video Transcription
Hey there Cybrary friends. Welcome to the HCISPP certification course with Cybrary, third-party connectivity. My name is Schlaine Hutchins and I'll be your instructor for this course. Today we have a short video on trust models for third-party interconnections, technology standards, and connection agreements.

In a previous module on third parties, we discussed what the definition of a third party is, and we talked a little bit about what needs to go into those agreements. We're going to go a little bit deeper in this module.

Data-sharing between the primary entity and the third parties must be done in accordance with applicable laws and regulations, as well as the terms of contracts and data-sharing agreements. A key responsibility of the primary entity is to enforce minimum necessary controls, or least privilege, when determining the amount and type of data that needs to be used by the vendor to carry out its contractual responsibilities. For example, does the vendor actually need data that can be tied back to an individual, or will de-identified data be sufficient?

If the vendor's employees will be accessing the primary entity's systems, it's important to make sure that the vendor is aware of the entity's policies and procedures. Processes will need to be in place to onboard and/or terminate vendor employee access to the primary entity's systems as they join, leave, or change jobs at the vendor.

When data must be transferred from one entity to another, it's important to consider the safeguards that need to be in place to ensure its protection. For example, encryption is a key consideration when data is sent over the public network. Primary entities and third-party vendors must understand applicable laws and what offers them safe harbor in the event of a security incident.

The way a vendor will use and store information is critical to understanding the risk to the information. For example, will data be encrypted at rest? Will vendor employees be allowed to use their own PCs or technology to access information? Does the vendor have a BYOD policy?

Additionally, a discussion around data sharing must include discussion of data destruction or return when the relationship between a primary entity and a third party ends or the agreement is terminated. Not only should those terms be spelled out in contracts and agreements, but the primary entity should ensure the termination actions are carried out.

The primary entity should expect the following controls from a vendor. Some examples of physical controls include things such as: visitors must be escorted at all times in sensitive areas of an office or facility. Datacenters must have strict physical access entry procedures. Sensitive areas must be monitored, for example, by cameras or security guards. Datacenters must have appropriate environmental controls, such as fire suppression and protection and alternate power supplies.

Logical controls should include things such as: users must only receive access for which they are authorized and which is required to perform their job functions. Password standards must be in place. Laptops and other mobile devices must be adequately protected in the event they are lost or stolen, such as with encryption or remote device wipe capabilities. Termination procedures must be followed to remove access in a timely manner when a user changes jobs or no longer works for the vendor.

As an example, most recently it was reported in February of 2020 that Health Share of Oregon, the state's largest Medicaid coordinated care organization, exposed the records of 654,000 patients due to a laptop being stolen from its transportation vendor. The vendor was contracted to conduct non-emergent medical transportation services. In November of the previous year, a break-in and theft occurred at the vendor's offices. The laptop contained members' names, contact information, dates of birth, and medical ID numbers.

The purpose of a connection agreement is to establish how connectivity will occur to and from the primary entity with the third party. It helps to identify how data will flow and how it will be secured along the flow path. The agreements may include diagrams to show the data flow.

Now let's test your knowledge. What would be an appropriate control for sending data over the public Internet to a vendor? You guessed it, encryption. True or false: technical standards to be included in a vendor agreement would include network connectivity, physical, and technical controls. That answer is true. One more: connection agreements should include information for how the data will flow and how the data will be secured. Correct.

Awesome job. Today we discussed trust models, technical standards, and connection agreements for third-party connectivity. Coming up next will be the regulatory and standards environments. See you soon.