Hey, Cybrary friends! Welcome to the HCISPP certification course with Cybrary: Third-Party Connectivity.
My name is Schlaine Hutchins, and I'll be your instructor for this course.
Today we have a short video on trust models for third-party interconnections,
technology standards and connection agreements.
As we discussed in a previous module around third parties, what the definition of a third party is, and we talked a little bit about what needs to go into those agreements. We're going to go a little bit deeper in this module.
Data sharing between the primary entity and the third parties must be done in accordance with applicable laws and regulations, as well as the terms of contracts and data sharing agreements.
A key responsibility of the primary entity is to enforce minimum necessary controls, or least privilege, when determining the amount and type of data that needs to be used by the vendor to carry out its contractual responsibilities.
Does the vendor actually need data that can be tied back to an individual,
or will de-identified data be sufficient?
If the vendor's employees will be accessing the primary entity's systems,
it's important to make sure that the vendor is aware of the entity's policies and procedures.
Processes will need to be in place to onboard and/or terminate vendor employees' access to the primary entity's systems as they join, leave or change jobs at the vendor.
When data must be transferred from one entity to another,
it's important to consider the safeguards that need to be in place to ensure its protection.
Encryption is a key consideration when data is sent over the public network.
Primary entities and third-party vendors must understand applicable laws and what offers them safe harbor in the event of a security incident.
The way a vendor will use and store information is critical to understanding the risk to the information.
For example, will data be encrypted at rest?
Will vendor employees be allowed to use their own PCs or technology to access information?
Does the vendor have a BYOD policy?
Additionally, a discussion around data sharing must include discussion of data destruction or return when the relationship between a primary entity and a third party ends or the agreement is terminated.
Not only should those terms be spelled out in contracts and agreements, but the primary entity should ensure the termination actions are carried out.
The primary entity should expect the following controls from a vendor.
Some examples of physical controls include things such as: visitors must be escorted at all times in sensitive areas of an office.
Data centers must have strict physical access entry procedures.
Sensitive areas must be monitored, for example, by cameras or security guards.
Data centers must have appropriate environmental controls, such as fire suppression and protection and uninterruptible power supplies.
Technical controls should include things such as: users must only receive access for which they are authorized and which is required
to perform their job functions.
Password standards must be in place.
Laptops and other mobile devices must be adequately protected in the event they are lost or stolen,
such as with encryption or remote device wipe capabilities.
Termination procedures must be followed to remove access in a timely manner when the user changes jobs or no longer works for the vendor.
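The onboarding, job-change and termination processes above are usually checked by reconciling the vendor's staff roster against the accounts the vendor holds on the primary entity's systems. The script below is an added illustration, not part of the course; the roster, account export, role names and entitlement map are all constructed for the example.

```python
"""Reconcile a vendor's staff roster against vendor accounts on the primary entity's systems.

Flags the access-management failures the lecture describes: access left in place
after a vendor employee leaves, entitlements beyond what the role needs (least
privilege after a job change), and accounts with no roster entry at all.
All data below is constructed for illustration.
"""
from datetime import date, timedelta

# Hypothetical role-to-entitlement map agreed with the vendor (minimum necessary).
ROLE_ENTITLEMENTS = {
    "dispatcher": {"ride_schedule_read"},
    "billing": {"ride_schedule_read", "claims_submit"},
}

# Constructed vendor roster as reported by the vendor (status per employee).
ROSTER = {
    "jdoe": {"role": "dispatcher", "status": "active", "end": None},
    "asmith": {"role": "billing", "status": "terminated", "end": date(2020, 1, 10)},
    "bkim": {"role": "dispatcher", "status": "terminated", "end": date(2020, 2, 20)},
}

# Constructed export of vendor accounts on the primary entity's portal.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "entitlements": {"ride_schedule_read", "claims_submit"}},
    {"user": "asmith", "enabled": True, "entitlements": {"claims_submit"}},
    {"user": "bkim", "enabled": True, "entitlements": {"ride_schedule_read"}},
    {"user": "ghost", "enabled": True, "entitlements": {"ride_schedule_read"}},
]

AS_OF = date(2020, 2, 21)  # constructed review date


def reconcile(accounts, roster, today, grace_days=1):
    """Return a list of (user, finding) tuples for accounts that need action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        entry = roster.get(user)
        if entry is None:
            findings.append((user, "no roster entry: orphaned account"))
            continue
        if entry["status"] == "terminated" and acct["enabled"]:
            # "Timely" removal: anything past the agreed grace period is overdue.
            overdue = today - entry["end"] > timedelta(days=grace_days)
            findings.append((user, "terminated but still enabled" + (" (overdue)" if overdue else "")))
            continue
        excess = acct["entitlements"] - ROLE_ENTITLEMENTS.get(entry["role"], set())
        if excess:
            findings.append((user, f"entitlements beyond role: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(ACCOUNTS, ROSTER, AS_OF):
        print(f"{user}: {finding}")
```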
As an example, most recently it was reported in February of 2020 that Health Share of Oregon, the state's largest Medicaid coordinated care organization, exposed the records of 654,000 patients due to a laptop being stolen from its transportation vendor.
The vendor was contracted to conduct non-emergent medical transportation services.
In November of the previous year, a break-in and theft occurred at the vendor's offices. The laptop contained members' names, contact information, dates of birth and medical ID numbers.
The purpose of a connection agreement is to establish how connectivity will occur to and from the primary entity with the third party.
It helps to identify how data will flow and how it will be secured along the flow path.
The agreements may include diagrams to show the data flow.
Now let's test your knowledge.
What would be an appropriate control for sending data over the public Internet to a vendor?
You guessed it: encryption.
Technical standards to be included in a vendor agreement would include network connectivity
and physical and technical controls.
That answer is true.
Connection agreements should include information for how the data will flow and how the data will be
secured. Correct. Awesome job.
So today we discussed trust models,
technical standards and connection agreements for third-party connectivity.
Coming up next will be the regulatory and standards environments.