Third-Party Governance

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course
Time
8 hours 25 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Let's take a little bit of
00:00
a look at third-party governance.
00:00
When we're talking about third-party governance,
00:00
we're looking to outsource work.
00:00
We're hiring vendors, contractors, subcontractors.
00:00
We need a structure in place
00:00
>> so that we can appropriately
00:00
>> manage risks that go
00:00
along with these third-party providers.
00:00
Sometimes people will mistakenly think,
00:00
I've gotten rid of my risk I've outsourced it.
00:00
I don't have to worry about that anymore.
00:00
Those of us that have been around for a while,
00:00
know that's laughable because sometimes you
00:00
introduce new risk by handing
00:00
off the work that used to be underneath
00:00
your direct management to a third party.
00:00
We don't in any way consider ourselves free of risk.
00:00
We certainly haven't done risk avoidance.
00:00
What we've done is risk transference.
00:00
We're not even 100 percent guaranteed
00:00
that we've done risk transference,
00:00
but that's the idea.
00:00
When we talk about risk transference,
00:00
we're talking about sharing the
00:00
potential for loss with a third party.
00:00
We only get that guarantee
00:00
that they'll share in the loss with us if there's
00:00
a breach through a service level agreement
00:00
which we'll look at.
00:00
Now, service level agreement is a portion of
00:00
the contract or could be
00:00
a separate contract that is legally binding.
00:00
The focus, if we're going to frame this
00:00
in the context of the IT environment.
00:00
If you think about outsourcing
00:00
software program development,
00:00
or outsourcing the storage
00:00
of data to a Cloud service provider.
00:00
That service level agreement is going to commit and
00:00
give us a certain degree of uptime guarantee,
00:00
a certain level of security,
00:00
certain guarantee that they
00:00
follow a set of processes and procedures.
00:00
But we need to make sure
00:00
the third-party governance aspect of our organization
00:00
makes sure that the needs of
00:00
the organization are satisfied
00:00
through the service level agreement.
00:00
That's really all we can count on.
00:00
Honestly, service level agreement
00:00
is just a commitment, It's a promise.
00:00
We want to make sure that we have
00:00
some means of having third-party assurance that
00:00
the provider is keeping to
00:00
the letter in the terms of
00:00
their service level agreements.
00:00
In this portion, the SLA is where
00:00
fiduciary transference of risk happens,
00:00
meaning where there is the guarantee that we will have
00:00
some financial compensation based
00:00
on the degree to which
00:00
the provider fails to meet their service level agreement.
00:00
That's one of the things and I would stress to
00:00
you from a test-taking perspective,
00:00
responsibility is ours to make sure that
00:00
the provider service level agreement meets our needs.
00:00
We can anticipate the service provider offering
00:00
any additional protections other
00:00
than what's specified in the SLA.
00:00
Part of third-party governance is
00:00
to make sure that our contracts,
00:00
anything that we enter into, any agreement,
00:00
that we enter into in
00:00
a legally binding manner has to make sure
00:00
that it's in conjunction
00:00
with our organizational responsibilities
00:00
and requirements.
00:00
Now, so many things today are being outsourced.
00:00
Everything's being outsourced.
00:00
I talked about or we'll talk about in
00:00
a few minutes using cloud service providers.
00:00
You've probably heard of software as
00:00
a service or some of the others.
00:00
Quite honestly, just about everything
00:00
is provided as a service today,
00:00
there's Business Continuity as a Service,
00:00
Incident Management as a Service,
00:00
Identity Management as a Service,
00:00
all these different types of services that are provided.
00:00
For those of you may be that have heard ITIL,
00:00
ITIL is all about
00:00
IT service management and provides a set of
00:00
standards and guidelines on
00:00
how service management should be handled.
00:00
Now, on the slide,
00:00
nothing particularly testable here,
00:00
but the idea is when we talk
00:00
about this as a service element,
00:00
we're taking work that we used to do
00:00
in-house and we're outsourcing to a third party.
00:00
Again, the governing entities that handle
00:00
our third-party governance need to make
00:00
sure that what we're doing
00:00
meets our own internal requirements.
00:00
We can never count on the vendor to cater what
00:00
they do to us so we
00:00
find a vendor that already
00:00
meets our requirements or is willing to cater to us.
00:00
But we don't expect that to happen without negotiations,
00:00
without a legal commitment.
Up Next