CRISC

Course
Time: 6 hours 30 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription

00:01
Having just talked about emerging risks, well, third-party risks are very relevant as well. And more and more, we're outsourcing. What used to be internal services,
00:12
we're outsourcing out to service providers. You know, specifically, if you think about the cloud and how much of our software, our infrastructure, our business continuity, disaster recovery services are being turned over to somewhere else. So, of course, in that case, we gotta focus. We have to think about
00:30
third party management, third party governance.
00:34
And
00:35
if I was going to sum up this section in a sentence, you have to have a service level agreement,
00:42
period.
00:43
Hey, so the point I want to make with that is you're only guaranteed what you're guaranteed. And with a cloud service provider, what you're guaranteed is documented in a service level agreement. In other elements, it may be managed by contract or, you know, maybe also a service level agreement. But the idea is
01:03
we can't take for granted.
01:04
what our service providers are gonna guarantee us.
01:08
Well, it just stands to reason that they would
01:11
Nope, it doesn't.
01:12
Well, of course they're going to do, you know,
01:15
Not necessarily. Always go back to the SLA, to your contracts, and that's really where you have the assurance of what the provider's gonna provide. Now, when I say assurance, there's nothing that's 100%, right? So I can have a service. Awful provider promised me the moon,
01:34
and many providers will do that. It's all about sales. It's all about the dollars.
01:38
So in addition to having a good service level agreement, I often also have to make sure that that service level agreement is monitored, um, by an external third party. I also have to make sure that our internal third party governance division has evaluated the contract
01:56
versus the needs of our organization.
01:59
And then we'd look at audit to say, yes, this service provider meets their service level agreements, and they're considered and were considered to have a high degree of assurance. Now, again, we think about this with cloud services particularly,
02:15
but we also know that's relevant to any third-party services that we would be using.

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor