CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:00
all right. The next element of security operations is looking at third party governance. And we're in the environment today where almost every organization outsources something, whether we have vendors help us with application development or we need to
00:20
bring in additional programmers
00:23
because of a shortage of staff, or we bring in network engineers, or we simply outsource certain services to the cloud.
00:31
All of that falls under the category of third party. And if we're going to manage our third party access predictably and well, then we need governance in place.
00:44
So we do talk about these third party providers. Really, it's anything that we're outsourcing. Whoever provides those services, that would fall under the category of a third party provider. So we want to make sure that we understand a really important principle,
01:03
and you might just jot it down. I'm gonna say this very specifically.
01:07
Though you can transfer risk,
01:10
you cannot transfer liability or responsibility.
01:15
Can you say that again? You can transfer risk,
01:21
but you cannot transfer responsibility
01:23
or liability.
01:26
Here's what I mean by that.
01:27
If I outsource something, my data, to a cloud service provider, okay, they're going to store my information,
01:34
all right, and that cloud service provider has a compromise.
01:40
I am ultimately responsible for the security of information that's under my ownership, as, you know, a controller, for instance. The cloud service provider may have violated their service level agreement, and I may have legal recourse.
01:57
But as far as the responsibility for data protection, it's still me,
02:01
right? Just because I hand off my data to someone else doesn't alleviate my responsibility. If I'm a health care provider
02:08
and I collect information on patients and I store it at a third party,
02:14
whether or not that third party has a compromise, I'm still liable for that information under HIPAA.
02:21
Now again, it doesn't mean that there's no legal recourse. But as far as HIPAA goes, or as far as laws and regulations about data protection,
02:30
I'm still ultimately liable for that. So I wanna stress now that, again, transferring the risk means through the service level agreement, the cloud service provider or the third party provider may be forced to reimburse me,
02:44
but by that time I've already been found liable for a violation, and ultimately, you know, my customers know that I have lost their data or that I've allowed it to be compromised. So we have to understand the liabilities with third parties.
03:00
Um, we have to understand who's responsible for what.
03:05
And then if we ourselves are third parties, maybe we're vendors on a project for another organization, what liabilities do we as individuals have? Am I liable for what my employees do? Maybe, you know, I have to be able to show due care and diligence.
03:23
And then what's the limit to that? Is an Internet service provider responsible for what their users do?
03:30
Do they have to turn over information on their users that have been found to be, uh, performing, you know, illegal activities through their ISP services? It gets very, very tricky. So the idea is, how do you know? You know, by due diligence,
03:49
you do your research.
03:51
You have your service level agreement, and make sure that the security requirements for your organization are documented in the SLA.
04:00
Now, when you're dealing with third parties, you're gonna have different types of procurement documents. A request for information just says, hey, we're considering doing business with you. Tell us a little bit about your company. When were you formed? Who are your principals?
04:15
What's your credit rating? That type of information,
04:18
A request for quote says, here are the services; what would you charge me for them? Or usually it's more requests for proposals for doing services: I need 10 Dell computers, what's the charge? So that kind of ties in with maybe a purchase order, right?
04:35
A request for proposal says, don't just give me a cost, give me your approach and your methodology. So I'm looking to upgrade my existing network infrastructure. I'm gonna send requests for proposals to many different vendors, and I'm going to see whose strategy is most in alignment with what our needs are.
04:56
Invitation for bid: large scale contracts. We bring in vendors, we give them information at a vendors' conference, and we ask them to bid on the project.
05:06
Now again, contracts are essential to third party governance. Two contract types that I would know: first of all, a memorandum of agreement, an MOA, memorandum of agreement. Or you could see it as MOU, memorandum of understanding.
05:25
The two are technically different, but I think they'll use them both interchangeably on the exams. A memorandum of agreement, memorandums of understanding, are ultimately documentation
05:39
that defines expected responsibilities. So, for instance, if, um,
05:46
we're in, you're in, a different department.
05:48
Or let's say I have an expectation that you'll show up even when the building operations are closed, in the event of a disaster, to restore backup tapes.
06:00
That would be documented in an MOU.
06:02
Ah, a lot of times MOUs are for internal use and MOAs are with external vendors. So I expect a particular vendor to provide gasoline in the event that we have a regional
06:18
power outage, hurricane, something like that. And these are my expectations. Okay, that's memorandum of agreement or understanding. Service level agreements: also legally binding documents that specify, again,
06:32
what the vendor's gonna guarantee to us. Usually that's in relation to service or uptime.
06:40
So you're gonna guarantee me 99.9997% availability if I host my website on your service, or if I buy your prop
06:49
So again, really the big factor in third party relationships is our contracts, our service level agreements, again, legally binding. It transfers risk. It does not transfer responsibilities.
07:06
Whatever the requirements are, I don't have any assurance other than what exists in the SLA.


CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor