Security+: Risks Related to Third Parties (SY0-401)
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Introduction
The main purpose of this article is to help you to learn more information on security aspects of data and system integration of third parties, which is a small but significant part of the Compliance and Operational Security domain of the CompTIA Security+ exam.
A third party is any entity not directly involved in business dealings between two primary parties. An illustration of a third party is an application developer hired by a website to modify some or all applications on the website. The two primary parties are the website and each customer that visits it. Since the website operates with customer data, privacy implication may arise from interactions with questionable third-party providers.
There is also a small practice exam quiz at the end of this writing. You can find the answers right after the reference list.
What do You need to Know About On-boarding/Off-boarding Business Partners?
There are privacy and security considerations every time an organization’s systems need to integrate with those of a third party. This third party should have security controls and privacy protection that exceed or at least meet the organization’s minimum standards.
An organization can expand its business through various means, such as partnerships, mergers, and acquisitions. Each of these options is to be preceded by an onboarding process, which represents the initial phase of forming a new business relationship with a third party by allowing it to become intrinsically linked to your organization’s structure.
Overall, onboarding procedures aim at establishing:
- communication standards
- communication protocols
- data formats
- file transfer procedures
- data mapping
- testing
- multilingual support
The diametric opposite of onboarding is off-boarding – a procedure that handles the proper ending of collaborative projects between business parties. Off-boarding should take into account the interests of both the organization and the party that is about to exit. Important aspects related to this process are:
- protecting the physical and digital integrity of an organization’s assets /, e.g., automatically restrict access once a contract expires
- changing settings and technical controls
- termination of contractual obligations
- compliance assurance
- retrieval of valuable knowledge /, e.g., proprietary data, know-how, source codes, etc.
The onboarding and off-boarding are two similar periods of time between business parties also known as “transitioning” in CompTIA parlance. To ensure regulatory compliance, onboarding and offboarding procedures need to be documented.
What Privacy Consideration Need to be Taken into Account when Integrating with Third Parties?
Although every business should pay heed to privacy, doing so is much more important in some areas of business, for example, providing medical care or dealing with any personal data. In essence, an organization should undertake privacy impact assessment before forming a partnership with third parties, because in almost every business relationship there is an exchange of data between partners. So, review all privacy policies of third-party websites if you plan to allow them to access your website.
Visualizations of information flows with respect to interconnected systems, or partner access will pinpoint privacy vulnerabilities. It is advisable for the company to examine the level of adherence to privacy principles and regulations, as well as check whether compliance requirements are met. Every further evaluation of privacy risks should include partners’ assets: websites, social network profiles, sharing platforms, etc. Another reason for privacy concerns is data collection performed by third-party applications, a fact that should prompt company lawyers, legal advisors, or other decision makers to scrutinize the end-user license agreements /EULA/ of these apps.
What Interoperability Agreements do You need to Know for the CompTIA Security+ Exam?
(SLA, BPA, MOU, ISA)
Interoperability agreements define how parties will work together, their rights and obligations, and what the minimum requirements and expectations are. There are several documents that one can use to ensure safe interoperability:
A non-disclosure agreement (NDA) is a written contract that obliges third parties to not share proprietary data with other companies or even departments.
A memorandum of understanding (MoU) indicates convergence of will between the contracting parties. It also indicates an intent for a common line of action. The MoU is often applied in the information industry. It summarizes the responsibilities of the two parties – for instance, one of them is to be responsible for creating a database, whereas the other is to be responsible for the maintenance of the database server.
The MoU is less formal than an NDA and usually does not impose stringent privacy or data protection requirements on parties. It appears that the MoU is a formal alternative to a gentlemen’s agreement as it is used in situations where the parties do not necessarily imply a legal commitment or them for same reason cannot create a legally enforceable agreement.
A Service Level Agreement (SLA) defines the formal specifications of a service contract, in which one party is the customer, and the other one is the service provider. The SLA focuses on matters directly concerned with the level of service to be provided. An example of that in the context of a company that provides technical support would be clauses that determine the response time in the event of an accident (e.g., a technician will be on site within 3 hours) and the type of response (e.g., repair or replacement of damaged parts).
An Interconnection Security Agreements (ISA) is a standard type of agreement for organizations that share connected systems, and it specifies the technical details of the interconnected systems. An ISA sets out important technical, security, and privacy measures about the planning, initiating, maintaining, and discontinuing a business connection between two or more entities. This agreement safeguards the rights of the contracting parties. It is, therefore, important to have it signed well in advance. An ISA must describe in detail the rights and duties of each party.
Blanket Purchase Order (BPO). It is usually applicable to government affairs as it seals the deal between a government agency and a private organization for ongoing purchases of services or goods. Consequently, this kind of contract is used as a simplified formal procedure for easy repeat purchasing between government agencies and vendors/private contractors.
What Risks are involved in Integrating with 3rd Party Services?
Each organization must carefully examine and select its business partners. Other duties that ensue as a result of this process is drafting and reviewing contracts, as well as overseeing their execution. Failure to manage all risks associated with third parties may result in financial loss, adverse regulatory action, litigation, and reputation damage; in fact, it may even impede organizations from establishing useful business ties with other organizations in the future.
Relationships with other business parties usually are part of an organization’s risk assessment. The success of each organization is built upon the foundations laid by good business relations between different entities, i.e. participants in the market.
Companies often fail to take into account risks associated with third-party relationships. Third party risks may vary very much, from something an organization might be familiar with to unexpected privacy risks. Before any third-party interactions to take place, an organization needs to consider all foreseeable legal, compliance, and reputation risks that may ensue. Showing due diligence during this process is recommended. Moreover, a thorough risk assessment can help organizations create adequate third-party policies and procedures in line with the overall business strategy. Hence, screening potential business partners is a conditio sine qua non, but it should be backed up by continuous monitoring throughout the entire duration of their relationship /See the figure “On-boarding / Off-boarding Process”/.
One must not ignore the fact there are a number of risks that can come along with the benefits of signing interoperability agreements with third parties. Upon placing its signature in a document, for instance, one must make sure that he is signing the right document and there are no hidden or unconsidered terms and conditions that may endanger this or other business relationships, and even his entire business.
Data Ownership, Data Backups, & Unauthorized Data Sharing
When it comes to dealing with third parties and data, and there is more than one person involved, some important questions may pop up:
Who owns the data? Is there more than one owner? What part of the data is owned?
Therefore, it is critical to be clearly delineated the matter of data ownership at the very beginning of any business relationship. When data set belongs to a given party, the party in question should take necessary measures to ensure that the data remains in its ownership through various means, such as patents and trademarks.
Looking for info on security+ certification training? Fill out the form below to receive InfoSec Institute's course pricing/details.
Other important aspects that are somehow related to data ownership concern the place and the means of data storage, data ownership, and the destruction of data when the relationship is over. Data is usually preserved on storage devices, and many of these are not so reliable. Therefore, all the important data should be backed up.
Unauthorized data sharing expose organizations to external attacks. Such data can easily be stolen or be used for blackmailing. Third parties should access only data that is related to their business function. An organization must ensure that there are proper data controls that prevent third parties from acquiring access to sensitive information, especially such not related to their primary business function.
Data can be shared with entities outside the organization, provided that there is an agreement in place with the data owners. Facebook is a good example of such practices because the social media giant claimed in March 2017 that it would crack down on third-party surveillance of social data.
If there are no legal restraints, terms of service or privacy policies may allow for sharing data without explicit authorization by end users. Sometimes information is being shared accidentally.
Verifying Compliance and Performance Standards
All documents in the realm of interoperability agreements are subject to verification. Although these documents represent standards on which the parties have reached an agreement, they still need to undergo periodical verification of compliance and performance standards. A detailed review of procedures, an audit, or vulnerability scan/penetration test can achieve this goal. The two parties will decide which method is most appropriate.
Parties must adhere to agreed rights and obligations, compliance requirements, and performance standards pertinent to the agreement. Certain businesses have legally mandated specific requirements, such as those of medical caretakers and other entities that fall within the scope of the laws or standards enumerated below /non-exhaustive list/:
- HIPAA - Health Insurance Portability and Accountability Act
- PCI DSS - Payment Card Industry Data Security Standard
- FISMA - Federal Information Security Management Act
Nevertheless, a business that deals with personal data should always take good care of the security of that data, regardless of the field in which that business operates. On this matter, when two different companies are interoperating, they should ensure that both of them satisfy a minimum level of privacy protection requirements.
Reference List
Barrett, D. (2011). CompTIA Security+ SY0-301 Practice Questions Exam Cram. Available at https://books.google.bg/books?id=dVEquQAACAAJ&redir_esc=y (17/03/2017)
Darril. Third-Party Agreements. Available at http://blogs.getcertifiedgetahead.com/third-party-nda/ (17/03/2017)
Dubrawsky, Ido (2009). CompTIA Security+ Certification Study Guide Exam SYO-201 3E. (17/03/2017)
Dulaney, E. (2010). CompTIA Security+Study Guide: Exam SY0-201. Available at https://books.google.bg/books/about/CompTIA_Security+Study_Guide.html?id=0--CmGf92DwC&redir_esc=y (17/03/2017)
Dulaney, E. & Easttom, C. (2014). CompTIA Security+ Study Guide. Available at https://books.google.bg/books/about/CompTIA_Security+_Study_Guide.html?id=JpM6AwAAQBAJ&redir_esc=y (17/03/2017)
Examcollection.com. Security implications of integrating systems and data with third parties. Available at https://www.examcollection.com/certification-training/security-plus-security-implications-of-integrating-systems-data.html (17/03/2017)
Gibson, D. (2011). CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide. Available at https://books.google.bg/books/about/CompTIA_Security+_Get_Certified_Get_Ahea.html?id=2zSupwAACAAJ&redir_esc=y (17/03/2017)
Hausman, K., Barrett, D., Weiss, M. (2014). CompTIA Security+ SY0-401 Exam Cram. Available at https://books.google.ru/books?id=A0MFCAAAQBAJ (17/03/2017)
Messer (2014). Data Ownership and Unauthorized Data Sharing – CompTIA Security+ SY0-401: 2.2. http://www.professormesser.com/security-plus/sy0-401/data-ownership-and-unauthorized-data-sharing/ (17/03/2017)
Prowse, D. (2011). CompTIA Security+ SY0-301 Authorized Cert Guide. (17/03/2017)