Our Security+ fast track continues. In this article we will look at the terms used in conjunction with third-party integration and the risks associated with it.
Sooner or later your company grows and starts doing business with other companies. Your business applications and data then need to be accessed by partners and customers.
This lesson covers the concepts that help you protect your data when that happens.
Let's get going.
On-boarding/Off-boarding business partners
The name says it all. The best practice is to have a policy or procedure defined for both events: what kind of access the partner needs, to which data and under what circumstances, and, just as important, how that access is revoked when the relationship ends. For example, you can set up a dedicated VPN for a supplier at on-boarding and tear it down (and disable the associated accounts and credentials) at off-boarding.
Social media networks and/or applications
Social networks are a phenomenon of our time. Used the right way they offer great benefits: your marketing department can use them to promote the company and its products, or to gather general feedback from customers.
There are, however, risks associated with their misuse. Employees who are not trained well could accidentally leak private or confidential company information.
Your security policy should also outline how to use these media properly.
Several agreements can be signed between two entities when they decide to work together towards a common goal. Here are the most commonly used:
A Service Level Agreement (SLA) is a formal document between two parties that defines what service is being offered and to what standard. For example, when you order an MPLS VPN service for branch connectivity, you agree with the provider on access rates, quality of service and service availability, and usually on what happens when those targets are missed.
A Business Partner Agreement (BPA) is another document signed between partners when they decide to do business together. It may cover profit sharing, cost sharing, each party's responsibilities and so on.
A less formal document, the Memorandum of Understanding (MOU), describes a gentlemen's agreement between two companies that plan to do business together. It outlines what they are trying to accomplish but is usually not legally binding.
An Interconnection Security Agreement (ISA) is a document that mandates what actions need to be taken when connecting to or disconnecting from a business partner's systems. It focuses on the technical side of the partnership: the interfaces, the security controls and the responsibilities on both ends of the connection. An example can be found here.
When you have many partners and customers, you need to make sure that the data each of them works with stays safe and confidential. You would not want partner A to be able to access partner B's data, or to use your network as a transit path to reach other networks. Segmenting partner connections from each other and from your internal network is the usual way to enforce this.
Before we can mitigate a risk we first need to be aware of it. Risk awareness training is important not only for your own staff but also for partners and suppliers; all of them can help you protect the integrity of your company.
Unauthorized data sharing
When working with a partner, give access only to the data needed to complete the workflow (the principle of least privilege). This minimizes the risk of unauthorized data sharing. You also need to be clear on how your partner will protect your data within their own infrastructure.
When working on a project for a customer you may involve partners to deliver a sub-service. For example, your company may take care of the servers while your partner delivers the network infrastructure.
In that case you need to agree where project documents such as sales orders, design documents and configuration scripts will be stored. You also need to decide who will present these documents to the end customer; this may, for example, affect the document format, logos, templates and so on.
As mentioned above, once data ownership is sorted out it is vital to agree who will protect the data against loss. Usually the data owner is responsible for this part.
Follow security policy and procedures
As my colleagues would say, keep calm and carry on. Your company has procedures for handling data, perhaps depending on its classification level. Make sure that your business partner is also aware of these procedures and follows them when handling your data.
Review agreement requirements to verify compliance and performance standards
Once everything is written down, make sure that you and your partner both know and understand the requirements for using the data the partner has access to, and review the agreements periodically to verify that they are actually being met. Performance standards describe what level of resources the partner will get; in a virtualized environment, for example, this can be a pool of RAM, CPU or storage.
And we have come to the end of this article. As always, I hope you learned something useful. See you in the next post in the series, which will cover some strategies to reduce risks.