5.3 Flashcards
Third-party risk assessment, agreement types
A condition in a contract between an organization and a third party that gives the organization the right to perform a security audit of the third party (its systems, processes, or controls).
Right-to-audit clause
A document that defines the purpose and scope of a penetration test.
It includes when the test will happen, which systems are in scope or exempted, the IP address ranges to be tested, contact information for the people to notify if something goes wrong, how sensitive data found during the test will be handled, and whether the test is performed internally or externally.
Rules of engagement
Documentation that a third party provides to the organization it has an agreement with, showing that the third party performs its own internal security audits and how thorough those audits are.
These documents may be required for compliance with industry standards.
Evidence of internal audits
A common way for an organization to verify the security of a third party by actively attempting to exploit weaknesses, rather than relying only on documentation
Pentesting
The process of evaluating the security of a third party's products across the whole supply chain, from raw materials to the final deliverable.
Includes the communication channels between the organization and the third party, the third party's IT systems, patch management, physical security, etc.
Supply chain analysis
The process of bringing in an outside contractor to evaluate the security of your organization and provide recommendations.
This knowledgeable third party may offer a different perspective and seasoned skills that the company lacks internally.
Independent assessment
The process of investigating and getting more information about a company before doing business with them.
Due diligence
A situation in which something might compromise the judgement of either side of the business relationship. It may prevent the two companies from doing business with each other.
Ex. A third party you want to do business with also works with your competitor.
Ex. The third party employs a relative of one of your organization's executives.
Conflict of interest
The ongoing management and assessment of the vendor relationship, which continues after the contract is signed.
Includes regular financial health checks, IT security reviews, and monitoring of news articles and social media posts about the vendor.
Vendor monitoring
A simple way to find out more about how a vendor does business; one method used to carry out due diligence.
The results are used to update the vendor risk analysis and can also be used to recommend security improvements to the vendor.
Includes questions about the vendor's own due diligence process, disaster recovery plans, data storage methods, etc.
Questionnaire
SLA stands for
Service-Level Agreement
MOA stands for
Memorandum of Agreement
MOU stands for
Memorandum of Understanding
MSA stands for
Master Service Agreement
WO stands for
Work Order
SOW stands for
Statement of Work
True/False
WO and SOW are the same thing
True (the two terms are used interchangeably here for the document that itemizes the specific work to be done)
A document that lists the minimum terms for the services provided.
Typically used between customers and service providers.
Ex. Uptime, response time agreement
Ex. No more than 4 hours of unscheduled downtime, and during any downtime, a technician should be dispatched
Ex. The customer is required to keep spare parts onsite
SLA
NDA stands for
Non-Disclosure Agreement
BPA stands for
Business Partners Agreement
A document that states the broad common goals of two organizations that would like to work together. Both sides agree in general to its contents.
This is NOT a legally-binding contract, even if it is signed.
MOU
A document that describes in more detail the relationship between two organizations that want to work together; one step above the MOU.
It is a formal document and may contain some legally-binding terms, but as a whole it is NOT a legally-binding contract.
MOA
A document that sets the legal terms between two organizations that want to work together, often including a framework that will govern future transactions.
This is a legally-binding contract.
Used as a foundation that additional services will use going forward between the two companies.
Ex. How billing works, terms of service, how payment system works.
MSA
A document that lists, in detail, which services will be provided and when, as specific items to be completed.
Used together with the MSA so that the basic contract terms do not need to be renegotiated; it focuses on the detailed, specific tasks.
In essence, it is the yardstick for evaluating whether the job was done properly.
Ex. The scope of the job, the location, deliverables schedule, acceptance criteria, etc.
WO / SOW
A contract that prohibits the parties from disclosing confidential information shared under the agreement.
A legally-binding contract.
Ex. Trade secrets, business activities, etc.
NDA
2 types of NDAs
Unilateral/one-way
Bilateral/mutual
A document that describes the financial details of a partnership and the ownership stake each party acquires as part of it. It is created when two organizations begin a formal relationship.
It also describes who makes business decisions, documenting specific individuals and their scope of authority.
It also details what happens when things go wrong (financial problems, disaster recovery, etc.).
BPA
4 things a BPA lists
Financial details
Ownership stake
Business decisions
Contingency plans