On-boarding and Off-boarding Business Partners – CompTIA Security+ SY0-401: 2.2


As you start and end projects with business partners, the security process becomes an important consideration. In this video, you’ll learn about some best-practices around on-boarding and off-boarding business partners.

<< Previous Video: Recovery Time ObjectivesNext: Security Implications of Social Media >>


On-boarding is the process of bringing a new partner into your organization. This is a little bit different than hiring a person who will be an employee of the company. Instead, this is a third party organization or a third party individual who will now have access to assets, data, and other things that are within your organization. Obviously there will be a number of legal agreements that have to be resolved before any on-boarding can occur. You’re bringing someone into the organization who is not an employee so they don’t have any responsibility that a normal employee might have.

Usually agreements are made regarding the type of data someone might have access to, or what should happen if there are any problems with that person on the inside of your organization. Once we’ve completed the legal requirements, we can get to work with putting together the technical pieces that will allow this on-boarding process to occur.

One of the first things that usually occurs is you need some type of connection to the third party. They’re probably going to gain access to information within your organization, and you might need to access data and resources that are in their organization. Usually you accomplish this by building an encrypted tunnel between the locations. You can use your existing public internet connection, but instead encrypt the data on both sides so that even though the information is going across the internet, all of the data is still protected.

If all of the information and resources will be in the same data center, there’s still usually a physical segmentation between your equipment and their equipment. And at the very least, there’s a logical segmentation that will keep your data protected from the third party, usually with a firewall or some other type of security device in between.

Once we’ve built the road that will allow all this data to traverse, we need to create some way to authenticate access into either our network or the remote side. In those particular cases, we need to put together some standard authentication mechanism. Usually this is done through a third party authentication server that’s running Radius or Tacx Plus. This will allow us to create usernames that will allow people from the on-boarding organization to gain access to the internal resources of our company.

You should also audit your security controls to make sure they’re working properly. The third party that’s now on-boarded should have access to the data they need, but you should make sure that you’re limiting that access inside of your organization. These projects that require the on-boarding of another organization may be very short term or they might last for years, but eventually the project or requirement will come to an end, and you’ll need to begin the off-boarding process.

Ideally the time frame and details of off-boarding this third party should’ve been figured out well during the beginning phase of the on-boarding. This way you’ll know exactly the process we’ll go through, you’ll know the frames that everyone will be expecting, and you’ll be assured that the entire process would have been covered from end to end without missing any steps in between.

One of the questions you’ll need to have answered is, how do you separate the systems that you’ve been using and return them to their proper owners? If there’s a clear delineation between your equipment and the third party, then that’s probably something that’s very easy to determine. But occasionally on these projects, you have equipment that’s being shared by both organizations. And so the off-boarding process will need to determine how to properly remove that equipment and return it to the rightful owner.

Perhaps even more important is what happens to the data itself. Who owns the data? And when you are now off-boarding, who gets to keep that data? Do both sides of the organization maintain ownership of the data? Is only one side going to now have access to that information? All of this obviously needs to be determined before the off-boarding process even occurs.

And of course, everybody needs to be completely aware of when the final connection will be terminated between the two organizations, especially if you’re dealing with lease lines where a termination of a link may require 30 days or more to have that re-enabled. You don’t want to turn off a connection and then realize there is more work to be done. So this is an extremely important date to consider during the off-boarding process.