Risk Awareness with Third-Parties – CompTIA Security+ SY0-401: 2.2

How can an organization manage risk when a third-party is involved? In this video, you’ll learn the fundamentals for risk awareness when working with other organizations.

<< Previous Video: Privacy Considerations with Third-PartiesNext: Data Ownership and Unauthorized Data Sharing >>

When working with third parties you should always have some aspect of risk awareness. You’re obviously connecting two systems together when you’re working with a third party. And hopefully, the technical part of that has gone off without a hitch. But of course, you have to consider the security aspects of that as well. Ideally everyone gets together before this connection is made, and you all agree on exactly what security controls are going to be in place once this connection is alternately made. Both sides also have to understand what the risks are, because ideally one side or the other is going to be opening themselves up for some type of security or privacy concern.

Both sides of the business relationship probably have certain security policies in place, and obviously those security policies must be followed. But when you’re working with a third party you have to balance together what resources you’ll have available. You have to understand what the business requirements of this relationship are, and then you have to understand the risk of all of those things and balance them all together. Very often this risk is managed through the use of agreements. And when these agreements are in place everyone should have an understanding of the risk, and how these risks are handled throughout the relationship.

A good example of this might be something dealing with data backups. If you have a third party who’s providing data into a database and you happen to own the equipment that is holding the database, who is now responsible for backing up that data? Once the backups are made what happens to that information? Is it stored on site? Is it stored off site? Is a copy sent to the third party? And then who has access to that backup data? And when you store the backup data now where is that information going to be stored? Who will have access to that storage facility? And how will that data be retrieved if you ever need to get information off of the backups?

That’s just a single aspect of how the data is managed between these third parties and it’s only dealing with backups. You obviously have to consider the risk for the entire business process not just the backups. And that’s why it’s important to have all of these risks determined from the very beginning. Especially, when you’re working with a third party.