Third-Party Security Compliance – CompTIA Security+ SY0-401: 2.2

The compliance of security policies is an important consideration when working with a third-party. In this video, you’ll learn which security policies may be required and how to resolve issues when working with third-part security.

<< Previous Video: Security Policy Considerations with Third-PartiesNext: Change Management >>

When you’re working with a third-party, there’s an additional need to comply with very particular security controls. When you have many different people accessing the same data, you want to be sure that that particular data is safe and secure. Within your own organization, security compliance has its own challenges associated with it. These challenges are even wider when you’re working with a third-party. And then when you introduce new technologies like cloud computing, where your data can exist far outside the scope of both of your organizations, there are additional technical challenges you have to consider.

Sometimes this compliance is not just a good idea, it’s a legal mandate. You are required by law to provide a certain level of security of this data. An example of some of these are HIPAA– this is the Health Insurance Portability and Accountability Act. You also have credit card security such as PCI DSS, which is the Payment Card Industry Data Security Standard. And for federal information security, you have the Federal Information Security Management Act, or FISMA.

The first step to complying with these security requirements is to understand where all of the gaps currently exist in your security. Without understanding those gaps, you’re going to have no idea how to apply security controls. Now that you have your list, you can start resolving some of those security gaps.

Sometimes you can’t apply a type of technology to resolve a particular issue, or resolving that problem may involve a lot of money. And in those cases you have to balance out what the business requirement happens to be with the costs associated with resolving that security concern. This security compliance needs to be checked constantly, so you need to perform periodic audits to make sure that those gaps continue to be covered and that no new problems have occurred with the security compliance. These audits can be remarkably involved and may take a long amount of time to complete. And if you’re working with a third-party, you want to be sure to coordinate your efforts so that your audit goes as smoothly as possible, and you can be assured that all of your security risks have been covered.