The legal side of network security relies on a number of different agreement types. In this video, you’ll learn about standard operating procedures, interoperability agreements, and other common agreements.
Every organization has its own set of processes and procedures for handling its IT operations. These are your standard operating procedures. And although they're called your standard procedures, these are the important day-to-day procedures that make sure all of your systems and applications remain secure. They detail things that occur every day, and they're usually a very extensive list of the processes and procedures that you normally use on your network.
For example, what is the process and procedure when a new account needs to be made? Are there a set of permissions that need to be signed off on? Is there a form that needs to be filled out? All of these things should be standardized so that every single account follows exactly the same process. There should be a standard operating procedure for the backup and the handling of your backup data. There should be an SOP for how you handle encryption in your organization. And there should be standard operating procedures for everything else that occurs on a day-to-day basis.
Usually these are well documented, and as you can imagine, they may amount to an extensive set of documentation because you have so many different standard operating procedures in your environment. In some cases, your organization may need to comply with important industry regulations, and those legal requirements are built into all of your standard operating procedure documents.
Every organization is going to work with a third party that provides some type of products or services. There is a legal aspect to IT security that revolves around these interoperability agreements. For example, you may have a third party that provides web hosting for your organization, or perhaps your payroll services are outsourced to a third party. So some of your important and sensitive data may be in the hands of someone else.
It may be important to set up an agreement beforehand so that everybody understands the type of security that will be required for this data and what type of access controls will be in place to make sure that data remains secure. These are usually legal agreements, and that requires bringing in part of your legal team, or having a lawyer make sure that all of this documentation meets the requirements of your organization.
There are a number of other common agreements that you'll find in information technology. One common one is the SLA, or Service Level Agreement. This is an agreement between two parties that dictates the minimum level of service that will be required. For example, if you're getting network access from a third party, you might want to require a particular amount of uptime. There may be an agreement on response time, on the management of any problems, and on anything else that needs a minimum level of service.
Organizations that have longer-term and broader relationships may create a Business Partners Agreement, or BPA. This is the type of agreement you might find, for example, between a manufacturer and a reseller. And if you're part of the United States Federal Government, you may be required to agree to an Interconnection Security Agreement, or ISA. This defines security controls, especially when different departments of the US Federal Government are connecting to each other.
A less formal agreement is a Memorandum of Understanding, or MOU. This is a document that details something that both sides can agree to, but it may not necessarily be a signed contract. The next step above an MOU is a Memorandum of Agreement. This is where both sides agree to the specific information in the Memorandum of Agreement. This may not be a legal document with legal language, but it's something where both sides can agree to certain terms. For example, both sides may agree to promote and support the joint use of their facilities. That would be perfect language to add to a Memorandum of Agreement.
Category: CompTIA Security+ SY0-501