WEBVTT

00:00.180 --> 00:07.170
A big issue when it comes to IT security is third-party agreements. There's more than a high probability

00:07.170 --> 00:12.410
that you're going to have to be dealing with third parties for all kinds of different situations.

00:12.420 --> 00:19.020
Now what I want to do in this episode is actually talk about the legalese, I guess, or the formality

00:19.200 --> 00:23.550
of the types of documents that we run into when we're dealing with third parties.

00:23.550 --> 00:29.340
It's not my job to tell you exactly what goes into these, but just more of an overview, so that if you

00:29.340 --> 00:34.830
come into a situation where you need to work with somebody to share data, or you want to go into business

00:35.100 --> 00:41.010
with another entity to make money, you have some idea at least of the type of documents that are out

00:41.010 --> 00:41.220
there.

00:41.220 --> 00:45.390
So what I'd like to start off with is a business partners agreement.

00:49.880 --> 00:57.090
A business partners agreement is the most generic of all the documents we're going to see in this episode.

00:57.230 --> 01:02.260
If two entities want to do business together, they better come up with some type of agreement.

01:02.520 --> 01:08.580
A good BPA is going to include, number one, the primary entities: who are the partners that are going to

01:08.580 --> 01:10.230
be working together.

01:10.230 --> 01:12.740
Second is going to be some form of timeframe,

01:12.900 --> 01:20.570
and if it is ongoing, then some methodology for dissolution in the future if necessary. Third will be

01:20.570 --> 01:26.960
financial issues, things like, for example, how much investment is each partner putting in, how much draw

01:26.960 --> 01:32.570
can each partner take depending on profitability, for example, and what type of auditing methodologies

01:32.570 --> 01:36.680
are going to take place. Next is management.

01:36.920 --> 01:40.840
If you have partners, what are the functions of those partners?

01:40.880 --> 01:47.420
Also, when do we have partner meetings, and the type of record keeping to be kept, as well as the location

01:47.480 --> 01:49.540
of all partnership records.

01:49.900 --> 01:56.060
BPAs are incredibly common in the private sector. Pretty much any time you're going to be doing business

01:56.060 --> 01:57.380
with another entity,

01:57.380 --> 01:59.570
you're going to be setting up a BPA.

01:59.630 --> 02:08.210
Now the other thing we see a lot is: I am doing something to work in IT infrastructure, but I need some

02:08.210 --> 02:10.550
kind of service in particular.

02:10.550 --> 02:12.860
I need, for example, an ISP.

02:12.950 --> 02:19.370
So in that case I need to work out what's known as a service level agreement. A service level agreement

02:19.580 --> 02:24.830
is nothing more than an agreement between me, who is getting the service, and my service provider.

02:24.830 --> 02:30.360
Let's take a look at that.

02:30.400 --> 02:35.340
The first thing that any good SLA is going to have is the service to be provided.

02:35.350 --> 02:42.580
So if I'm going to be working with an ISP, it will define that I'm hoping to be provided Internet at

02:42.610 --> 02:46.600
a certain quantity with a certain amount of time.

02:46.600 --> 02:53.110
Second will be some form of minimum uptime. In some situations you can actually see a maximum uptime,

02:53.110 --> 03:00.130
although that is fairly rare. For us the big one is minimum uptime, as well as potential penalties

03:00.160 --> 03:04.140
or discounts for not achieving a minimum uptime.

03:04.300 --> 03:06.900
Number three would be some form of response time.

03:07.000 --> 03:14.310
If this service is not working, what type of response time does the service provider guarantee to me

03:14.320 --> 03:16.370
in order to rectify the situation?

03:17.410 --> 03:22.960
With response time would be, for example, contacts: if I have a problem, who is my direct, ready to pick

03:22.960 --> 03:26.230
up the phone contact to deal with this particular issue?

03:26.590 --> 03:30.930
And last, a start and an end date for this particular service.

03:31.060 --> 03:36.750
Now being a private sector guy, I see a lot of BPAs and SLAs in my life.

03:36.790 --> 03:42.340
However, there's a few other types of documents that I want to talk about that are, well, in my opinion,

03:42.340 --> 03:44.040
more governmental.

03:44.040 --> 03:48.820
Now I'm not to say these don't show up in the private sector, but you see them a lot within government

03:48.850 --> 03:49.850
entities.

03:49.870 --> 03:56.400
Now the first one I want to talk about is called the interconnection security agreement, or an ISA.

03:56.530 --> 04:03.100
Now the ISA has been around for a while, but it really got its big name from a very famous document

04:03.100 --> 04:07.670
called NIST 800-47.

04:07.690 --> 04:14.800
So this document really worked hard to quantify how two government entities, in particular United States

04:14.830 --> 04:20.580
federal government entities, can make data interconnections in a safe and secure way.

04:20.590 --> 04:22.330
So let's run through an ISA.

04:26.700 --> 04:32.940
The first part of any ISA is going to be the statement of requirements. Basically we're asking

04:32.940 --> 04:33.720
two questions here.

04:33.720 --> 04:38.000
Number one, why are we interconnecting? So from 10,000 feet,

04:38.070 --> 04:40.650
what is the motivation for this interconnection?

04:40.650 --> 04:44.220
Second, we define what systems are interconnected.

04:44.220 --> 04:51.300
We don't just say what two organizations; we're usually talking about one data center and a particular office

04:51.300 --> 04:53.370
type of description.

04:53.520 --> 04:59.620
Second are going to be what NIST calls system security considerations.

04:59.640 --> 05:06.180
So basically they're asking a lot of questions here: exactly what information is going to be interconnected

05:06.180 --> 05:06.920
here.

05:06.990 --> 05:09.750
Which direction is this information going to go?

05:09.750 --> 05:12.130
Does it go one way, does it go both directions?

05:12.950 --> 05:15.380
Third, what services are going to be involved?

05:15.380 --> 05:17.540
Is this an HTTP connection?

05:17.570 --> 05:18.770
Is this e-mail?

05:18.800 --> 05:22.840
What exactly is the service that's being used here?

05:23.030 --> 05:29.480
And then fourth is going to be whatever authentication, authorization, or encryption methodologies are

05:29.480 --> 05:31.490
going to be done to make that connection.

05:31.490 --> 05:34.520
Next you're going to have some type of topological drawing.

05:34.520 --> 05:39.230
Now what I mean by this is we have some sort of technical drawing that's going to show the actual

05:39.230 --> 05:47.930
connection locations and points, IP addresses, CSU/DSUs, whatever you need to technically define how

05:47.930 --> 05:49.690
that's going to work.

05:49.820 --> 05:54.050
Last is what NIST calls a signature authority.

05:54.050 --> 06:00.710
Now really what they're talking about here is a timeframe for this interconnection, as well as scheduling

06:00.710 --> 06:05.870
technical reviews and security reviews for that interconnection itself.

06:05.870 --> 06:10.910
Now if there's one thing I wanted you to notice as we were going through that ISA, it's that it didn't

06:10.910 --> 06:17.180
talk about who's in charge, or how much this is costing, or what if we have a legal issue.

06:17.300 --> 06:18.940
That's not the job of the ISA.

06:18.950 --> 06:21.650
The ISA is a technical document.

06:21.650 --> 06:27.940
So most of the time, especially when you're dealing with public entities that are trying to work together,

06:28.070 --> 06:35.900
most ISAs are reinforced with something we call a memorandum of understanding, also known as a memorandum

06:35.960 --> 06:42.120
of agreement. An MOU or an MOA is not a contract,

06:42.140 --> 06:48.500
but it's pretty close to a contract, especially when you're talking about two public agencies that otherwise

06:48.500 --> 06:52.900
would have no formal legal methodology of dealing with each other.

06:52.910 --> 06:58.660
However, it does look like a contract. For example, you'll have things like the purpose of the interconnection:

06:58.700 --> 07:06.530
why are these two different entities making some form of third-party agreement to interconnect whatever

07:06.530 --> 07:08.680
they might want to interconnect.

07:08.690 --> 07:14.990
Number two, you're going to have relevant authorities: who are the people in charge on either end of this,

07:15.320 --> 07:20.510
who would be the people to speak for this particular not-a-contract?

07:20.570 --> 07:25.630
Number three, it will specify the responsibilities of both organizations.

07:25.700 --> 07:32.780
For example, downtime, responsibilities for billing, any legal issues that come out as a side issue of

07:32.780 --> 07:33.570
this.

07:33.590 --> 07:41.710
It clearly defines what responsibility goes to what organization. Last, it's going to define the terms

07:41.710 --> 07:44.490
of the agreement.

07:44.620 --> 07:52.690
For example, costs: if this entire MOU is based on a leased line, who's going to be paying for it?

07:52.690 --> 07:54.330
How will the billing be handled?

07:54.580 --> 08:01.800
And then last, like all good not-contracts, there will be stipulations for terminating or re-authorizing

08:01.810 --> 08:04.630
the interconnection on an as needed basis.

08:04.630 --> 08:09.760
I know a lot of these third-party agreements start to come off like a bit of an alphabet soup, but the

08:09.760 --> 08:11.840
exam really does stress these.

08:12.010 --> 08:16.600
Make sure you're familiar with the four different types of third-party agreements we've talked about

08:16.600 --> 08:21.630
in this episode, and make sure you're clear as to the function of each one of those four.
