Interoperability Agreements – CompTIA Security+ SY0-401: 2.2

Before entering into a business arrangement, it’s always good to have a set of agreements that include security considerations. In this video, you’ll learn about interoperability agreements such as service level agreements, business partner agreements, and more.



When working with third parties or outsourced services, there are certainly technical agreements in place, but there are also legal agreements in place as well, in the form of interoperability agreements. You can think of this if you’re working with a third party that provides you with web hosting, or with payroll, or with management of your firewall. In each of those cases, there’s probably data that is being seen, viewed, or stored by a third party. And in that particular case there needs to be an agreement on what happens with that data.

You might also be concerned with the hiring process from the third party, especially if they have access to sensitive information. You might also want to know more about the access controls that are in place so that if somebody is at the third party, they’re only going to have access to exactly what’s required to perform that third-party service. If you’re planning to start this relationship with a third-party provider, you may want to consider getting your own legal department involved from the very beginning. That way, if there are any problems during this process, those particular issues can be resolved at the very start of this relationship and not once things have already begun.

One common agreement type is a memorandum of understanding. This is not a legal signed contract, but it is a memo that is sent from one side to the other that talks about things that are important to consider during this relationship: things like the confidentiality of data, or anything else that needs to be brought up and understood by both sides. If a third party is providing you with services, there’s probably also going to be a service level agreement. This is going to define what the minimum is going to be for those services that are being provided to you. And it might also provide you with information about how much uptime is expected, or what the response times might be for certain issues. There are also usually penalties involved with the service level agreement, so that if the service levels aren’t met, you will then be compensated in some way.

If you’re manufacturing a product, or you’re reselling someone else’s manufactured product, you might also have an agreement in place called a business partners agreement. This particular agreement defines the role of each side and defines during this business process what the terms are for reselling the equipment and the restrictions that might be placed on a reseller. If you’re part of the United States Federal Government and you need to connect to a third party, you might also be required to have an interconnection security agreement, or an ISA. This ensures that the connection that’s being built between your part of the government and the third party will have the proper security controls in place to make sure that all of that information will stay secure.