5.3 Third-party risk
📘CompTIA Security+ (SY0-701)
When organizations work with third parties such as vendors, service providers, or contractors, it’s essential to have formal agreements that define responsibilities, expectations, and security requirements.
These agreements help manage third-party risk — meaning they help ensure that the third party won’t compromise the confidentiality, integrity, or availability (CIA) of the organization’s data and systems.
Let’s go through each of these key agreement types in simple terms.
1. SLA (Service-Level Agreement)
Definition:
An SLA is a contract that defines the expected level of service a vendor must provide.
It includes performance standards, availability requirements, and response times.
Purpose:
To make sure the service provider meets agreed-upon performance targets and security expectations.
Common IT Usage:
- Cloud service providers define uptime (e.g., 99.9% availability).
- IT support vendors define response time for incidents (e.g., critical issue response within 1 hour).
- Data centers define network latency or backup frequency.
Key Elements:
- Uptime/Availability — how long systems must be online.
- Response Time — how fast support must respond to an issue.
- Resolution Time — how long it should take to fix an issue.
- Performance Metrics — measurable targets for services (e.g., bandwidth, latency).
- Security Requirements — encryption, data protection, and incident response expectations.
- Penalties — what happens if the vendor fails to meet the SLA (e.g., credit, refund, or termination).
Exam Tip:
The SLA focuses on measurable service performance and enforceable expectations.
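Because an SLA is built on measurable targets, a practitioner usually wants to verify them from evidence rather than trust the vendor's report. The following is an added example, not part of the Security+ notes: it takes constructed outage windows and support tickets for a 30-day month and checks them against the two targets quoted above (99.9% availability and a 1-hour response time for critical issues). The record formats, ticket IDs and field names are assumptions made for this illustration.

```python
"""Added example (not from the Security+ notes): checking SLA metrics from evidence.

Computes monthly availability against a 99.9% uptime target and checks each
critical ticket against a 1-hour first-response target. The targets are the
ones quoted in the SLA section; all records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed outage windows (start, end) for one service in a 30-day month.
OUTAGES = [
    ("2024-03-04T02:10:00", "2024-03-04T02:25:00"),  # 15 min
    ("2024-03-19T14:00:00", "2024-03-19T14:40:00"),  # 40 min
]

# Constructed critical tickets: (ticket id, opened, first vendor response).
CRITICAL_TICKETS = [
    ("INC-1001", "2024-03-04T02:12:00", "2024-03-04T02:30:00"),  # 18 min
    ("INC-1002", "2024-03-19T14:05:00", "2024-03-19T15:20:00"),  # 75 min
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (assumed format of the constructed records)."""
    return datetime.fromisoformat(ts)


def allowed_downtime(uptime_target: float, period_days: int = 30) -> timedelta:
    """Downtime budget implied by an uptime percentage over the measurement window."""
    return timedelta(days=period_days) * (1 - uptime_target / 100.0)


def availability_percent(outages, period_days: int = 30) -> float:
    """Availability as a percentage of the window, with all outage time subtracted."""
    total = timedelta(days=period_days)
    downtime = sum((_parse(end) - _parse(start) for start, end in outages), timedelta())
    return 100.0 * (1 - downtime / total)


def response_breaches(tickets, max_response: timedelta = timedelta(hours=1)):
    """Return (ticket id, elapsed) for every ticket whose first response was late."""
    breaches = []
    for ticket_id, opened, responded in tickets:
        elapsed = _parse(responded) - _parse(opened)
        if elapsed > max_response:
            breaches.append((ticket_id, elapsed))
    return breaches


def evaluate_sla(outages, tickets, uptime_target: float = 99.9, period_days: int = 30) -> dict:
    """Combine both checks into one verdict the organization can hold the vendor to."""
    avail = availability_percent(outages, period_days)
    late = response_breaches(tickets)
    return {
        "availability_percent": round(avail, 4),
        "downtime_budget_minutes": allowed_downtime(uptime_target, period_days).total_seconds() / 60,
        "uptime_met": avail >= uptime_target,
        "response_breaches": [ticket_id for ticket_id, _ in late],
        "sla_met": avail >= uptime_target and not late,
    }


if __name__ == "__main__":
    for key, value in evaluate_sla(OUTAGES, CRITICAL_TICKETS).items():
        print(f"{key}: {value}")
```

With the constructed data, 55 minutes of downtime exceeds the 43.2-minute budget that 99.9% allows in a 30-day month, and INC-1002 was acknowledged after 75 minutes, so both the availability and the response-time clauses are missed. Real SLAs also define the measurement window, exclusions such as scheduled maintenance, and how "response" is evidenced; those definitions decide whether a penalty clause can actually be invoked.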
2. MOA (Memorandum of Agreement)
Definition:
An MOA is a formal agreement between two or more parties that defines specific responsibilities and actions they agree to perform.
Purpose:
To describe how each party will work together and what each is responsible for, without necessarily being a legally binding contract.
Common IT Usage:
- Between two government or partner organizations sharing data securely.
- Between a company and a research partner agreeing to share network resources or threat intelligence.
Key Elements:
- Roles and Responsibilities — who will do what.
- Shared Goals — what the collaboration aims to achieve.
- Resource Sharing Rules — how systems, tools, or data will be accessed.
- Security and Compliance — how to maintain confidentiality and protect data.
Exam Tip:
An MOA is more detailed than an MOU (see below) and often outlines responsibilities, not just intentions.
3. MOU (Memorandum of Understanding)
Definition:
An MOU is a non-binding document that outlines the general understanding or intent of two or more parties to cooperate.
Purpose:
To establish that both sides intend to work together, but it usually does not create legal obligations.
Common IT Usage:
- Two organizations agreeing to explore future cybersecurity collaboration.
- Agencies planning to share information during a potential security incident.
Key Elements:
- Intent of Collaboration — general goals or objectives.
- Scope — what the cooperation involves.
- Duration — time period of understanding.
- Non-binding Nature — indicates it’s not a legal contract.
Exam Tip:
An MOU expresses mutual intent, while an MOA describes specific commitments.
4. MSA (Master Service Agreement)
Definition:
An MSA is a broad contract framework that defines general terms and conditions for future transactions or projects between parties.
Purpose:
To simplify future work — new projects can be added under the same MSA without renegotiating all terms.
Common IT Usage:
- Between an IT outsourcing company and a client for multiple upcoming projects.
- Between a managed security service provider (MSSP) and a business for ongoing cybersecurity services.
Key Elements:
- Overall Responsibilities — what each party is accountable for.
- Payment Terms — how and when payments are made.
- Dispute Resolution — how disagreements will be handled.
- Security Policies — how data and systems will be protected.
- Sub-agreements or Work Orders — added under the same MSA for individual projects.
Exam Tip:
An MSA covers the general rules for the relationship, while SOWs (below) define specific project details.
5. SOW (Statement of Work)
Definition:
An SOW is a detailed, project-specific document that defines the exact work to be performed, deliverables, and deadlines.
Purpose:
To clearly describe what the vendor will do, how, and when.
Common IT Usage:
- When a vendor installs new network hardware or performs a security audit.
- When a consultant is hired to implement a firewall or a vulnerability management system.
Key Elements:
- Scope of Work — tasks, goals, and deliverables.
- Timeline — start and end dates.
- Performance Standards — how success is measured.
- Roles and Responsibilities — who does what.
- Security Requirements — compliance with internal and regulatory security policies.
Exam Tip:
An SOW is specific to a project, often written under an MSA.
6. NDA (Non-Disclosure Agreement)
Definition:
An NDA is a legal agreement that requires one or more parties to keep certain information confidential.
Purpose:
To protect sensitive or proprietary information shared during business relationships.
Common IT Usage:
- Before discussing network design, source code, or incident details with vendors.
- When contractors access internal systems or confidential client data.
Key Elements:
- Definition of Confidential Information — what must be kept secret.
- Obligations — how the information must be protected.
- Duration — how long confidentiality must be maintained.
- Consequences of Violation — penalties or legal actions for breaches.
Exam Tip:
The NDA protects confidentiality — a core security principle.
7. BPA (Business Partnership Agreement)
Definition:
A BPA defines the roles, responsibilities, and financial obligations of partners working together in a joint business venture.
Purpose:
To clarify how the partners will share profits, losses, decision-making authority, and security responsibilities.
Common IT Usage:
- Between two companies that jointly provide managed IT or cybersecurity services.
- When developing and maintaining shared technology infrastructure.
Key Elements:
- Ownership Structure — who owns what.
- Roles and Responsibilities — duties of each partner.
- Financial Arrangements — profit/loss sharing.
- Governance — who makes decisions and how.
- Security and Compliance — each partner’s responsibility for protecting shared data and systems.
Exam Tip:
The BPA is about partnership and shared responsibility, often used when two businesses collaborate on a joint IT service or venture.
Summary Table
| Agreement Type | Full Form | Purpose | Binding? | Focus Area |
|---|---|---|---|---|
| SLA | Service-Level Agreement | Defines expected service levels and performance | Yes | Measurable service quality |
| MOA | Memorandum of Agreement | Details specific responsibilities between parties | Often Yes | Defined actions/responsibilities |
| MOU | Memorandum of Understanding | Outlines mutual intent to cooperate | Usually No | General understanding |
| MSA | Master Service Agreement | Sets general terms for future projects | Yes | Overall relationship framework |
| SOW | Statement of Work | Defines specific project tasks and deliverables | Yes | Project details and timeline |
| NDA | Non-Disclosure Agreement | Protects confidential information | Yes | Confidentiality |
| BPA | Business Partnership Agreement | Defines business partnership roles and obligations | Yes | Shared operations and profits |
Key Takeaways for the Exam
- SLA → Focuses on performance and service quality metrics.
- MOA vs MOU → MOA is more formal and specific; MOU is informal and general.
- MSA → Sets the overall relationship rules.
- SOW → Defines specific project details under an MSA.
- NDA → Protects confidential data.
- BPA → Defines partnership structure and shared responsibilities.
