1
00:00:00,005 --> 00:00:02,001
- [Narrator] One of the most important components

2
00:00:02,001 --> 00:00:04,000
of managing vendor relationships

3
00:00:04,000 --> 00:00:05,009
is ensuring that appropriate agreements

4
00:00:05,009 --> 00:00:08,008
are in place to ensure interoperability

5
00:00:08,008 --> 00:00:10,008
and require that the vendor provide

6
00:00:10,008 --> 00:00:12,003
a level of service consistent

7
00:00:12,003 --> 00:00:14,008
with the customer's expectations.

8
00:00:14,008 --> 00:00:16,009
As an organization begins to evaluate

9
00:00:16,009 --> 00:00:19,004
a new vendor relationship, it should establish

10
00:00:19,004 --> 00:00:22,009
service-level requirements, or SLRs,

11
00:00:22,009 --> 00:00:25,004
that describe the organization's expectations

12
00:00:25,004 --> 00:00:27,007
of the vendor during the relationship.

13
00:00:27,007 --> 00:00:29,004
These requirements may address

14
00:00:29,004 --> 00:00:31,002
any concerns that the customer has

15
00:00:31,002 --> 00:00:33,007
for the quality of service provided by the vendor.

16
00:00:33,007 --> 00:00:37,001
For example, service-level requirements may include

17
00:00:37,001 --> 00:00:38,006
system response time,

18
00:00:38,006 --> 00:00:40,000
service availability,

19
00:00:40,000 --> 00:00:42,004
data preservation requirements,

20
00:00:42,004 --> 00:00:45,006
or any other parameter specified by the customer.

21
00:00:45,006 --> 00:00:49,005
Once an organization negotiates these SLRs with the vendor,

22
00:00:49,005 --> 00:00:51,000
it should document the results

23
00:00:51,000 --> 00:00:54,001
in a service-level agreement, or SLA.
24
00:00:54,001 --> 00:00:57,001
The SLA is a written contract between the vendor

25
00:00:57,001 --> 00:00:59,000
and the customer that describes

26
00:00:59,000 --> 00:01:01,007
the conditions of service and penalties the vendor

27
00:01:01,007 --> 00:01:03,006
will incur for failure to maintain

28
00:01:03,006 --> 00:01:06,000
the agreed upon service levels.

29
00:01:06,000 --> 00:01:07,004
There are many other vehicles

30
00:01:07,004 --> 00:01:09,002
available to organizations seeking

31
00:01:09,002 --> 00:01:11,009
to formalize relationships with their vendors.

32
00:01:11,009 --> 00:01:14,008
A memorandum of understanding or MOU

33
00:01:14,008 --> 00:01:17,003
is simply a letter written to document aspects

34
00:01:17,003 --> 00:01:18,008
of the relationship.

35
00:01:18,008 --> 00:01:20,004
MOUs are commonly used

36
00:01:20,004 --> 00:01:22,006
when a legal dispute is unlikely

37
00:01:22,006 --> 00:01:23,007
but the customer and vendor

38
00:01:23,007 --> 00:01:25,009
still wish to document their relationship

39
00:01:25,009 --> 00:01:28,003
to avoid future misunderstandings.

40
00:01:28,003 --> 00:01:30,003
MOUs are commonly used in cases

41
00:01:30,003 --> 00:01:32,005
where an internal service provider

42
00:01:32,005 --> 00:01:34,006
is offering a service to a customer

43
00:01:34,006 --> 00:01:37,008
that is in a different business unit of the same company.

44
00:01:37,008 --> 00:01:40,008
Business partnership agreements, or BPAs,

45
00:01:40,008 --> 00:01:42,009
exist when two organizations agree

46
00:01:42,009 --> 00:01:45,006
to do business with each other in a partnership.

47
00:01:45,006 --> 00:01:48,004
For example, if two companies jointly develop

48
00:01:48,004 --> 00:01:51,002
and market a product, the BPA might specify

49
00:01:51,002 --> 00:01:53,000
each partner's responsibilities

50
00:01:53,000 --> 00:01:55,002
and the division of profits.
51
00:01:55,002 --> 00:01:58,009
Interconnection security agreements, or ISAs,

52
00:01:58,009 --> 00:02:00,003
include details on the way

53
00:02:00,003 --> 00:02:02,004
that two organizations will interconnect

54
00:02:02,004 --> 00:02:05,006
their networks, systems, and/or data.

55
00:02:05,006 --> 00:02:09,002
The ISA provides details on connection security parameters

56
00:02:09,002 --> 00:02:10,008
such as the encryption standards

57
00:02:10,008 --> 00:02:13,007
and transfer protocols that will be used.

58
00:02:13,007 --> 00:02:16,000
Security and compliance are key issues

59
00:02:16,000 --> 00:02:19,002
during the negotiation of agreements with vendors.

60
00:02:19,002 --> 00:02:22,001
As the organization develops service-level requirements,

61
00:02:22,001 --> 00:02:25,000
it should include its minimum security requirements

62
00:02:25,000 --> 00:02:26,005
in the agreement.

63
00:02:26,005 --> 00:02:28,007
For example, the customer might state

64
00:02:28,007 --> 00:02:31,003
that it expects all information will be encrypted

65
00:02:31,003 --> 00:02:33,006
both at rest and in transit

66
00:02:33,006 --> 00:02:37,006
using AES 256-bit encryption.

67
00:02:37,006 --> 00:02:39,003
As you review a proposed agreement

68
00:02:39,003 --> 00:02:41,000
from a security perspective,

69
00:02:41,000 --> 00:02:43,000
you should ensure that the agreement includes

70
00:02:43,000 --> 00:02:45,002
appropriate provisions that protect

71
00:02:45,002 --> 00:02:46,008
your organization when it comes

72
00:02:46,008 --> 00:02:49,003
to both security and compliance.
73
00:02:49,003 --> 00:02:51,006
The agreement should document all security

74
00:02:51,006 --> 00:02:54,001
and compliance requirements and it should also

75
00:02:54,001 --> 00:02:56,005
allow the customer to verify compliance

76
00:02:56,005 --> 00:02:59,001
and performance standards through monitoring

77
00:02:59,001 --> 00:03:00,007
conducted either by the customer

78
00:03:00,007 --> 00:03:03,004
or by an independent third party.

79
00:03:03,004 --> 00:03:05,003
Agreements should also ensure the right

80
00:03:05,003 --> 00:03:08,003
of the customer to audit the vendor through assessments

81
00:03:08,003 --> 00:03:10,007
conducted by the customer or a third party.

82
00:03:10,007 --> 00:03:13,004
These assessments may include on-site visits,

83
00:03:13,004 --> 00:03:15,008
the exchange and review of documents,

84
00:03:15,008 --> 00:03:19,007
and the review of policies, processes, and procedures.

85
00:03:19,007 --> 00:03:21,006
Contracts and agreements are an important part

86
00:03:21,006 --> 00:03:24,006
of the relationship between a customer and a supplier.

87
00:03:24,006 --> 00:03:26,005
Taking the time to clearly document

88
00:03:26,005 --> 00:03:28,007
an agreement avoids misunderstandings

89
00:03:28,007 --> 00:03:30,008
in the early stages of a relationship

90
00:03:30,008 --> 00:03:32,002
and protects both parties

91
00:03:32,002 --> 00:03:34,001
in the event of a dispute later on.