S 5.87 Agreement regarding connection to third party networks
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: Head of IT, IT Security Officer
More and more companies and government agencies are connecting their networks, which were previously sealed off from the outside world, to groups of networks known as extranets. When connecting one's own internal network to a third party network, a detailed data connection agreement (DCA) must be concluded before the connection is established. This agreement must define specifically who will receive access to one's own network under the terms of the agreement, under what conditions, and to which areas and services of one's own network external parties are to be given access. It is equally important to reach agreement on communications in the other direction, i.e. who in one's own organisation should have access to the external network, with what access rights and under what conditions.
Such an agreement should cover the following elements:
- a summary of what the agreement covers
- definition of responsibilities (who is responsible for ensuring that the terms of the contract are complied with?)
- points of contact for both organisational and technical problems and, in particular, for security-relevant events
- the necessary technical information, i.e. definitions regarding
  - what services (e.g. telnet, ftp, http) are made available,
  - what IT platforms, applications and data formats are supported,
  - the level of availability which must be guaranteed (performance, maximum failure rate),
  - who may or must log what, where the logged data should be stored and who is to be allowed access to the logged data (this can be especially important in emergency situations),
  - to what extent there should be a regular exchange of logged data,
  - the security safeguards which must be guaranteed.
- a non-disclosure agreement, i.e. an agreement to the effect that information which one of the parties has acquired as a result of working with another party must not be disclosed to outsiders
- a liability and compensation provision (areas requiring clarification in this respect should include the conditions for the suspension of the network connection, liability for computer viruses or hacker attacks, contractual penalties for non-performance and assumption of liability where third party content is utilised)
- arrangements as regards the duty to provide information on security gaps that have come to light
- a stipulation as to what data may be used for which purposes (e.g. as regards the reuse of the results of work)
- a statement of the extent to which other contractual partners are included in the agreement, e.g. through common use of applications or as a service provider for one of the contractual partners
- the term of the agreement (the pace at which technology develops dictates that agreements regarding the use of technology must be continuously modified).
The agreement should be concluded by persons who will also bear the responsibility for adherence to it. For this purpose, it is usually necessary to clarify who should be responsible for the network connection, as normally different parts of a company or government agency will be involved. It is a good idea here to form a team whose members will include as a minimum the IT Security Officer, the Head of IT, the Specialists Responsible and the Data Privacy Officer. Whenever any critical decisions have to be made, e.g. whether the connection should be temporarily suspended due to problems, all the above-named persons should be involved, as experience suggests that their individual interests can be quite different.
Before a network connection is activated, all security deficiencies on both sides should be resolved. A way should also be found of satisfying oneself as to the IT security level of one's partner, for example by means of basic security checks or spot checks on site. Under no circumstances should the elimination of security gaps be deferred until live operation, as experience indicates that security problems are then given lower priority than simple availability problems.
Only those services which have been contractually agreed upon and are also absolutely necessary should be made available to third parties. Which areas of one's own network third parties are able to access should depend on the type of relationship that already exists between the communication partners and on the degree of trust placed in them. Where the partners are abroad, it is imperative to consider the national legislation to which those partners are bound, e.g. in the areas of cryptography and copyright.
Should any security incidents occur through the network connection, it must be clearly defined who is allowed to suspend the connection, when, who must be informed of this and what escalation steps are envisaged.
Review questions:
- Are all security-related aspects specified in writing in an agreement before connecting one's own network to a third party network?
- Has it been defined who is allowed to access what areas and services of the respective other network from one's own network?
- Are points of contact appointed both for organisational and technical questions regarding the network connection?
- Are all security gaps eliminated and the required security level verifiably achieved before the network connection is activated?
- Has it been specified who must be informed and what escalation steps are to be initiated in the event of security problems caused by the network connection?