Page 1139 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
specify availability such as with maximum downtimes. With this in mind, an organization should have a clear idea of its requirements when working with third parties and make sure the SLA includes these requirements.
In addition to an SLA, organizations sometimes use a memorandum of understanding (MOU) and/or an interconnection security agreement (ISA). MOUs document the intention of two entities to work together toward a common goal. Although an MOU is similar to an SLA, it is less formal and doesn’t include any monetary penalties if one of the parties doesn’t meet its responsibilities.
If two or more parties plan to transmit sensitive data, they can use an ISA to specify the technical requirements of the connection. The ISA provides information on how the two parties establish, maintain, and disconnect the connection. It can also identify the minimum encryption methods used to secure the data.
NIST Special Publication 800-47, “Security Guide for Interconnecting Information Technology Systems,” includes detailed information on MOUs and ISAs.
Addressing Personnel Safety and Security
Personnel safety concerns are an important element of security operations. It’s always possible to replace things such as data, servers, and even entire buildings. In contrast, it isn’t possible to replace people. With that in mind, organizations should implement security controls that enhance personnel safety.
As an example, consider the exit door in a datacenter that is controlled by a pushbutton electronic cipher lock. If a fire results in a power outage, does the exit door automatically unlock or remain locked? An organization that values assets in the server room more than personnel safety might decide to ensure that the door remains locked when power isn’t available. This protects the physical assets in the datacenter. However, it also risks the lives of personnel within the