| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 12.11 - Third-Party Connectivity
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series examines the risk of wiring your network to someone else’s, part of Domain 4. It explains why the moment you plug into a partner their weaknesses become yours, and why the paperwork, the risk review, and the safeguards must come first, before anyone connects a single cable.
What this episode covers
- Fused risk — connecting two networks shares their threats and vulnerabilities, so plan every interconnection in advance.
- Memorandum of understanding — a written statement of shared intent, a formal handshake that is not usually legally binding.
- Interconnection security agreement — the technical document defining posture, risks, and each side’s responsibilities.
- Risk assessment first — paperwork alone will not surface real hazards, so never skip security for a deadline.
- Safer alternatives — an extranet over a VPN, a shared private cloud, or fully separate secure collaboration tools.
- Cloud and remote workers — treat both as third parties, leaning on a cloud access security broker and company-owned equipment.
- Telecom and resilient links — carriers are third parties too, so match technology and build redundancy across diverse paths.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Why is a direct link between two organizations dangerous?
Because connecting two networks fuses their risks. The instant your environment touches another entity’s, their threats and vulnerabilities become shared with yours, and a breach on their side can flow straight into yours and vice versa. That is why any interconnection, physical or virtual, must be planned in careful detail long before the cabling goes in, much like joining two houses with an open hallway where a fire or intruder in one now threatens both.
Which documents govern a third-party link before it goes live?
Two agreements bookend the process. It usually opens with a memorandum of understanding, a written statement of shared intent that is a formal handshake rather than a binding legal contract, sometimes called a letter of intent. It then closes with an interconnection security agreement, the serious technical document that spells out the security posture, the risks, and the responsibilities each side carries for guarding the shared path. Back both with a full risk assessment.
What safer alternatives exist to a direct connection?
Several, and a direct link is rarely the only option. You can stand up an extranet, hosting shared servers the partner reaches over a VPN rather than opening your internal network. You can build a shared private cloud between the two parties, so only project-related content ever crosses. Or you can keep all data fully separate and simply use secure email, file sharing, and collaboration tools, like meeting in a neutral conference room.
How do cloud services and remote workers fit third-party connectivity?
A cloud provider is itself a third party, so as you adopt more services the interaction with your on-premises equipment deepens, calling for clear security policies and, where possible, a cloud access security broker that enforces your rules between users and the cloud. A remote worker is another flavor of third-party connectivity; confine them to extranet or public-facing systems where you can, and issue company-owned, company-controlled equipment rather than trusting personal devices.
How do telecom providers and WAN choices shape third-party connectivity?
Most long-distance links ride on a provider’s infrastructure, so that carrier is a third party too. Carriers offer leased lines, which are dedicated point-to-point connections, along with label-switched and VPN services over shared infrastructure, and a newer software-driven approach routes traffic dynamically across links to balance performance and cost. Keep the link resilient with redundancy and failover, using multiple carriers or diverse physical paths so a single cut does not take you offline.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 12.11 - Third-Party Connectivity.