Domain 5 · 5.3 Third-Party Risk

5.3.3 Agreement Types

SLA, MOA, MOU, MSA, SOW, NDA, BPA.

17 min

Agreement types are formal documents that define the business relationship, security requirements, and operational expectations between organizations or internal departments.

Core Business Agreements - SLA (Service Level Agreement): A formal contract between a provider and a customer that specifies minimum uptime, performance metrics, and availability. It often includes financial penalties if the provider fails to meet these standards. - MOU (Memorandum of Understanding): A non-binding agreement between parties (often within the same parent organization or government agencies) that outlines a common path of action. It describes intended mutual goals without necessarily involving a legal contract or the exchange of money. - MOA (Memorandum of Agreement): A more formal version of an MOU that outlines specific responsibilities and actions each party must take to achieve a goal. It often serves as a precursor to a legal contract. - MSA (Master Service Agreement): A high-level contract that governs the entire relationship between two parties. It establishes general terms (such as payment terms or dispute resolution) so that future specific projects don't need to renegotiate basic legalities. - SOW (Statement of Work): A highly specific document that defines the deliverables, timelines, and technical tasks for a particular project. It is typically nested under an MSA.

Specialized Security Agreements - NDA (Non-Disclosure Agreement): A legal contract used to protect confidentiality. It prohibits parties from sharing sensitive information (intellectual property, trade secrets) with unauthorized third parties. - BPA (Business Partners Agreement): A legal document specifically used between strategic partners (like a manufacturer and a reseller) that details profit-sharing, levels of authority, and expectations for the partnership. - ISA (Interconnection Security Agreement): A technical document that specifies the security requirements, encryption standards, and communication protocols used when two organizations connect their IT infrastructures.

Industrial Standards and Frameworks - PCI DSS (Payment Card Industry Data Security Standard): A mandatory industry standard for any organization that processes, stores, or transmits credit card data to prevent fraud. - ISO/IEC 27001: An international standard defining best practices for an Information Security Management System (ISMS). - NIST RMF (Risk Management Framework): A comprehensive framework (SP 800-37) used by federal agencies and private companies to manage security and privacy risks throughout a system's life cycle.

Quick recall - Guaranteed uptime/penalties? SLA. - Internal cooperation/no money? MOU. - Protecting trade secrets? NDA. - Connecting two networks? ISA. - Credit card security? PCI DSS. - Project tasks and deadlines? SOW.