<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help, I need your opinion in Governance, Risk, Compliance</title>
    <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43381#M306</link>
    <description>&lt;P&gt;It's definitely something to raise a concern about (as many have already commented). Not knowing the full detail, I'd just ask you to consider this: How is this different from an external auditor (such as EY or PwC) coming in and conducting a security assessment of your system? What is your process when handling this kind of scenario/data? (Someone already gave a great example.)&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You said you are willing and offered to spend time with them to&lt;SPAN&gt;&amp;nbsp;review security practices and results of other security assessments done before. But whoever saw that could take notes, and then upload their notes to the repository. How is it different from you uploading the document to the repository yourself?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I believe&amp;nbsp;as CISO you are responsible for identifying and explaining the risk. But if management understands the risk and chooses to accept it, you should document it and proceed. You can take further&amp;nbsp;action to minimize the accepted risk. For example, encrypt or restrict access to&amp;nbsp;the document uploaded to the document management system. Or improve security posture after the security assessment. As someone already commented, a security assessment&amp;nbsp;is a snapshot of how vulnerable you are at that point in time.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 17 Feb 2021 14:58:53 GMT</pubDate>
    <dc:creator>sergeling</dc:creator>
    <dc:date>2021-02-17T14:58:53Z</dc:date>
    <item>
      <title>Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43341#M294</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My name is Paul.&amp;nbsp; This is my first post here.&amp;nbsp; I have come because I am the CISO for a county government and big wigs at the state are pressuring me hard to do something I think is a terrible idea from a security standpoint and right now, I have no one else in my corner.&amp;nbsp; I just wanted to see if other security professionals see the same problems I do, or if I am just overreacting.&amp;nbsp; So here is the scenario... the state is moving towards a new system for the 911 call centers.&amp;nbsp; They have contracted a private company to do security assessments of all of the networks hosting 911 call centers... which I understand.&amp;nbsp; My problem is that the result of this will be the aggregation of the network architecture and vulnerabilities of all of the 911 call centers in the state in the same place.&amp;nbsp; I have offered to spend days with anyone they send reviewing our security practices.&amp;nbsp; I have offered the results of other security assessments we have done as long as they are not uploaded to the repository.&amp;nbsp; But they will not budge and they are now starting to make threats that may end up costing me my job.&amp;nbsp; Before I surrender to protect my job or stick to my guns to do what I believe is the right thing, I would like some alternate viewpoints from other CISSPs out there.&amp;nbsp; Thank you for your time and your thoughts.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;</description>
      <pubDate>Tue, 16 Feb 2021 18:16:50 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43341#M294</guid>
      <dc:creator>Picasso</dc:creator>
      <dc:date>2021-02-16T18:16:50Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43343#M295</link>
      <description>&lt;P&gt;I wouldn't call this an overreaction but rather put it into the &lt;STRONG&gt;due diligence&lt;/STRONG&gt; category to protect the County. I'd only be comfortable doing this if I could see the &lt;STRONG&gt;risk analysis&lt;/STRONG&gt; or &lt;STRONG&gt;third-party risk assessment&lt;/STRONG&gt; the State conducted on the Private Company. I'm assuming they have to meet certain security standards to be a vendor for the State because in mine they do.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Feb 2021 18:36:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43343#M295</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2021-02-16T18:36:41Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43344#M296</link>
      <description>&lt;P&gt;I appreciate your response... and I understand where you are coming from, but to me, the SolarWinds hack changed everything.&amp;nbsp; I am not looking at this from the standpoint of how do I check all of the boxes I need to in order to say I did the right thing.&amp;nbsp; I am looking at this from the standpoint that, no matter how big you are, how much you spend on cyber security, or how good your policy is, safety cannot be guaranteed.&amp;nbsp; Now in most cases, I understand risks have to be accepted.&amp;nbsp; But I think this case is unique because of how dangerous the information could be if it fell into the wrong hands.&amp;nbsp; One 911 call center or 10... maybe not so big a deal.&amp;nbsp; But the vulnerabilities of all of the 911 call centers for the whole state in one place?&amp;nbsp; I'm not ok with that.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Feb 2021 18:43:34 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43344#M296</guid>
      <dc:creator>Picasso</dc:creator>
      <dc:date>2021-02-16T18:43:34Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43345#M297</link>
      <description>I appreciate how much you care and your passion to keep data safe!&lt;BR /&gt;&lt;BR /&gt;I only see this working out if you can talk directly with the State CIO/CISO to voice your concerns. I'd also try and find out what their plans are with the data. How long do you need it? How will it be disposed of? Will we be notified of the disposal?&lt;BR /&gt;&lt;BR /&gt;Hopefully others will weigh in shortly.&lt;BR /&gt;&lt;BR /&gt;Edit: Possibly reaching out to other County CISOs and trying to get them to question this strategy as well before just handing over the data.</description>
      <pubDate>Tue, 16 Feb 2021 19:25:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43345#M297</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2021-02-16T19:25:54Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43346#M298</link>
      <description>&lt;P&gt;Although I agree that aggregation and dissemination of vulnerability reports creates a risk, I think the more defensible position would be about securing the repository and perhaps implementing different levels of access (e.g. politicians need summaries and remediation costs for "everything", whereas techies need details and remediation steps for "their" systems).&amp;nbsp; &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also think it important to identify who "owns" the asset to figure out who gets access to its vulnerability data.&amp;nbsp; Fundamentally, it is the system "owner" that gets to make the final decision (although with "expert" advice).&amp;nbsp; If the State provides the system and pays its bills, denying them access to an assessment of their asset seems like a losing battle.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also, don't forget about the dollars that assessments bring to remediation budgets.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Feb 2021 19:30:05 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43346#M298</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2021-02-16T19:30:05Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43354#M299</link>
      <description>&lt;P&gt;So my thoughts are these:&lt;/P&gt;&lt;P&gt;1) Vulnerability assessments, pen tests, etc. are a snapshot in time. It is how vulnerable you were at that moment.&lt;/P&gt;&lt;P&gt;2) If your bosses want to do this and you have voiced your opinion about it and they still want to continue, then that is their choice and their prerogative. I would document their risk acceptance of storing the results in one place and then move hard on fixing the vulnerabilities. Remember, as the system owners they have the choice to accept any risk. Your job as the CISO is to inform them and then document that they knew the risks and accepted them.&lt;/P&gt;&lt;P&gt;3) If they refuse to sign any risk acceptance documents, then work hard on the remediation. Do not let them just hand this off to IT to remediate. You need to take charge and hold Plan of Action and Milestones (POA&amp;amp;M) meetings. Assign tasks to people or teams to remediate it and track completion. Hold progress meetings to ensure it is not being forgotten about.&lt;/P&gt;&lt;P&gt;4) If you are worried about your county's data being intermingled with others then do what you can to make sure your county's vulnerabilities get fixed. Remember, those assessments are just a snapshot in time and if you fix the vulnerabilities then they hold no danger for you (or at least a mitigated degree of danger).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You have voiced your opinion and now is the time to move on. As a CISO myself, I would not risk my career over this. I would give them the data and then make sure it was no longer accurate for the vulnerabilities with my systems.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also consider this. If they see the same problem throughout all counties, then they should be able to get more resources to fix it faster and maybe cheaper than if they do one county at a time. You may not be seeing the big picture and they may have more data than you know, but they need it all to come up with an enterprise or statewide solution.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Feb 2021 20:58:07 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43354#M299</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2021-02-16T20:58:07Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43359#M300</link>
      <description>&amp;gt; Picasso (Viewer) posted a new topic in Governance, Risk, Compliance on&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; My problem is that the result of this will be the aggregation of&lt;BR /&gt;&amp;gt; the network architecture and vulnerabilities of all of the 911 call centers in&lt;BR /&gt;&amp;gt; the state in the same place.&lt;BR /&gt;&lt;BR /&gt;Well, on the one hand, you could see it as a single point of failure.&lt;BR /&gt;&lt;BR /&gt;On the other hand, a lot of people like the position of "put all your eggs in one&lt;BR /&gt;basket--and then guard that basket."&lt;BR /&gt;&lt;BR /&gt;======================&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;"If you do buy a computer, don't turn it on." - Richards' 2nd Law&lt;BR /&gt;"Robert Slade's Guide to Computer Viruses" 0-387-94663-2&lt;BR /&gt;"Viruses Revealed" 0-07-213090-3&lt;BR /&gt;"Software Forensics" 0-07-142804-6&lt;BR /&gt;"Dictionary of Information Security" Syngress 1-59749-115-2&lt;BR /&gt;"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9&lt;BR /&gt;============= for back issues:&lt;BR /&gt;[Base URL] site &lt;A href="http://victoria.tc.ca/techrev/" target="_blank"&gt;http://victoria.tc.ca/techrev/&lt;/A&gt;&lt;BR /&gt;CISSP refs: [Base URL]mnbksccd.htm&lt;BR /&gt;PC Security: [Base URL]mnvrrvsc.htm&lt;BR /&gt;Security Dict.: [Base URL]secgloss.htm&lt;BR /&gt;Security Educ.: [Base URL]comseced.htm&lt;BR /&gt;Book reviews: [Base URL]mnbk.htm&lt;BR /&gt;[Base URL]review.htm&lt;BR /&gt;Partial/recent: &lt;A href="http://groups.yahoo.com/group/techbooks/" target="_blank"&gt;http://groups.yahoo.com/group/techbooks/&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://en.wikipedia.org/wiki/Robert_Slade" target="_blank"&gt;http://en.wikipedia.org/wiki/Robert_Slade&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://is.gd/RotlWB" target="_blank"&gt;https://is.gd/RotlWB&lt;/A&gt; &lt;A href="http://twitter.com/rslade" 
target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;</description>
      <pubDate>Tue, 16 Feb 2021 22:48:37 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43359#M300</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2021-02-16T22:48:37Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43371#M302</link>
      <description>&lt;P&gt;The problem you're describing could be more of a DR / business continuity issue.&amp;nbsp; It may be worth identifying anyone working in that area at a state level and advising of the continuity risk.&amp;nbsp; Ultimately, as &lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;suggested, you may be facing a situation in which the decision has already been made and your warnings begin to be perceived as a blocker to change.&amp;nbsp; Allowing that perception to continue would not be a good thing, so you'd need to follow risk management practice and ask for formal acceptance of the risk, rather than allow yourself to get put in the politically inconvenient category.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 10:20:59 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43371#M302</guid>
      <dc:creator>Steve-Wilme</dc:creator>
      <dc:date>2021-02-17T10:20:59Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43373#M303</link>
      <description>&lt;P&gt;I’d just add that if there’s a worry about the data going walkies, it’s generally affecting all the uploaders, aggregation is a concern, and the provider isn’t meeting requirements, you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification as Diana points out can then be somewhat enforced, with different views for different groups.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 10:53:35 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43373#M303</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2021-02-17T10:53:35Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43378#M304</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/797288093"&gt;@Early_Adopter&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;... the provider isn’t meeting requirements you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification as Diana points out can then be somewhat enforced, with different views for different groups.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/256857123"&gt;@Picasso&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another aspect: if any of the networks are managed under contract by external providers, the results of the audit are likely intellectual property of the provider, and cannot be maintained by the county government except under specific legal or contractual requirements. And that information control would definitely have to be part of the "get out of jail" test and intrusion agreements between the audit company and the provider, agreements that the county is not a primary participant in.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 13:51:51 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43378#M304</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2021-02-17T13:51:51Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43380#M305</link>
      <description>&lt;P&gt;If you view the 3PP as the weak link, ask how they protect client data.&amp;nbsp; Do they easily welcome an audit to assure compliance with their own data protection mechanisms?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And yes, I would ask another CISO in another jurisdiction that uses this particular 3PP vendor, and hear his concerns.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 14:01:47 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43380#M305</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2021-02-17T14:01:47Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43381#M306</link>
      <description>&lt;P&gt;It's definitely something to raise a concern about (as many have already commented). Not knowing the full detail, I'd just ask you to consider this: How is this different from an external auditor (such as EY or PwC) coming in and conducting a security assessment of your system? What is your process when handling this kind of scenario/data? (Someone already gave a great example.)&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You said you are willing and offered to spend time with them to&lt;SPAN&gt;&amp;nbsp;review security practices and results of other security assessments done before. But whoever saw that could take notes, and then upload their notes to the repository. How is it different from you uploading the document to the repository yourself?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I believe&amp;nbsp;as CISO you are responsible for identifying and explaining the risk. But if management understands the risk and chooses to accept it, you should document it and proceed. You can take further&amp;nbsp;action to minimize the accepted risk. For example, encrypt or restrict access to&amp;nbsp;the document uploaded to the document management system. Or improve security posture after the security assessment. As someone already commented, a security assessment&amp;nbsp;is a snapshot of how vulnerable you are at that point in time.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 14:58:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43381#M306</guid>
      <dc:creator>sergeling</dc:creator>
      <dc:date>2021-02-17T14:58:53Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43396#M311</link>
      <description>&lt;P&gt;Bottom line&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/256857123"&gt;@Picasso&lt;/a&gt;&amp;nbsp;people do not change and government procurement is broken. Vulnerability assessments and pen tests are not worth the paper they are printed on because often "their scope" is not what you actually need tested. To succeed you need to bring real quantitative data to the debate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will be the first to go even if the risk acceptance is documented and approved by your management chain. Look on the bright side, this is a sign to move on to bigger and better things!&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Feb 2021 02:24:59 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43396#M311</guid>
      <dc:creator>AppDefects</dc:creator>
      <dc:date>2021-02-18T02:24:59Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43728#M337</link>
      <description>&lt;P&gt;Hi Picasso,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can understand the concern to share security information and the hesitation.&amp;nbsp; I agree with some others who have stated there may need to be a secured repository to share security documentation and very sensitive vulnerability information.&amp;nbsp; &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I go through security reviews of other security packages that are in the federal cloud services program called FedRAMP.&amp;nbsp; Here major cloud companies provide access to their security authorization packages - the security plan documents, implementation statements, vulnerability scans, AND a recent assessment by a third party.&amp;nbsp; Sounds similar to what is being asked of you.&amp;nbsp; However, in order for me to review the package, I have to sign a strict NDA, access is controlled by the cloud provider portal or federal portal for my review, access is time limited, and some added document protections may restrict actions or access (document password that expires).&amp;nbsp; Also, the FedRAMP package information is often detailed enough to answer the control requirement but may not include the sensitive details, some do but most scrub it a bit.&amp;nbsp;Some of the FedRAMP systems I have reviewed are considered HIGH level - meaning the system supports classified level information.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I'm reviewing a "shared service" for multiple government agencies, I am usually doing what you suggest - they set up a time/location for me to come review.&amp;nbsp; With the whole Covid situation, this has gone somewhat virtual - in that we use a web meeting and they share their screen and either they let me have control to view the documents while they monitor OR they scroll through the documents as I request (slow process).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also work with private DoD contracting businesses who are now getting security documents together that will need to be shared/reviewed by third party auditors and government clients. And the approach for most has been similar to the FedRAMP approach.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best of luck!&amp;nbsp; Let me know if you have any further questions,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Mel&lt;/P&gt;</description>
      <pubDate>Fri, 05 Mar 2021 01:24:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43728#M337</guid>
      <dc:creator>Mel-CyberC</dc:creator>
      <dc:date>2021-03-05T01:24:29Z</dc:date>
    </item>
    <item>
      <title>Re: Help, I need your opinion</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43976#M338</link>
      <description>&lt;P&gt;Looks like maybe a few things going on. From what I can tell, first and foremost is this is a 3rd party assessment or audit. If you have ever been through a financial or IG audit, regardless of how your policies are or past assessments (which would be a good reference to identify improvements), they are looking at a snapshot in time for the current state.&amp;nbsp; They might be using some kind of standard (maybe NIST/etc.) but regardless are asking for "proof" because policies, procedures, and configuration (screenshots, scans) in most cases show a control is in place.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Using an external company, was there any kind of Non-Disclosure?&lt;/P&gt;&lt;P&gt;2. Is there any kind of Rules of Engagement?&lt;/P&gt;&lt;P&gt;And more importantly....&lt;/P&gt;&lt;P&gt;3. Did you save any emails about needing more funding for manpower, technology, etc.?&lt;/P&gt;&lt;P&gt;Because bottom line is they will always find something but you at least need to justify/CYA for yourself that everything possible was tried to improve the security posture. Also with the ongoing ransomware and knowing state/municipality politics they are probably less concerned with security and more concerned with having someone to blame it on. $0.02&lt;/P&gt;</description>
      <pubDate>Mon, 15 Mar 2021 13:24:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Help-I-need-your-opinion/m-p/43976#M338</guid>
      <dc:creator>RRoach</dc:creator>
      <dc:date>2021-03-15T13:24:21Z</dc:date>
    </item>
  </channel>
</rss>