My name is Paul. This is my first post here. I have come because I am the CISO for a county government and big wigs at the state are pressuring me hard to do something I think is a terrible idea from a security standpoint and right now, I have no one else in my corner. I just wanted to see if other security professionals see the same problems I do, or if I am just overreacting. So here is the scenario... the state is moving towards a new system for the 911 call centers. They have contracted a private company to do security assessments of all of the networks hosting 911 call centers... which I understand. My problem is that the result of this will be the aggregation of the network architecture and vulnerabilities of all of the 911 call centers in the state in the same place. I have offered to spend days with anyone they send reviewing our security practices. I have offered the results of other security assessments we have done as long as they are not uploaded to the repository. But they will not budge and they are now starting to make threats that may end up costing me my job. Before I surrender to protect my job or stick to my guns to do what I believe is the right thing, I would like some alternate viewpoints from other CISSPs out there. Thank you for your time and your thoughts.
I wouldn't call this an overreaction but rather into the due diligence category to protect the County. I'd only be comfortable doing this if I could see the risk analysis or third-party risk assessment the State conducted on the Private Company. I'm assuming they have to meet certain security standards to be a vendor for the State because in mine they do.
I appreciate your response... and I understand where you are coming from, but to me, the solarwinds hack changed everything. I am not looking at this from the standpoint of how do I check all of the boxes I need to in order to say I did the right thing. I am looking at this from the standpoint that, no matter how big your are, how much to spend on cyber security, or how good your policy is, safety cannot be guaranteed. Now in most cases, I understand risks have to be accepted. But I think this case is unique because of how dangerous the information could be if it fell into the wrong hands. One 911 call center or 10... maybe not so big a deal. But the vulnerabilities all of the 911 call centers for the whole state in one place? I'm not ok with that.
Although I agree that aggregation and dissemination of vulnerability reports creates a risk, I think the more defensible position would be about securing the repository and perhaps implementing different levels of access (e.g. politicians need summaries and remediation costs for "everything", whereas techies need details and remediation steps for "their" systems).
I also think it important to identify who "owns" the asset to figure out who gets access to its vulnerability data. Fundamentally, it is the system "owner" that gets to make the final decision (although with "expert" advise). If the State provides the system and pays its bills, denying them access to an assessment of their asset seems like a losing battle.
Also, don't forget about the dollars that assessments bring to remediation budgets.
So my thoughts are these:
1) Vulnerability assessments, pen tests, etc. are a snapshot in time. It is how vulnerable you were at that moment.
2) If your bosses want to do this and you have voiced your opinion about it and they still want to continue, then that is their choice and their prerogative. I would document their risk acceptance of storing the results in one place and then move hard on fixing the vulnerabilities. Remember, as the system owners they have the choice to accept any risk. Your job as the CISO is to inform them and then document that they knew the risks and accepted them.
3) If they refuse to sign any risk acceptance documents, then work hard on the remediation. Do not let them just hand this off to IT to remediate. You need to take charge and hold Plans of Actions and Milestone (POA&M) meetings. Assign tasks to people or teams to remediate it and track completion. Hold progress meetings to ensure it is not being forgotten about.
4) If you are worried about your county's data being intermingled with others then do what you can to make sure your county's vulnerabilities get fixed. Remember, those assessments are just a snapshot in time and if you fix the vulnerabilities then they hold no danger for you (or at least a mitigated degree of danger).
You have voiced your opinion and now is the time to move on. As a CISO myself, I would not risk my career over this. I would give them the data and then make sure it was no longer accurate for the vulnerabilities with my systems.
Also consider this. If they see the same problem throughout all counties, then they should be able to get more resources to fix it faster and maybe cheaper than if they do one county at a time. You may not be seeing the big picture and they may have more data than you know but they need it all, to come up with an enterprise or statewide solution.
The problem you're describing could be more of a DR / business continuity issue. It may be worth identifying anyone working in that area at a state level and advising of the continuity risk. Ultimately, as @CISOScott suggested you may be facing a situation in which the decision has already been made and your warnings begin to be perceived as a blocker to change. Allowing that perception to continue would not be a good thing, so you'd need to follow risk management practice and ask for formal acceptance of the risk, rather than allow yourself to get put in the politically inconvenient category.
I’d just add that if there’s a worry about the data going walkies, it’s generally affecting all the uploaders,aggregation is a concern, and the provider isn’t meeting requirements you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification as Diana points out can then be somewhat enforced, with different views for different groups.
... the provider isn’t meeting requirements you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification as Diana points out can then be somewhat enforced, with different views for different groups.
Another aspect: if any of the networks are managed under contract by external providers, the results of the audit are likely intellectual property of the provider, and cannot be maintained by the country gounverment except under specific legal or contractual requirements. And that information control would definitely have to be part of the "get out of jail" test and intrusion agreements between the audit company and the provider, agreements that the county is not a primary participant in.