My name is Paul. This is my first post here. I have come because I am the CISO for a county government and bigwigs at the state are pressuring me hard to do something I think is a terrible idea from a security standpoint, and right now I have no one else in my corner. I just wanted to see if other security professionals see the same problems I do, or if I am just overreacting. So here is the scenario... the state is moving towards a new system for the 911 call centers. They have contracted a private company to do security assessments of all of the networks hosting 911 call centers... which I understand. My problem is that the result of this will be the aggregation of the network architecture and vulnerabilities of all of the 911 call centers in the state in the same place. I have offered to spend days with anyone they send reviewing our security practices. I have offered the results of other security assessments we have done as long as they are not uploaded to the repository. But they will not budge, and they are now starting to make threats that may end up costing me my job. Before I surrender to protect my job or stick to my guns to do what I believe is the right thing, I would like some alternate viewpoints from other CISSPs out there. Thank you for your time and your thoughts.
If you view the 3PP as the weak link, ask how they protect client data. Do they easily welcome an audit to assure compliance with their own data protection mechanisms?
And yes, I would ask another CISO in another jurisdiction that uses this particular 3PP vendor, and hear his concerns.
It's definitely something to raise a concern about (which many have already commented on). Not knowing the full detail, I'd just ask you to consider this: How is this different from an external auditor (such as EY or PwC) coming in and conducting a security assessment of your system? What is your process when handling this kind of scenario/data? (someone already gave a great example)
You said you are willing and have offered to spend time with them to review security practices and the results of other security assessments done before. But whoever saw that can take notes, and then upload their notes to the repository. How is that different from you uploading the document to the repository yourself?
I believe as CISO you are responsible for identifying and explaining the risk. But if management understands the risk and chooses to accept it, you should document it and proceed. You can take further action to minimize the accepted risk. For example, encrypt or restrict access to the document uploaded with a document management system. Or improve your security posture after the security assessment. As someone already commented, a security assessment is a snapshot of how vulnerable you are at that point in time.
Bottom line @Picasso people do not change and government procurement is broken. Vulnerability assessments and pen tests are not worth the paper they are printed on because often "their scope" is not what you actually need tested. To succeed you need to bring real quantitative data to the debate.
You will be the first to go even if the risk acceptance is documented and approved by your management chain. Look on the bright side, this is a sign to move on to bigger and better things!
I can understand the concern about sharing security information and the hesitation. I agree with some others who have stated there may need to be a secured repository to share security documentation and very sensitive vulnerability information.
I go through security reviews of other security packages that are in the federal cloud services program called FedRAMP. Here major cloud companies provide access to their security authorization packages - the security plan documents, implementation statements, vulnerability scans, AND a recent assessment by a third party. Sounds similar to what is being asked of you. However, in order for me to review the package, I have to sign a strict NDA, access is controlled by the cloud provider portal or a federal portal for my review, access is time limited, and some added document protections may restrict actions or access (a document password that expires). Also, the FedRAMP package information is often detailed enough to answer the control requirement but may not include the sensitive details; some do, but most scrub it a bit. Some of the FedRAMP systems I have reviewed are considered HIGH level - meaning the system supports classified level information.
If I'm reviewing a "shared service" for multiple government agencies, I am usually doing what you suggest - they set up a time/location for me to come review. With the whole Covid situation, this has gone somewhat virtual - in that we use a web meeting and they share their screen and either they let me have control to view the documents while they monitor OR they scroll through the documents as I request (slow process).
I also work with private DoD contracting businesses who are now getting security documents together that will need to be shared/reviewed by third party auditors and government clients. And the approach for most has been similar to the FedRAMP approach.
Best of luck! Let me know if you have any further questions.
Looks like maybe a few things going on. From what I can tell, first and foremost is this is a 3rd party assessment or audit. If you have ever been through a financial or IG audit, regardless of what your policies are or past assessments (which would be a good reference to identify improvements), they are looking at a snapshot in time for the current state. They might be using some kind of standard (maybe NIST/etc.) but regardless are asking for "proof" because policies, procedures, and configuration (screenshots, scans) in most cases show a control is in place.
1. Using an external company, was there any kind of Non-Disclosure Agreement?
2. Is there any kind of Rules of Engagement?
And more importantly....
3. Did you save any emails about needing more funding for manpower, technology, etc.?
Because the bottom line is they will always find something, but you at least need to justify/CYA for yourself that everything possible was tried to improve the security posture. Also, with the ongoing ransomware and knowing state/municipality politics, they are probably less concerned with security and more concerned with having someone to blame it on. $0.02