ericgeater
Community Champion

Re: Help, I need your opinion

If you view the 3PP as the weak link, ask how they protect client data.  Do they easily welcome an audit to assure compliance with their own data protection mechanisms?
And yes, I would ask another CISO in another jurisdiction that uses this particular 3PP vendor, and hear his concerns.

---
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
sergeling
Newcomer III

Re: Help, I need your opinion

It's definitely something to raise a concern about (as many have already commented). Not knowing the full details, I'd just ask you to consider this: how is this different from an external auditor (such as EY or PwC) coming in and conducting a security assessment of your system? What is your process when handling this kind of scenario/data? (Someone already gave a great example.)
You said you are willing and have offered to spend time with them to review security practices and the results of other security assessments done before. But whoever sees that can take notes and then upload their notes to the repository. How is that different from you uploading the document to the repository yourself?
I believe that as CISO you are responsible for identifying and explaining the risk. But if management understands the risk and chooses to accept it, you should document it and proceed. You can take further action to minimize the accepted risk. For example, encrypt or restrict access to the document uploaded to the document management system. Or improve your security posture after the security assessment. As someone already commented, a security assessment is a snapshot of how vulnerable you are at that point in time.

AppDefects
Community Champion

Re: Help, I need your opinion

Bottom line, @Picasso: people do not change and government procurement is broken. Vulnerability assessments and pen tests are not worth the paper they are printed on because often "their scope" is not what you actually need tested. To succeed you need to bring real quantitative data to the debate.
You will be the first to go even if the risk acceptance is documented and approved by your management chain. Look on the bright side: this is a sign to move on to bigger and better things!