This message was posted by a user wishing to remain anonymous
We are a local entity performing our Third Party Risk Assessments based on the category of the system and information.
In a recent review, we had pushback from a security manager who wants to perform a penetration test of the hosted system, although the data is part of the public domain, with limited adverse effect (meaning a low-impact SaaS). All information is part of the public domain, and the system is used for communication.
My concern is that we did not include penetration testing as part of our contract language, and I want to update procedures accordingly so that a request from security is not a surprise as we move forward to implement. This pen test is also not included as a requirement in our current documented procedures.
While I know we can utilize "document and assess" per FedRAMP for Low Impact SaaS, going forward, does anyone have recommendations on what we may be missing in our procedure? And how best to explain "document and assess" to someone who ignored the impact category of the system?
We include in the final assessment/risk review meetings:
- Summary of risk assessment
- Any control deficiencies (one compensating control was noted)
- Business risk acceptance
- Organizational risk accepted.
- Legal risk accepted.
A few of us in risk were thrown for a loop on this and want to avoid recurrence. We think we have the answer, but want to make sure we are not missing anything.