Risk Assessments

  • 1.  Inherent Risk - Physical Access

    This message was posted by a user wishing to remain anonymous
    Posted 07-28-2021 08:26 AM

    We have a secured campus and maintain a well-established policy for vetting non-employees prior to providing them any building access.  A key pass is required to use the elevator, enter staircases, and gain entry to each floor.  Should vendors with physical access to our facilities (janitorial services, external security guards, routine facility maintenance technicians, etc.) be included in calculating the vendor's inherent risk score?  Or should we omit vendor access from our inherent risk rating, placing reliance on our strong physical access control environment (which didn't work for Target's breach caused by an HVAC vendor)?  Interested in hearing your thoughts...


  • 2.  RE: Inherent Risk - Physical Access

    Posted 07-28-2021 08:51 AM

    Unattended facility access is, in my opinion, absolutely a part of a vendor's risk profile.

    This is the area where the apocryphal story of the HVAC vendor hacking the network comes into play.

    Cleaners, maintenance folk, caterers, or whoever is left to their own devices in your secure facility technically has a higher risk associated.  Granted, it is mitigated easily by things like clean desk policy, locked offices, etc.

    That said, there is also an old saw that if you want to get a message to the cleaning staff, put it on a post-it note and leave it on your keyboard. They will get the message with blinding speed most times.

    Now, to drill down a little more, I have in the past considered this sort of access to be 'incidental access', which is a moderate risk, rather than a high risk.  It's a muddy middle ground where you have folks who are non-staff that could [but probably won't] look at, remember, or even take, private docs or data.
    Short form: yes there is risk, but it's also not huge risk.

    Thanks,
    Dave

    David Howe
    Chief Information Officer


  • 3.  RE: Inherent Risk - Physical Access

    Posted 07-28-2021 08:52 AM
    Hey there - An outside service provider's physical access, regardless of their service type or job function, is still factored into the inherent risk scores we apply as there can still be potential security and safety concerns if the individual(s) have not undergone formal background checks, as an example. The risk mitigation approach is not as strong considering their access within the building is limited based on assigned badge access capabilities but it should certainly be factored into the inherent and ongoing risk management activities your team institutes.


  • 4.  RE: Inherent Risk - Physical Access

    This message was posted by a user wishing to remain anonymous
    Posted 07-28-2021 09:56 AM

    Physical access should definitely be considered/factored into the inherent risk score, along with whether access will be accompanied or unaccompanied.  Obviously, accompanied access carries much lower risk, but a vendor could see/overhear something sensitive while onsite, which could be a concern.  Unaccompanied access can cause higher concern from a security risk standpoint, and the vendor should be checked to ensure that they conduct background checks at minimum.  From an internal standpoint, limiting access to secure areas is also key to mitigate security risks.


  • 5.  RE: Inherent Risk - Physical Access

    This message was posted by a user wishing to remain anonymous
    Posted 07-28-2021 10:40 AM

    We definitely consider onsite service providers a vendor, and they will go through our normal vendor risk assessment process.  For consultants or temps that have access to our network, we run them through our new employee process.  For janitorial staff and repair personnel, we put protection clauses in the contract (e.g., they are responsible for losses and damages caused by their employees) as well as review and get evidence of their screening and hiring process.