Risk Assessments

  • 1.  Low Impact Vendors and Penetration Tests

    This message was posted by a user wishing to remain anonymous
    Posted 02-21-2024 02:31 PM

    We are a local entity performing our Third Party Risk Assessments based on the category of the system and information. 

    In a recent review, we had push back from a security manager who wants to perform a penetration test of the hosted system, although the data is part of the public domain and the system has a limited adverse effect (meaning a low impact SaaS). All information is part of the public domain, and the system is used for communication. 

    My concern is that we did not include penetration testing as part of our contract language, and I want to update procedures accordingly so that a request from security is not a surprise as we move forward to implement. This pen test is also not included as a requirement in current documented procedures.

    While I know we can utilize the "document and assess" approach per FedRAMP for Low Impact SaaS, going forward, does anyone have recommendations on what we may be missing in our procedure? And how best to explain "document and assess" to someone who ignored the impact category of the system?

    We include in the final assessment /risk review meetings: 

    • Summary of risk assessment
    • Any control deficiencies (one compensating control was noted)
    • Business risk acceptance
    • Organizational risk accepted.
    • Legal risk accepted.

    A few of us in risk were thrown for a loop on this and want to avoid recurrence. We think we have the answer, but want to make sure we are not missing anything.



  • 2.  RE: Low Impact Vendors and Penetration Tests

    Posted 03-04-2024 01:40 PM

    From an outsider's perspective, it appears to be a difference in opinion on inherent risk introduced due to the use of the vendor's system. You outline that the data in scope is public domain and thus a limited adverse effect was determined. Not knowing the type of data and purpose of the system is a limiter to me, but my guess is that the security manager may see risk in not the disclosure of the information, but the potential for the data to be incorrect due to a loss of integrity, or become temporarily unavailable, which could be caused by the exploit of a weakness in the vendor's system. Incorrect data could then potentially impact your own operations or reputation if your system uses or displays that data to provide services, or the lack of the data's availability may impact your entity's ability to provide services. Clean results from a recent penetration test would be one good addition as a mitigating control in that case. If that risk was assessed and still deemed low impact, and a penetration test is outside of your documented requirements for low-impact SaaS providers, then your policy should be followed for consistency, or updated to reflect a change in the determination of impact.

    If others have experience with this process, it would be great to hear additional perspectives!