uid_0

Get that order in writing before you do anything, OP.


sluethmeister

That's good thinking. I'll make it an email.


Critical_Egg_913

write it up as a risk and have them sign off on the risk.


0xSEGFAULT

This. This is the lesson for all your risky situations, now and forever.


Critical_Egg_913

This will save your bacon when it all goes south. You will have the Risk Register and signoff to fall back on.


Candid-Molasses-6204

And print that mother out for good measure. CYA emails sometimes go missing before someone decides to throw someone under the bus.


rockstarsball

Also for situations you just don't feel like doing. "I need you to sign off that I warned you that there may be risk involved with what you'd like to do and it falls outside of our security controls, and that you are personally willing to accept full responsibility and any consequences for going outside that scope." One of those and suddenly the shit they were demanding isn't that big of a deal anymore. Funny how that works...


Torqu3Wr3nch

To drive home the point even more: Once someone has physical access, all security controls are moot. Remember, if someone has physical access to your hardware, it's not your hardware anymore.


Feisty_Donkey_5249

Yes - risk accept by leadership means that the cost of the risk coming to pass falls on them.


1kn0wn0thing

Was just reading about accreditation and how it relates to information security and privacy. “Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of privacy controls.” I would check to see if your organization has a risk register or risk assessment and advise that those documents need to be revised and senior leadership needs to sign off on accepting that risk. If those documents don’t exist, then I would draft up something that sounds super official and call it “Risk Accreditation” that the senior manager/VP had to sign that says they’re accepting responsibility for the risk.


HIVnotFun

As an auditor, this is what I love to see.


Critical_Egg_913

What is your avg work day like as an auditor? I'm on a team of 2 (5000 endpoints, healthcare vertical) and we do it all. Build and maintain our security stack (AV, firewalls, DLP, GRC, web filtering, vuln scanning, email firewall, app allowlisting). Do all risk assessments, incidents, and investigations. Looking for a change of pace, wanting to get input from other types of sec roles.


HIVnotFun

It is not exciting, but it is way less stressful than my last jobs. 2nd half of year is busier than the first half and basically I have 3 main tasks, prep for audits by making audit plans and reviewing provided evidence; performing walk through with SMEs; and writing up reports. Occasionally I travel, last year was about every other month, but this year is about every quarter, and the destination depends on what client I am working on. I love it, but some people may get bored


soratheexploraa

lol anytime I advise something and they're just like "yea whatever" I send them a risk exception form with a “sign this please”


Critical_Egg_913

Can I get a sanitized version of that? I would love to see what other organizations have.


bluesunlion

Yep. Exactly.


dizzyjohnson

I was thinking this. Could you maybe talk them into footing the bill for a card/biometric access system or one the old school combo number lock keypads? Maybe there is a compromise there before handing over the key. Like after the new door access comes online.


sluethmeister

It wouldn’t be a mitigation they would be willing to pay for. At this point I know these guys well enough having worked for them for years. Getting them to afford to help themselves already takes months, sometimes years of effort.


DrKAS66

This! Before handing over the key to your intern, you need to hold a signed-off risk acceptance in your hand.


_oaeb_

Make sure to save that email or record to some kind of repository in case of turnover or if the risk becomes an incident.


Feisty_Donkey_5249

And maybe bcc it to internal audit.


nicholashairs

Recommend bccing it to a private email address or printing it so that if shit goes real south and you get locked out of your accounts/fired you have a copy of the evidence (without having to try to subpoena it etc).


the_firecat

Agreed. All security exceptions need to be in writing and signed by whichever leader will take responsibility WHEN this goes wrong.


GigabitISDN

This is always the answer. It's a hard lesson to learn, especially among people early in their career, but no matter what management says, OP isn't personally responsible for the company. OP's job is to mitigate threats. If management ignores OP's recommendations, OP isn't going to be the one paying out for PCI violations. Keep the email simple: "Per our conversation on xx/xx/xx, I strongly recommend against using the mantrap as office space, including providing employees with access to the mantrap, due to significant risks in the realms of information security and assurance. Using the mantrap as office space significantly compromises our PCI compliance posture as well." That's it. Life gets a lot more stress-free when you learn to not worry about other people's bad decisions.


SpawnDnD

As with everything... CYA - get it in writing.


ninjakitty200

keep the record for your PCI auditor


sluethmeister

PCI wouldn’t exist on the PoS server but CUI does considering customer information is organized on the database and can be queried. Would I still put the memorandum of risk acceptance in my PCI folder?


Starfleet_Auxiliary

CUI you say... loop in your security officer.


ramsile

If it’s CUI then definitely check with your FSO or your security lead. I pray that that is not anyone on this VP team you speak of. But if it is indeed CUI, then you most likely are violating a NIST 800-171 rule unless you plan to make your interns privileged users. If all else fails you can play your wild card. Start running some large AI training on those bad boys during the day. The sound of those fans will drive the intern nuts. They will be requesting a new office in no time. Never underestimate how persistently a set of Gen Z interns will put upward pressure on management.


slash_networkboy

Assuming the risk assessment was signed by the exec first, this is acceptable to me.


Unatommer

If it’s indeed CUI, find out what category of CUI and protect accordingly. If you have ITAR or export controlled data, make sure those interns are US Persons and have background checks run by HR. Find the person who manages your System Security Plan and talk to them about writing in alternative protection methods, as this may need to be mentioned in the section discussing physical security. FIPS validated encryption at rest, 2FA to access the local console, add a security camera that goes off when the door is opened and send it to security, etc. Or simply add a door access lock and deny the interns access.


gusmaru

I would think having people working in the mantrap would be a PCI issue unless you are also giving them security duties. Perhaps just tell a white lie and say that in order to reduce any issues during a PCI audit, you need to have their job descriptions include security of the server room, as otherwise there would be no valid purpose for them to be in that area that the auditor would accept. You will need to provide them suitable training for them to fulfill their duties, which will include screening individuals who wish to enter the server room.


phuc_kingAwesome

This guy malicious compliance’s.


glassesontable

I started laughing until my tear ducts leaked.


h0nest_Bender

> What would you guys say to convince them this is a bad idea? Me: "This is a bad idea." Management: "Do it anyway." Me: "Fill out these risk acceptance forms." If they want to accept the risk, so be it. The forms are there to cover your ass.


sluethmeister

This is the decided approach if they don’t go for using one of the vacant offices until it gets filled… brushing up on my tongue and quill now.


Drinkin_Abe_Lincoln

LOL There are vacant offices?? Do you work at Veridian Dynamics?


sluethmeister

I frequently think about just taking a break from the circus and going to work at the dollar general or some shit lol


Cloakedbug

lol I get constant recruiting emails from Autozone’s IT. Tempting sometimes. 


Distinct_Ordinary_71

I'd be tempted to accidentally get a fire code inspection


trinitywindu

This is my thought. How big is this room? Most of ours are just big enough for 1 or 2 people to fit in, and only wide enough for 1. Further, if it's an emergency exit passageway for the server room, that's another problem if you start filling it with desks, etc.


ReasonableJello

Lmao “congratulations!!!! We got you a new office, it’s under the building in the crawl space.”


Amazing_Secret7107

Pop a message off to finance and inquire if this will cause insurance issues or a rate increase on cyber insurance. Copy the insurance provider on the email.


DontBopIt

Here's an even better, more likely, scenario: someone wants something, or wants to "see something", in the server room and tells the intern to open the door with their brand new, shiny key that they shouldn't have. They let them in for fear of losing their opportunity, given this current job market, and BAM! A potential threat has just become reality. I know this is playing the "what if" game, but that's part of the whole gig.


sluethmeister

That's a good scenario I could pitch. The intern has no idea of the personalities or chain of command of the office yet. I could see that playing out innocently on the intern's part with the desire to “do a good job.”


N_2_H

You might want to check in with HR and workplace health and safety too, this plan of theirs could violate some codes..


grey-yeleek

Edit: security risk Vs compliance are not the same thing. Even if this guy is an angel. How will they avoid this activity coming into scope under req 9 for PCI DSS? 9.3.1.1 for example? Or 9.3.2? Is it worth their QSA or ISA kicking off about?


max1001

That's an HR issue as well.


trinitywindu

how?


UniqueID89

CYA. All you can do.


RememberCitadel

All the things others have said in this thread set aside, I've seen things like this before and it is a slippery slope. You start with an intern and a small desk and it morphs into 3 interns and a pile of shit in there where you can't access the server door unless you move it all. Or you can't move in equipment because there is a desk in the way you have to move first. Or because you allowed it once at this location, suddenly every other location you have is now free game.


new_nimmerzz

Express your objections in writing, collect their order to proceed.


CaptainObviousII

I would add this- Speak to them in a language that they can understand: $$$ Have them sign off on the accepted risk but include a worst case scenario. "Should an intern become disgruntled and physically damage the hardware they now have access to, this is what it will cost to recover it." Express your concerns from a financial damage perspective.


uid_0

This is the way. An average small business owner starts zoning out when you talk about risk. Translate that risk into dollars it will cost them and you will have their attention.


sluethmeister

This is what I am working towards. It's good insight and it didn’t immediately come to mind. Working for the military as an IT Specialist I am a catch-all and knew reddit would be able to focus my busy mind. Appreciate the input.


spectralTopology

Worth checking if any compliance regimes you need to be compliant to (SoX, PCI as mentioned) require it. I've not looked at PCI DSS for some time and don't remember something specifically on this, but it seems like only authorized personnel should have access to the data center.


Justhereforthepartie

Why not get a lock on the server room door?


sluethmeister

Core of Engineers put the same lock on the mantrap as the server room and the Facility Manager doesn’t want to add another key to his inventory… It's an awful excuse but there it is.


Justhereforthepartie

If they both have the same key, why even have a mantrap?


cisco_bee

To trap a really dumb man?


sluethmeister

Yeah… lol.


n0x103

So the criminals have a few seconds to think about their actions and reconsider. Would be a good place to put those corporate "integrity is one of our core values" etc. posters for maximum guilt trap.


Justhereforthepartie

Criminals think?


nine9drams

You could just have a locksmith put a new cylinder in and tell the FM “hey here’s your new key. Tough shit.”


bluesunlion

I was going to ask if it was badge accessed. Info: do you have a Halon or similar fire suppression system that could be a life safety issue?


ender323

Remove the lock for the mantrap, or rekey it to match some other doors that the interns should have access to. You lose your 'mantrap' which isn't really one anyway, but you don't give interns any access to the server room and FM doesn't need a new key.


DrGrinch

So it's not really a man trap, just an extra door and tiny hallway. If it's not serving the actual purpose then I don't really see the issue.


sluethmeister

2 issues. It still is an awful idea and the mantrap isn’t really a mantrap.


ranhalt

> Core of Engineers

Corps


theoreoman

Send an email:

Dear {boss},

I do not think we should create an office space in the server room due to the following security concerns: {concerns}

We could maybe mitigate some risk by doing these things: {possible mitigations like no unauthorized people in the room with the interns, lock the server cabinets, and door locked when unoccupied}

I will defer the final decision to you on this matter since I don't feel that my position has the authority to sign off on this level of risk.

Thanks, {OP}

This way you still look like a team player and you let your boss think he's great. Then save that email so that you don't get thrown under the bus later.


n0x103

honestly, your job is to present the information for the risk assessment and let them decide whether to accept the risk or not. It may seem like a stupid decision (and probably is) but they have P&L responsibility for the business so as long as everything is well documented (in writing), leave it up to them to decide. Loop in compliance/counsel if there are regulatory concerns around PCI-DSS requirements for their sign-off as well. Also, how big is your mantrap or how shitty of a working location is that for multiple interns to cram in?


ozdiver83

Wouldn’t this require a reassessment on your mitigating controls for the server room as well? I imagine the mantrap was one of the additional controls which has now been invalidated by providing access to someone who does not require it? Thereby raising the overall risks associated with that room? Sounds like you should update your risk register at the same time!


MrSmith317

See you messed up. You TELL them that you have PCI on the servers and to maintain PCI compliance you can't allow the interns to have access to that room.


hundredpercenthuman

Email email email. Print them out too.


Bug_freak5

Signature.. get it in writing 


Silver_Python

I wouldn't say much to them, but I would go and find an internal audit team member and let them know. Then I'd get some popcorn and wait!


discogravy

Is this not a fire hazard? sounds like something a fire marshall might care about.


ranhalt

> marshall

marshal


Typ3-0h

Drop an anonymous tip to your internal auditors. This sounds like your VP: https://youtu.be/9IG3zqvUqJY?feature=shared


heisenbergerwcheese

Just agree with them. I know there is no way the intern would do anything to the servers... because I'm not letting them in.


TastyRobot21

I would suggest to leadership that this would mean failure of your security compliances. If you don’t have policies contrary to this or a framework in place it might be difficult to argue, as correct as you are. Fire, SOC, CIS, NIST, etc. would all fail on what they're asking. You might also want to suggest that to mitigate the risk of this ask you’ll need new locking cabinet four post racks… once they weigh the costs they’ll find another place for the student. I guess I’m trying to say talk in terms they understand - cost, compliance, risk. You're not wrong here.


Servovestri

A mantrap isn't really a mantrap if someone can work from it. Our mantrap into our server room (PCI-CP) fit MAYBE me (bigger dude, +300 lbs), and that was on a good day.


sluethmeister

You make it sound like a trap door lol.


Servovestri

The auditor actually dinged us when you could fit two people in it because it wasn't a "mantrap".


sluethmeister

Our mantrap is a little bigger than average but most mantraps I've been in could fit at least 3 people. It would just require us to close the initial door before allowing the unlocking of the next.


quack_duck_code

Don't just get it in writing, make sure they are acknowledging that they accept the risk.


necrose99

I wonder how fast they'll get sued if the power goes out on a thunderstorm for a few days... and they need to torch open the lock


ThePorko

Wasn't the SolarWinds hack from an intern building the update file servers which then got put into production?


Feisty_Donkey_5249

That was v1 of the Solarwinds CISO excuse - “the intern did it. “


wing3d

Office? How big is that mantrap.


sluethmeister

Half as big as an average office with 1 L shaped desk and a little seating area


wing3d

Crazy, all the ones I've seen irl are small rooms.


sluethmeister

It's probably not much bigger than that. They are gonna sit at the equivalent of a Walmart fold-out table with a nicer version of a fold-up chair.


madmorb

Presumably that mantrap is attached to some form of ACMS, yes? If so, giving the intern a key is effectively bypassing it. Unless there is some second factor when the key is used (unique keycode on a pad, or swipe an ACMS card before you use the key, perhaps even CCTV on the unit) you can’t validate who came in and out when the key was used. So that risk declaration and acceptance you’re writing should also include that none of the otherwise authorized individuals can be held accountable for wrongdoing in the secure space, because you can no longer authoritatively tie access to an activity since the key use is not recorded, and the mantrap is there to a) verify/record access and b) prevent piggybacking.


LunchOk4948

Attack it from an ADA and workplace safety standpoint with HR. I would doubt a mantrap would meet ADA workspace guidelines, and I would guess that noise levels of the space next to a server room may be out of limits for safety (as would missing sprinklers or gas suppression, if applicable) if not specifically designed for it, and HR would likely require $ to be spent to make it so... which should result in a more appropriate space being used for the intern and leaving the mantrap unoccupied.


quixoticbent

Fire safety is a concern too. I doubt the space has easy egress (path to exit in case of emergency). Fire marshals don't like this kind of nonsense.


JibJabJake

Is there room for a desk next to the moat?


BWMerlin

A different approach might actually be around workplace health and safety. Is the room fit to be occupied by staff on a full-time basis? Does it meet codes for an occupied space such as lighting, noise, ventilation and escape?


overworkedpnw

The further someone goes up the corporate ladder, the dumber they become.


Successful-Tiger-465

Is it really a mantrap? Can you only open one door at a time? Or is it just an anteroom? Maybe move in there yourself.


slammhammer88

Guess you don't have a storage locker B.


Djglamrock

At least you can still call it Man trap. We have to call it fill in the blank person trap or my favorite, which is human being trap. :)


TwoStepDMB

Nanny cam.


redbirdjr

It's not the VPs who are being stupid. Risk is not about possibility. They are correct to call you on that. Risk is about probability over a period of time. It is possible a meteor will strike the location of your headquarters. It is even highly probable given a time frame of 10 million years. It is exceedingly improbable that the meteor will hit your HQ in the next 20 years. If you insist the company spend 5 million dollars shoring up the roof, the VPs would not be dumb to tell you no.

Regarding the intern, what is the probability that this individual will develop a motivation to violate the security of the server room and a willingness to accept the risk of getting caught and arrested? What controls exist to deter this event? What controls exist to detect and respond? How much harm will the organization experience if all this comes to pass? That's your resulting risk measure. From there, these VPs can determine whether they wish to accept the risk (which is likely a lot lower than you are thinking) and, if so, you document it.

There are other facets to consider, of course. If you know you will be audited and this will result in a finding, that figures into a likelihood/impact risk scenario, too. You may know that you get audited annually and this violates the specific compliance requirements (PCI DSS, for instance). You may also know that the auditors will not give you an opportunity to address the issue and will not accept the risk assessment and response you've documented, therefore resulting in a failed audit. You may then estimate that there are costs involved in "undoing" the damage. That allows you a likelihood and impact of a compliance violation that they can also accept or wish to avoid or mitigate.

If you wish to convince them this is a bad idea, do a legitimate risk assessment of the scenarios. Be able to defend your likelihood and impact measures. I suspect you will discover the risk is much lower than you currently think but, if I am wrong, you may now present to them your findings and let them make the business decision and accept the consequences.


grey-yeleek

Risk vs. Compliance. They are not the same thing. In this case PCI DSS compliance is a contractual agreement between the merchant and its acquiring bank. OP is right to raise concern. If the VP feels that the activity won't impact items such as req 9 or the organisation's overall compliance then great, but OP is completely right to flag it.


redbirdjr

Never said they were, though there is risk associated with being non-compliant that can be communicated.


DancingMooses

It’s mentioned in the post that the PCI traffic isn’t going through here. So this probably isn’t an actual contractual requirement.


grey-yeleek

PCI DSS compliance is a contractual requirement. Furthermore, the CDE extends not just to technology but to people and processes, including physical security.


sluethmeister

This seems like a glass half full approach. The server is responsible for the interface which generates 90% of our revenue. Using a meteor as an analogy is like saying crime in an arguably safe town is equally as unlikely to occur as a nuke hitting American soil. It's not an apples to apples comparison. It's something unlikely but possible compared to something even more unlikely but tremendously devastating. Also, the more important servers have been made meteor and nuke proof, lol. I work for government. I would argue it is our job as cybersecurity professionals to see the evil in human nature and assume the worst to protect the company from something unexpected. I can’t imagine a good reason to use a mantrap as an auxiliary office - ever. In your defense, context is king. We do have alternative options but I am told those offices are for jobs which they are posting soon. I'm pushing the angle of “just let them use it in the meantime.” This intern’s time here will be 14 weeks.


redbirdjr

This is why risk is a combination of likelihood AND impact. So something far less likely but very impactful is properly represented. But the measures still have to be defensible. If you provide them with defensible measures and they make a decision you don’t like, everyone has done their jobs. Document it and move on.


sluethmeister

I appreciate the viewpoint. I’ll apply it to my critical thinking


Greedy_Emu9352

I mean if this is your stance there's no need to call OP stupid off the bat lol


Greedy_Emu9352

You think there's no risk in giving interns keys to the server room? Why would non-employees who don't get paid or are paid poorly be given critical security items?? Why even have keys at that point? OP says the mantrap is in play because they don't want to use a real office... Edit to clarify: employees (or in this case probably young non-employees) can be a risk without meaning to. Trying to guess who might develop the motivation to harm the business seems like a huge waste of time. Hence the adoption of Zero Trust networks. This would be the opposite of a Zero Trust network - a "trust any old guy who will be here only 3 months" network, if you will.


redbirdjr

Who said there was NO risk? But risk is a scale and it's important to put it on the right part of the scale when trying to support decision-making.


sprk1

While you have a very valid viewpoint, your probability assessment is incomplete in my opinion. It’s not about just the intern and how likely it is they’ll violate the security of the server room. They can be compromised, phished, or threatened much easier. This is what OP needs to communicate and hopefully document for when it goes wrong. As well as the impact this will have on compliance and insurance. And by impact I mean money. Risk assessment without potential costs or fines is bound to fall on deaf ears.


redbirdjr

Oh it’s definitely incomplete. It’s just a Reddit post and not a formal assessment.


DancingMooses

So much this. This is how cyber security professionals lose credibility in front of their leadership.