CCISO (712-50) Executive Decision Simulation

In this simulation, you will practice executive-level strategic thinking. You must balance the operational need for fast, remote third-party support against the critical requirement to maintain strict endpoint security and identity non-repudiation.

Executive Briefing

You are the Chief Information Security Officer (CISO) for TransGlobal Logistics. The company has recently signed a multi-million dollar contract with an external Managed Security Service Provider (MSSP) to co-manage your global fleet of edge firewalls and intrusion prevention systems.

The VP of Infrastructure and the Vendor Management Office (VMO) want to onboard the vendor's engineers immediately. The vendor has requested remote administrative access to your security appliances to begin their tuning and maintenance work.

Business Context

  • Business Objective: Ensure 24/7 uptime of the global supply chain network by allowing expert third-party engineers to resolve incidents rapidly.
  • Risk Appetite: Extremely low tolerance for unauthorized administrative changes. A supply chain breach originating from a vendor is currently ranked as a Top 3 enterprise risk by the Board.
  • Operational Constraint: The vendor's engineers prefer to use their own company laptops (BYOD from their perspective) and requested a shared generic "admin" account to avoid constant credential rotation as their team members change.

You must approve the remote access architecture. Your decision must protect the organization from third-party compromise while still allowing the vendor to fulfill their contractual obligations.

Decision Scenario

The vendor is pushing for speed and convenience, arguing that provisioning company laptops and individual accounts will delay their service delivery by weeks. However, granting administrative access to your core security devices from unmanaged endpoints using shared accounts violates fundamental security governance. You must select the strongest access model to mitigate this third-party risk.

Question

When considering using a vendor to help support your security devices remotely, what is the BEST choice for allowing access?

A. Vendor uses their own laptop and logs in using two-factor authentication with their own unique credentials
B. Vendor uses a company-supplied laptop and logs in using two-factor authentication with the same admin credentials your security team uses
C. Vendor uses a company-supplied laptop and logs in using two-factor authentication with their own unique credentials
D. Vendor uses their own laptop and logs in with the same admin credentials your security team uses

Executive Hint: Think about two critical governance concepts: "Endpoint Assurance" (can you guarantee the laptop isn't infected?) and "Non-Repudiation" (can you prove exactly which human being made a change?). How do you achieve both?

Strategic Analysis

1. What is the real problem?

Third-party risk is one of the highest threat vectors for modern enterprises. Providing remote access to a vendor involves two massive vulnerabilities: the endpoint they are connecting from (which could be compromised by malware) and the identity they are using (which could be shared or stolen).

2. Business vs Security Perspective

The business values speed and frictionless onboarding (favoring BYOD and shared accounts). Security requires verifiable trust. As a CISO, you cannot sacrifice attribution and endpoint integrity just to save a few days of onboarding time, especially when granting access to core security devices.

3. Risk and Impact Analysis

If an unmanaged vendor laptop is infected with ransomware, a VPN connection gives that ransomware a direct path into your network. Furthermore, if the vendor uses a shared "admin" account and accidentally takes down a firewall, you will have zero forensic ability to prove which specific vendor employee caused the outage, destroying your ability to enforce SLA penalties.

4. Why the Correct Answer is BEST (Option C)

Option C represents the gold standard for third-party risk management. By requiring a company-supplied laptop, you maintain Endpoint Assurance (ensuring your EDR, DLP, and patch management are present). By requiring unique credentials with two-factor authentication (2FA, a form of MFA), you achieve strict Non-Repudiation (you know exactly who is logging in and can prove it).

5. Why Other Options are Weaker

Option A: While it provides unique credentials, allowing a vendor to use their own laptop creates a massive blind spot. You cannot enforce or verify the security posture of an unmanaged endpoint.

Option B: Using a company laptop is good, but sharing the same admin credentials as your internal team destroys accountability. Shared accounts violate the principle of non-repudiation.

Option D: This is the worst-case scenario. It combines an untrusted, unmanaged endpoint with anonymous shared administrative access, representing a critical governance failure.

6. MINI LESSON: Third-Party Governance Principles

• Endpoint Assurance: Never extend trust to a device you do not manage or cannot continuously verify.
• Non-Repudiation: Every action on a critical system must be tied to a single, identifiable human being. Shared accounts make accountability impossible.
• Least Privilege: Even with a company laptop and unique credentials, the vendor should only have the minimum access required to do their job.
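
The three principles above can be expressed as a policy decision point that a remote-access gateway or PAM broker consults before granting a vendor session. The following is an added example written for this page, not code from the simulation or from any named product; the device IDs, account names, and role names are constructed placeholders. It evaluates an access request against endpoint assurance (is the device in the managed inventory?), non-repudiation (does the account map to exactly one human, and was MFA verified?), and least privilege (are the requested actions inside the vendor's contracted role?), and emits an audit record that ties the decision to a named individual.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventory of company-managed endpoints (hypothetical device IDs).
# Only devices listed here carry the EDR/DLP/patch baseline the page describes.
MANAGED_DEVICES = {"TGL-LT-0417", "TGL-LT-0422"}

# Constructed account registry: each account maps to exactly one human owner,
# or to None when it is a shared/generic account (no single accountable person).
ACCOUNT_OWNERS = {
    "j.doe@vendor-mssp.example": "Jane Doe (MSSP engineer)",
    "admin": None,  # shared generic "admin" account requested by the vendor
}

# Constructed least-privilege map: actions each contracted vendor role may take.
ROLE_PERMISSIONS = {
    "fw-tuning": {"read-config", "edit-ips-signatures", "view-logs"},
    "fw-admin": {"read-config", "edit-ips-signatures", "view-logs",
                 "edit-rules", "reboot"},
}


@dataclass
class AccessRequest:
    account: str
    device_id: str
    mfa_verified: bool
    role: str
    requested_actions: set


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    audit: dict = field(default_factory=dict)


def evaluate(req: AccessRequest) -> Decision:
    """Apply the three governance checks; any failure denies the session."""
    reasons = []

    # Endpoint assurance: never extend trust to a device you do not manage.
    if req.device_id not in MANAGED_DEVICES:
        reasons.append("endpoint-assurance: device is not company-managed")

    # Non-repudiation: the account must resolve to one identifiable human,
    # and that human must have completed MFA for this session.
    if req.account not in ACCOUNT_OWNERS:
        reasons.append("identity: unknown account")
    elif ACCOUNT_OWNERS[req.account] is None:
        reasons.append("non-repudiation: shared/generic account")
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified")

    # Least privilege: requested actions must fit inside the contracted role.
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    excess = req.requested_actions - permitted
    if excess:
        reasons.append(
            f"least-privilege: actions outside role {req.role!r}: {sorted(excess)}")

    # Audit record: who (human owner, not just account), from where, what, and
    # the outcome, so a later change can be attributed to one person.
    audit = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "account": req.account,
        "owner": ACCOUNT_OWNERS.get(req.account),
        "device_id": req.device_id,
        "managed_device": req.device_id in MANAGED_DEVICES,
        "mfa_verified": req.mfa_verified,
        "role": req.role,
        "requested_actions": sorted(req.requested_actions),
        "decision": "ALLOW" if not reasons else "DENY",
        "reasons": list(reasons),
    }
    return Decision(allowed=not reasons, reasons=reasons, audit=audit)


if __name__ == "__main__":
    # Option C shape: managed laptop, unique account, MFA, in-role actions.
    good = AccessRequest("j.doe@vendor-mssp.example", "TGL-LT-0417",
                         True, "fw-tuning", {"view-logs", "read-config"})
    # Option D shape: personal laptop and the shared "admin" account, no MFA.
    bad = AccessRequest("admin", "VENDOR-PERSONAL-01", False, "fw-admin",
                        {"edit-rules"})
    for r in (good, bad):
        d = evaluate(r)
        print(d.audit["decision"], d.reasons)
```

Denial reasons are accumulated rather than short-circuited so the audit record shows every failed control, which is what a vendor-risk review or SLA dispute needs. Each of the four answer options maps to a distinct combination of the `device_id` and `account` fields; only the Option C combination (managed device, individually owned account, MFA) passes.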

EXECUTIVE TAKEAWAY: You can outsource the operational work, but you can never outsource the accountability. Always control the endpoint and mandate unique identities.
