The citymeetings.nyc logo showing a pigeon at a podium with a microphone.

citymeetings.nyc

Your guide to NYC's public proceedings.
QUESTION

What is the process for reviewing vendors' privacy and security audits before adopting their services in NYC public schools?

1:50:18

·

153 sec

The council member asks if the agency reviewed the vendor's annual privacy and security audit before adopting its services in NYC public schools. The agency head explains that in the case of 'move it', a file transfer solution, the city was impacted by a zero-day vulnerability before it was disclosed, despite the city's strong third-party risk management strategy.

  • The agency head clarifies that 'move it' was not a cloud service, but a file transfer solution used by an impacted agency
  • A zero-day vulnerability in 'move it' was exploited by a threat actor before it was publicly disclosed
  • The city has provisions requiring notification from vendors in case of security incidents
  • But in the 'move it' case, the vulnerability was unknown to the vendor and city before being exploited
Jennifer GutiƩrrez
1:50:18
Can you share a little bit about cloud writers?
1:50:22
I know in in your previous responses, It's not necessarily your unit that works on reviewing cloud writers, but it is kind of like a multiunit process with an OTI to review every agency's cloud writer.
1:50:36
It's my understanding that every vendor through the cloud writer, that every vendor must submit an annual audit of their privacy and security programs to the city.
1:50:47
Did your agency review this audit before move it was a opted into New York City public schools?
Kelly Moan
1:50:55
So so move it in particular was a zero day vulnerability that did not provide a fix upon disclosure.
1:51:04
And so the nuance there, and and for folks, again, who might be listening in, move it to file transfer solution that was used at at an impacted agency and publicly disclosed, again, wanna read rate that this is in the public domain, so I am able to speak about it a bit more broadly.
1:51:24
In the case of move it, Unfortunately, our city agency was one of of hundreds of victims.
1:51:33
That were impacted by a zero day vulnerability that was taken advantage of by a threat actor prior to even to disclosure.
1:51:42
And so I want to reiterate that because, again, we have a strong third party risk management strategy, multiple layers of not just our internal controls, but also managing those from outside of the city domain perspective.
1:51:58
But in particular, the case of move it, The software had a flaw that was not known to move it or the agency.
1:52:06
And ultimately, the threat actor was able to take advantage in point that vulnerability leading to 100 and 100 of victims, not just government entities, but also private sector entities as well.
1:52:19
And so while we have, for example, cloud services agreement, although move it was not a cloud services solution at that we have provisions in there specifically to provide us notification in case there's a incident that's being suffered at a third party so that we are aware of the incident and we're able to ask questions and attempt to curtail any impact on New York City as that incident transpires.
Jennifer GutiƩrrez
1:52:50
Okay.
1:52:51
I have a few more questions.

← Previous Chapter

What is the policy on vendor insurance coverage for victim notification in case of a data breach?

Next Chapter →

How often are city-wide cybersecurity policies reviewed and updated by the Office of Technology and Innovation (OTI)?
Citymeetings.nyc pigeon logo

Is citymeetings.nyc useful to you?

I'm thrilled!

Please help me out by answering just one question.

What do you do?

Thank you!

Want to stay up to date? Sign up for the newsletter.