GAO says agencies must improve controls over high-impact systems
A government watchdog recently scrutinized the information security systems of two-dozen federal agencies and found many lacking in several key security areas.
The Government Accountability Office (GAO) surveyed 24 federal agencies and found the following issues with overall cybersecurity:
— Some agencies had not always effectively implemented access controls, e.g. protecting system boundaries, authenticating users, authorizing access, and monitoring system activities.
— Some agencies had issues stating current patching known software vulnerabilities and also having valid contingency plans in place.
— Some agencies had not fully implemented key elements information security programs. These included both security plans and remedial action plans.
Cyber attacks from nations
Of the 24 agencies surveyed by the GAO, 75 percent (18 agencies) stated that cyber attacks from “nations” are the common threat to the security of their systems. More specifically, cyber attacks received via email were, by far, the most common — and also the most serious.
During fiscal year 2014, 11 of the 18 agencies reported a combined 2,267 cyber incidents on high-impact systems. And nearly a quarter of that group of reported incidents involved the installation of malicious code.
Report: Government Organizations Rank Last in #CyberSecurity https://t.co/xs5SOj4xVx #EmergencyManagement pic.twitter.com/IiKxENCmhQ
— EDM Digest (@EDMDigestCom) April 18, 2016
GAO: weaknesses should be addressed
The GAO concluded after thorough analysis that the selected agencies should “address weaknesses in access and other controls.” This includes implementation of missing elements of current information security systems, as well as more timely maintenance of existing systems so as to reduce risks associated with unauthorized access, modification of highly sensitive data.
Examples of agencies included in the study include the National Aeronautics and Space Administration (NASA), the Nuclear Regulatory
Commission (NRC), the Office of Personnel Management (OPM), and the Department of Veterans Affairs (VA).
#TodaysReports Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems https://t.co/ThsLZ2NfSk
— U.S. GAO (@USGAO) June 21, 2016
Comments are closed.