Yesterday, the good men and women at the Government Accountability Office (GAO) brought us the testimony of Gregory C. Wilshusen, Director, Information Security Issues, before the Subcommittee on Government Management, Organization, and Procurement; House Committee on Oversight and Government Reform. I was thinking to use this testimony in order to highlight the security and auditing challenges that Federal systems are facing. Nearly 12 hours after the GAO published this report, the Israeli State Comptroller issued his report (Google translation from a Hebrew news article here). It is shocking to read the similarities. Both GAO and the State Comptroller report severe security vulnerabilities that are simply being ignored (I'm being polite). What should happen in order to get the authorities to take action?
Here are some tidbits of the GAO report. It is true for every modern country:
Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where maintaining the public's trust is essential. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained computer-based (cyber) attacks against the United States and others that continue to pose a potentially devastating impact to systems and the operations and critical infrastructures that they support.
GAO was asked to describe (1) cyber threats to federal information systems and cyber-based critical infrastructures and (2) control deficiencies that make these systems and infrastructures vulnerable to those threats. To do so, GAO relied on its previous reports and reviewed agency and inspectors general reports on information security.
...In previous reports over the past several years, GAO has made hundreds of recommendations to agencies to mitigate identified control deficiencies and to fully implement information security programs...
...Over the past several years, we and the IGs have made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls. For example, we recommended that agencies correct specific information security deficiencies related to user identification and authentication, authorization, boundary protections, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, and contingency planning. We have also recommended that agencies fully implement comprehensive, agencywide information security programs by correcting shortcomings in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions. The effective implementation of these recommendations will strengthen the security posture at these agencies. In addition, the White House, the Office of Management and Budget (OMB), and certain federal agencies have continued or launched several governmentwide initiatives that are intended to enhance information security at federal agencies.
Do we need yet another cyber security mandate? IMO it would be good if we start to follow the regulations, mandates and policies that are in place today.
