US federal agencies have poor cyber risk management
The US Government Accountability Office (GAO) has conducted a forensic audit into the cybersecurity risk management practices of 23 federal agencies, finding a number of serious shortcomings.
The audit found that 16 of the agencies had not fully established a cybersecurity risk management strategy.
In addition, 17 have not fully established agency- and system-level policies for assessing, responding to and monitoring risk, and 13 had not fully established a process for coordinating between their cybersecurity and enterprise risk management programs for managing all major risks.
All of the agencies audited reported challenges in hiring and retaining key cybersecurity management-level staff, while 19 reported challenges managing competing priorities between operations and cybersecurity.
Other common challenges involve establishing and implementing consistent policies and procedures (reported by 18 agencies), establishing and implementing standardised technology capabilities (18), receiving quality risk data (18), using federal cybersecurity risk management guidance (16), developing an agency-wide risk management strategy (15) and incorporating cyber risks into enterprise risk management (14).
On the positive side, 22 of the 23 agencies had established the dedicated role of cybersecurity risk executive.
The GAO also gave 58 recommendations for the 23 agencies to bolster their approach to cybersecurity risk management, including the development of processes for agencies to share methods for addressing cybersecurity challenges.
The remaining 57 recommendations were for individual agencies, and covered areas including developing or updating cybersecurity risk management strategies, requiring various departments to conduct organisation-wide risk assessments and establishing processes for coordination between cybersecurity and enterprise risk management functions.
The audit found that cybersecurity represents a growing threat to government agencies. In the 2017 financial year, federal agencies reported a total of 35,277 incidents to the US CERT.
By way of example, the report notes a recent joint alert from the Department of Homeland Security and the FBI stating that cybercriminals linked to the Russian government had been targeting federal government IT systems since at least March 2016.