Agencies struggle to document responses to cybersecurity incidents

How good is your agency's incident response?

As in any job, in cybersecurity it’s the paperwork that gets you. In a recent study, the Government Accountability Office found that agencies are doing an incomplete job in documenting their response to security incidents.

The GAO studied a sample of 40 incidents in fiscal 2012 at six agencies to get a statistical picture of overall practices at 24 major executive branch agencies. In about 65 percent of the cases, it found that incident response activities were not fully documented.

Most agencies identified the scope of the incident, but often did not demonstrate that they knew its impact. Other responses, such as actions to prevent recurrence of an incident, often were not shown. Each of the agencies studied had some type of incident response plan, but none was comprehensive.

The Office of Management and Budget and the Department of Homeland Security oversee agencies’ cybersecurity activities, but neither had addressed incident response practices in their CyberStat reviews.

These shortfalls come at a time of increasing rates of cyber incidents at agencies, from 34,840 in fiscal 2012 to 46,160 in fiscal 2013.

The study does not necessarily mean that agencies are not doing a good job in their cybersecurity and incident response, but without a plan for documenting it, it is difficult to say how good a job is being done.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
