CyberEye


Cybersecurity’s not done until the paperwork is finished

The Veterans Affairs Department has been dinged once again by the Government Accountability Office for a lack of follow-through in its cybersecurity operations. In a recent report, VA Needs to Address Identified Vulnerabilities, the GAO warned that unless VA’s security weaknesses are fully addressed, “its information is at heightened risk of unauthorized access, modification and disclosure, and its systems at risk of disruption.”

The problem cited in the report is not so much that VA is doing a bad job securing its networks and systems, but that it has not properly documented security activities and has not developed action plans and milestones for correcting problems.

Documentation and planning are more than busywork. Checking boxes and writing reports will not by themselves improve IT security, but without them it can be difficult if not impossible to verify what has been done, that it was done properly and that it can be repeated if necessary.

These processes can make the difference between constantly fighting brushfires and being able to effectively protect an agency enterprise and improve its security posture.

To quote a rule well-known to every government worker: The job’s not finished until the paperwork is done.

Because of its size and the amount of personal and other sensitive information it maintains, the VA is a high-value target. In January, a defect in VA’s web-based eBenefits system exposed personal data of thousands of veterans and their dependents. And in 2010, a nation-state-sponsored attack took advantage of weak technical controls to gain “unchallenged and unfettered access” to VA systems, the GAO said.

These were fairly recent hits, but the fact remains that development of an effective information security program has been a major management challenge for the department since the late 1990s.

This does not mean that VA has no information security. VA’s Network Security Operations Center in 2012 responded to an attack by outsiders, analyzing the scope of the incident and documenting its responses. Even so, “VA could not provide sufficient documentation to demonstrate that these actions were effective,” GAO said.

This problem is not limited to VA. A recent governmentwide review by GAO found that agencies were not able to document effectiveness of their incident response about 65 percent of the time.

In the case of the 2012 VA incident cited, forensic analysis data was not available because of a lack of storage space. The department’s incident response policies also did not give the incident response team access to the system logs needed to fully assess the extent of the breach, which raises questions about the effectiveness of the response.

The problems are part of a vicious circle in government cybersecurity. Incident response teams are stretched thin, and their top priority is responding to the problem at hand. Documentation and policy enforcement often take a back seat. But without effective documentation and policies, it can be hard to move beyond crisis management to effectively managing risk.

As I have said before, regulatory compliance does not equal security, but it can provide an essential baseline for achieving more effective security.

Posted by William Jackson on Dec 05, 2014 at 1:08 PM
