Post-OPM Breach: Closing Today's Federal Security Gaps


Recognize the Auditor's Role in Cybersecurity

With security becoming an increasingly grave concern within the public sector, government agencies need not only to conduct rigorous internal audits, but to extend them with external audits that provide an objective perspective. Specifically, auditors need to apply a risk-based approach in their assessments so that they can more effectively anticipate and mitigate threats to critical assets and to systems that hold sensitive or regulated information. Auditors need to hold all agencies to the highest best-practice standards and frameworks, such as the CSF, and be able to explain deficiencies and recommend remediation strategies in each of the CSF's core functions: identify, protect, detect, respond and recover.

Additionally, auditors need to become more acquainted with cyber-risk models in order to understand an increasingly complex set of attack vectors that vary with a threat actor's motivation, skill level and access. As cyber exploits move into mobile technology, cloud computing and social media, auditors need to stay current with how exploits are evolving, and be diligent and explicit about how organizations can strengthen their defense-in-depth strategies.

Early in June it was reported that the Office of Personnel Management (OPM), a civilian-run government agency, had experienced a data breach of its computer systems, giving suspected Chinese state-sponsored hackers access to up to four million records of former and current federal employees. The hack was so extensive that the retrieved information dated back as far as 1985. However, new reports show that the attack could be more than four times more devastating than initially estimated, and the number of people impacted could increase. In fact, the tally of those affected is only now being revealed, as the OPM sends out notices to people who are potentially impacted. Even more unnerving is that a 2014 audit uncovered security inadequacies within the OPM system, yet they were not reported until several months after detection.

Unlike previous major cyber attacks we have seen over the last year, the exposed data was not limited to PII (Personally Identifiable Information) such as Social Security numbers, birthdates and bank information. During this breach hackers accessed highly confidential employee background checks, containing information on the employees' friends, family and past employment. Even private details such as mental illness treatments, lie detector test results, bankruptcy filings and run-ins with the law were retrieved. At this point, according to Yo Delmar, vice president, GRC Solutions, MetricStream, we are unaware of the full impact of this breach; but if history is any indicator, it is highly likely that those responsible for the hack may already be using the stolen information in malicious, and highly illegal, ways.

Following the massive breach, what we must now focus on is what can be done at the federal level to prevent such devastating reoccurrences. According to Delmar, there are several steps that need to be taken in order to address today's security gaps in government. These include: fully understanding the details of the NIST's Cyber Security Framework (CSF) and actively putting practices into action; developing and implementing a remediation plan to ensure security standards are being met; closing the gap in response time and maintaining transparency throughout with key stakeholders; recognizing the auditor's evolved role in cybersecurity; and understanding where federal security investments should be headed.
