Develop a Remediation Plan
As previously noted, an audit in 2014 revealed significant flaws within the OPM's security program. Not only were this civilian-run agency's investments in security woefully inadequate, its lax attitude towards security has been known for quite some time. In fact, the audit report on the OPM's cited "material weakness" in 2013 was escalated to "significant deficiency" in 2014. After the initial audit in 2013, the OPM should have put a remediation plan in place within 30 days, yet the organization did nothing, and unfortunately, its negligence backfired.
Further, the OPM had difficulties meeting some of the basic "101s" of its security, including authorization, controls testing, and security program planning. Since thorough assessments and control testing were not adequately carried out, the OPM was unaware where the security gaps were and therefore was unable to put an effective remediation plan in place.
As a first step in security remediation planning, organizations must ensure that they fully understand the threat landscape, prioritize a true risk profile, and stay attuned to emerging risks that may threaten the organization's operational integrity, reputation and risks. Next, the plan needs to be fully supported in the organization from the top down to ensure its effective and timely adoption. Finally, should the plan not be implemented, authorities need to be in a position to deliver severe consequences when standards are not met.
Post-OPM Breach: Closing Today's Federal Security Gaps
Post-OPM Breach: Closing Today's Federal Security Gaps
Early in June it was reported that the Office of Personnel Management (OPM), a civilian-run government agency, experienced a data breach of its computer systems, giving suspected Chinese state-sponsored hackers access to up to four million records of former and current federal employees. The hack was so extensive that the retrieved information stemmed as far back as 1985. However, new reports show that the attack could be more than four times more devastating than initially estimated, and the number of people impacted could increase. In fact, the tally of those affected is now being revealed as the OPM sends out notices to people who are potentially impacted. Even more unnerving is that a 2014 audit uncovered security inadequacies within the OPM system, yet they were not reported until several months after detection.
Unlike previous major cyber attacks we have seen over the last year, the exposed data was not just limited to PII (Personally Identifiable Information) such as Social Security numbers, birthdates, and bank information. During this breach hackers accessed highly confidential employee background checks, containing information on their friends, family and past employment. Even private details such as mental illness treatments, lie detector test results, bankruptcy filings, and run-ins with the law were retrieved. At this point, according to Yo Delmar, vice president, GRC Solutions, MetricStream, we are unaware of the full impact of this breach; but if history is any indicator, it's highly likely that those responsible for the hack may already be using the stolen information in malicious, and highly illegal, ways.
Following the massive breach, what we must now focus on is what can be done at the federal level to prevent such devastating reoccurrences. According to Delmar, there are several steps that need to be taken in order to address today's security gaps in government. These include: fully understanding the details of the NIST's Cyber Security Framework (CSF) and actively putting practices into action; developing and implementing a remediation plan to ensure security standards are being met; closing the gap in response time and maintaining transparency throughout with key stakeholders; recognizing the auditor's evolved role in cybersecurity; and understanding where federal security investments should be headed.
