by Prem Iyer, CISSP / PMP
In an earlier post, Preparing for the Fight, I discussed that most agencies are ill-prepared when it comes to protecting their assets against the latest cyber threats. This point was validated last month when the Government Accountability Office (GAO), as part of the Federal Information Security Management Act of 2002 (FISMA), reported that persistent weaknesses in information security controls, due to incomplete implementation of security programs, resulted in a very serious spike in incidents across agencies.
The lack of follow through on security programs contributes to a rise of more than 650% in security incidents over the past five years. That is not a small number. In fact, it is downright baffling to see such a spike in occurrences among 24 key agencies. It means that across the board, the adequacy and effectiveness of information security policies and practices are lacking.
In the past year, hundreds of recommendations have been made to agencies and, while many agreed that something needed to be done, many didn’t take the necessary action that was required. Most agencies are lacking in the following areas: education and training, continuous monitoring of systems, effective remediation and resolution of incidents in a timely fashion.
Ironically, last month marked the 8th annual National Cyber Security Awareness Month. It is a joint effort by the Department of Homeland Security, National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center in order to drive awareness and education around the information security issue.
The theme of the month was “Our Shared Responsibility,” which drives home the fact that each one of us has a role to play in securing cyberspace. This focus and attention is critical and a much needed reminder that we must boost our cyber security efforts. In the cases of these 24 agencies, not only do they need to be aware of the weaknesses in their security posture, but they need to take action and be held accountable.