The U.S. Department of Veterans Affairs stores and deals with a lot of sensitive information on veterans and their families every day, so the results of a recent report by the department's Office of Inspector General is not a welcome sign. According to the audit, VA is lacking in cyber security disciplines where one would expect administrators to be much better, such as identity management and configuration management.
"VA has made progress developing policies and procedures but still faces challenges implementing components of its agency wide information security risk management
program to meet FISMA requirements," according to the audit. "While some improvements were noted, FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems."
The report said the weakness in access and configuration management resulted from the agency not having comprehensive control over all servers and network devices. There are flimsy procedures in place to identify and remediate security vulnerabilities across the system and proliferating network devices, the audit said. It is recommended that the current acting assistant security for information and technology implement new measures to mitigate these vulnerabilities by Linda Halliday, assistant inspector general for audits and evaluations.
Specifically, VA needs to secure web-based services that might allow hackers or malicious users access to VA systems. There are also areas of the VA IT system with critical information which could be accessed by unauthorized parties, the audit said. Weak passwords and users granted unnecessary system privileges also must be fixed, as well as the implementation of multifactor authentication for remote access, which is not yet utilized by VA. All in all, there were 32 recommendations made to VA, with two of these being addressed by the end of fiscal year 2012.
Technology reporter Robert Strohmeyer wrote on InformationWeek that widely ignored security best practices should be used by businesses and government agencies as a preventative measure for any attacks that may occur. One key that many do not undertake is training users in best practices, as one study pointed out that 77 percent of companies offer no regular training to users. Other cyber security measures that business and government alike should consider include encryption of cloud data, use of encryption keys and a meticulous plan for what to do in case there is a breach.
Security News from SimplySecurity.com by Trend Micro.