US Department of Health & Human Services Falls Short On Information Security


The US Department of Health and Human Services could try harder when it comes to cybersecurity, according to a report released earlier this month. Its Inspector General found weaknesses in several areas, and gave its information security program a 'not effective' rating.

The Department's Inspector General commissioned Ernst & Young to audit its compliance with the Federal Information Security Modernization Act (FISMA). FISMA provides a framework for assessing how well organizations are maintaining the information security controls that protect federal operations and data.

The framework assesses organizations in five areas (identify, protect, detect, respond, and recover), across five maturity levels. To reach level four, which FISMA calls 'managed and measurable', an organization must collect information about the effectiveness of policies and procedures, assess them, and make necessary changes.

"Based on the results of our evaluation, we determined that HHS’ information security program was ‘Not Effective’ as it did not meet the ‘Managed and Measurable’ level in the following functional areas: Identify, Protect, Detect, Respond, and Recover," the report said.

The Department attained level three ('consistently implemented') for its identify and protect areas, which means that policies and procedures are applied consistently but their effectiveness is not measured. For the other areas (detect, respond, and recover), it only reached level two ('defined'). This means that policies and procedures are formalized and documented but not implemented consistently.

The report identified weaknesses, and corresponding opportunities for improvement, in risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.

DHHS didn't always follow or update its risk management practices, and one operating division had no process for identifying the software installed on its systems, meaning that this software couldn't be accounted for in its risk management operations.

The Department is working on a Continuous Diagnostics and Mitigation program with the Department of Homeland Security, which the report hopes will help bolster its cybersecurity maturity rating.
