Even NASA's infosec regime needs work: audit

The USA’s NASA needs to do more to implement an agency-wide information security framework, according to an audit from the aerospace agency’s Inspector General.

The report into the audit finds that while NASA has made progress in implementing an agency-wide program, the agency has not fully implemented key management controls essential to such an initiative.

Auditors asserted that they believe this condition exists because the Office of the CIO has not developed an information security plan to effectively manage its resources.

“In addition, the Office is experiencing a period of transition with different leaders acting in the Senior Security Officer role, which has caused uncertainty surrounding information security responsibilities at the Agency level,” the report states.

The report also finds that NASA lacks an agency-wide risk management framework for information security and an information security architecture.

Auditors recommend developing such a framework and architecture as part of an organisation-wide information security program plan. This will require agency-wide involvement, from senior leaders to frontline systems operators.

The report also found NASA should also consider appointing a permanent senior security officer that can take responsibility for developing an agency-wide approach to security.

“NASA’s high profile and sensitive technology makes the Agency an attractive target for hackers, and it is vital the Agency develop an integrated view of its information security program to protect its data and resources,” the report concludes.

Image courtesy of Billy Brown under CC