US federal agencies have poor cyber risk management


By Dylan Bushell-Embling
Tuesday, 06 August, 2019


The US Government Accountability Office (GAO) has audited the cybersecurity risk management practices of 23 federal agencies, finding a number of serious shortcomings.

The audit found that 16 of the 23 agencies had not fully established a cybersecurity risk management strategy.

In addition, 17 had not fully established agency- and system-level policies for assessing, responding to and monitoring risk, and 13 had not fully established a process for coordinating between their cybersecurity and enterprise risk management programs so that cyber risk is managed alongside the organisation's other major risks.

All of the agencies audited reported challenges in hiring and retaining key cybersecurity management-level staff, while 19 reported challenges managing competing priorities between operations and cybersecurity.

Other common challenges involved establishing and implementing consistent policies and procedures (reported by 18 agencies), establishing and implementing standardised technology capabilities (18), receiving quality risk data (18), using federal cybersecurity risk management guidance (16), developing an agency-wide risk management strategy (15) and incorporating cyber risks into enterprise risk management (14).

On the positive side, 22 of the 23 agencies had established the dedicated role of cybersecurity risk executive.

The GAO made 58 recommendations in total to bolster the agencies' approach to cybersecurity risk management. One of these, directed at the Office of Management and Budget, called for the development of a process through which agencies can share methods for addressing common cybersecurity risk management challenges.

The remaining 57 recommendations were for individual agencies, and covered areas including developing or updating cybersecurity risk management strategies, requiring various departments to conduct organisation-wide risk assessments and establishing processes for coordination between cybersecurity and enterprise risk management functions.

The audit found that cyber attacks represent a growing threat to government agencies. In fiscal year 2017, federal agencies reported a total of 35,277 incidents to US-CERT.

By way of example, the report notes a recent joint alert from the Department of Homeland Security and the FBI stating that threat actors linked to the Russian government had been targeting federal government IT systems since at least March 2016.
