Nov 6, 2019

Data Security Lacking

From a recent study by Social Security's Office of Inspector General (OIG):
Our objective was to determine whether the Social Security Administration’s (SSA) overall information security program and practices were effective and consistent with the requirements of the Federal Information Security Modernization Act of 2014 (FISMA), as defined by the Department of Homeland Security (DHS). ...
Although SSA established an Agency-wide information security program and practices, we identified a number of deficiencies related to Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning. Many of the weaknesses we identified were similar to the deficiencies reported in past FISMA performance audits. SSA’s information security program was “Not Effective” according to DHS criteria. ...
No details are given in the brief stub of a report released to the public.

4 comments:

Anonymous said...

The key words here are “... according to DHS criteria...”. SSA staff do not operate in the hostile environments that DHS does. That’s setting the bar way too high. But that’s what happens when gov’t employees follow poorly written policies without applying common sense. I think the new COSS can fix that.

Anonymous said...

10:01 - Wow, and I suppose you are an IT security person? Knowing that FISMA sets (changing) standards, that DHS has authorities and agencies are evaluated by government-wide metrics every year for compliance to those guidelines and standards? That OIG does their own analysis of SSA's IT security compliance every year and puts out this report? You know that, right? So your comment that the new COSS can "fix that" was a joke, right?

Anonymous said...

1:52 - Yes, of course, they change due to changing technology and changing threats. The point is that the COSS can set the bar to a reasonable expectation for SSA.

Anonymous said...

11:51 - Nope, he/she cannot.

https://www.dhs.gov/cisa/federal-information-security-modernization-act

FISMA 2014 codifies the Department of Homeland Security’s role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies.

The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. It also:

Authorizes DHS to provide operational and technical assistance to other federal Executive Branch civilian agencies at the agency’s request;
Places the federal information security incident center (a function fulfilled by US-CERT) within DHS by law;
Authorizes DHS technology deployments to other agencies' networks (upon those agencies' request);
Directs OMB to revise policies regarding notification of individuals affected by federal agency data breaches;
Requires agencies to report major information security incidents as well as data breaches to Congress as they occur and annually; and
Simplifies existing FISMA reporting to eliminate inefficient or wasteful reporting while adding new reporting requirements for major information security incidents.
The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA).

DHS and OMB set the rules, the agency applies the rules and self-reports on how well they are doing, and the OIG then assesses the agency as well. COSS gets to read the reports, cannot change anything in the rules.