Saturday 29 August 2015

Labor Department CIO Defends Security Efforts

A senior IT official at the Labor Department is defending its cybersecurity efforts in the wake of a critical report by the department’s inspector general’s office.

Chief Information Officer Dawn Leaf, in a letter to the Labor Department’s assistant inspector general released this week, expressed “concerns with the completeness and accuracy” of the federal watchdog’s July 2015 cybersecurity report.

In the letter, Ms. Leaf said that despite a $4.1 million budget cut to the Labor Department’s IT modernization funding for the 2015 fiscal year, as of Aug. 14 the agency had implemented two-factor authentication for 80% of its systems’ privileged users and 78% of its general users. She expects to achieve full compliance by the end of September.

Those efforts required assistance from multiple agencies and “diverted substantial resources, amounting to thousands of hours of staff time,” she said.

A Labor Department spokesperson declined to comment on the letter.

Among other issues, the inspector general’s July report chided the agency for not implementing stronger system access controls sooner, despite repeated warnings of security weaknesses over the past five years. The report said the agency didn’t start beefing up access control until a massive data breach at the U.S. Office of Personnel Management came to light.

A spokesperson for the inspector general’s office told CIO Journal on Friday it stands by the report.

The OPM disclosed in early June that hackers had accessed personnel records as part of at least two 2014 cyberattacks. OPM director Katherine Archuleta resigned in early July after damage reports grew to include the theft of more than 21 million Social Security numbers and 19.7 million forms that detailed mental-health histories and other background material on current and former employees, job applicants and their families. Some federal lawmakers have since called for the resignation of agency CIO Donna Seymour.

Referring to the use of Personal Identity Verification cards – smartcards issued to federal employees to access government facilities and information systems – the report said the Labor Department “only recently began implementing this requirement” for PIV-based authentication after the OPM breach.

“Had DOL implemented the requirement earlier, it could have prevented unauthorized access to DOL’s computer networks and systems by 11 separated employees who still had active accounts after their departure,” the report said, based on a review of the agency’s access controls.

In her letter, Ms. Leaf said agency officials were briefed on access-control and other risk management strategies back in August 2012, as part of an agency-wide Identity and Access Management program launched in 2011, which sought to automate account management processes and “enable user-based PIV Card authentication for all users to all DOL systems, including DOL cloud-based system,” such as cloud email.

The program was chartered and approved by the agency’s IT Project Review Board last year, she said.

More recently, Ms. Leaf said the agency scrambled to meet broad security goals set by the so-called Cybersecurity Sprint, a government-wide initiative launched in June 2015 by Federal CIO Tony Scott that gave government agencies a 30-day window to shore up IT vulnerabilities, identify threats and tighten access controls.

View the original content and more from this author here: http://ift.tt/1PXKY6J


