Information Security News mailing list archives

Cybersecurity’s not done until the paperwork is finished


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 10 Dec 2014 06:33:31 +0000 (UTC)

http://gcn.com/blogs/cybereye/2014/12/va-cybersecurity-documentation.aspx

By William Jackson
GCN.com
Dec 05, 2014

The Veterans Affairs Department has been dinged once again by the Government Accountability Office for lack of follow-through in its cybersecurity operations. In a recent report, VA Needs to Address Identified Vulnerabilities, the GAO warned that unless VA’s security weaknesses are fully addressed, “its information is at heightened risk of unauthorized access, modification and disclosure, and its systems at risk of disruption.”

The problem cited in the report is not so much that VA is doing a bad job securing its networks and systems, but that it has not properly documented security activities and has not developed action plans and milestones for correcting problems.

Documentation and planning are more than busywork. Although it is true that checking boxes and creating reports will not by themselves improve IT security, without them it can be difficult if not impossible to assure what has been done, that it has been done properly and that it can be repeated if necessary.

These processes can make the difference between constantly fighting brushfires and being able to effectively protect an agency enterprise and improve its security posture.

[...]
