BreachExchange mailing list archives

Cybersecurity focus by HHS, other federal agencies 'abysmal'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Feb 2015 19:17:10 -0700

http://www.fiercehealthit.com/story/cybersecurity-focus-hhs-other-federal-agencies-abysmal/2015-02-23

A new study from The Brookings Institution slams federal agencies for doing
a poor job of making cybersecurity part of their strategic plans.

While federal officials tend to talk the right talk (the study points to
President Obama's cybersecurity plans outlined in his State of the Union
speech), federal agencies fail to back that talk up with action.

After passage of the Government Performance and Results Modernization Act
of 2010, federal agencies were required to set out a strategic plan. The
U.S. Department of Health and Human Services' plan is one of the most
detailed at 125 pages--and also one of the most IT-focused. Overall,
however, the study's authors call the focus on cybersecurity "abysmal,"
according to Kevin Desouza, associate dean for research at the college of
public programs at Arizona State University and a non-resident senior
fellow of Governance Studies at the Brookings Institution, in a blog post.

The Defense and Energy departments are notable exceptions, Desouza says.
Overall, half of the federal agency strategic plans don't mention
cybersecurity at all, and few discuss cybersecurity efforts in detail.

"The major issue that we uncovered was that even though the threats of
attacks to critical infrastructure are at an all-time high, most of the
agencies lack clear plans on how to invest in capabilities to actually deal
with these threats and also in the agencies where they had clear plans or
clear actions, there were no real performance evaluation metrics to
actually uncover if these investments are actually going to pay off,"
Desouza tells Federal News Radio.

The Department of Veterans Affairs, which has suffered a number of
embarrassing breaches, in November redirected $60 million to its
cybersecurity efforts. However, a series of reports from the Inspector
General continues to hammer the agency for its lack of discipline and
accountability for effective oversight of its IT projects.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 