If you are in a position where you either give or receive IT Security audits, please stop what you’re doing and read this right now (if you haven’t already).
It’s the 2014 security audit by the OPM Inspector General’s Office of Audits. Katherine Archuleta resigned last Friday as head of the U.S. Office of Personnel Management, and I’m guessing she wishes she had read it a little more carefully.
My experience indicates that a large percentage of people reading this line ignored my admonition to read the audit. You’re down here, blissfully skimming through paragraph 4, thinking “Read an audit? Who actually reads those things? Don’t we all employ people to just sum those things up and give us the highlights? That’s the only reason people like Ken have jobs.”
So, if you’re one of those really important people who don’t read actual audits, I have good news and bad news. The good news is, sure, I’ll pull out a couple of highlights for you. The bad news is, I’m probably not in a position to see any audit that is personally meaningful to you, so you might get “Katherine Archuleta’d” at some point in the future. Sorry.
As promised, some of the highlights –
The first item mentioned in the report is the failure to have a proper security governance organization. This extends all the way to not having a properly implemented Risk Executive Function. The 2010 audit pointed this out as well, so they’ve been on notice for four years now. The 2014 audit downgrades this issue from a material weakness (audit talk for a really big deal) to a significant deficiency (kind of a big deal) on the basis that OPM now has a plan in place. Seriously?!?! Four years and you have a plan?
They are in the dark. They have no valid inventory of servers, databases, or network devices. They have implemented a SOC but are not monitoring all of their systems. They have no mature vulnerability scanning program. No multi-factor authentication is required to access key systems.
Most successful business people have a little bit of lawyer in them. When you show them a contract, they’ll read it. They’ll talk to their lawyers, but they won’t accept any blanket advice. The lawyers they trust will bring risks to the forefront, not downplay them.
My suggestion is that you get a little bit of auditor in you. It’s a skill you need.