Dive Brief:
- A recent report from the Office of the Inspector General (OIG) says HHS needs to beef up data security and procedures.
- HHS was found lacking in ten areas, ranging from continuous monitoring management to contractor systems.
- "Exploitation of these weaknesses could result in unauthorized access to, and disclosure of, sensitive information and disruption of critical operations for HHS," said Ernst & Young, the business management consulting firm that conducted the audit for the OIG.
Dive Insight:
According to the OIG report, the ten areas that need to be improved are: continuous monitoring management; configuration management; identity and access management; incident response and reporting; risk management; security training; plan of action and milestones; remote access management; contingency planning; and contractor systems.
Ernst & Young found that HHS has not implemented a program to continuously monitor, update and finalize the policies and procedures governing how operational divisions address and implement strategies and report on HHS metrics.
The agency also has not implemented oversight processes to enforce incident response and reporting procedures, nor has it implemented procedures to ensure system inventories are complete, accurate and effectively managed.
Several operational divisions failed to remediate risks identified in configuration baseline compliance checks and vulnerability scans performed with Security Content Automation Protocol (SCAP) tools, and failed to consistently apply account management procedures for shared accounts and for new, transferred and terminated personnel.
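The account management gaps the audit describes (shared accounts, and personnel who are new, transferred or terminated) are the kind of thing a periodic reconciliation of the directory against the HR roster catches. The script below is an added example, not code from the OIG report, the audit, or HHS: it compares a constructed account inventory against a constructed HR roster and flags terminated staff whose accounts remain enabled past a grace period, transferred staff who kept groups from a prior role, accounts with no owner in HR, and shared accounts with no active named steward. All names, field layouts, the role-to-group entitlement table and the one-day grace period are assumptions made for illustration.

```python
"""Account reconciliation check: an added example, not code from the OIG/E&Y audit.

Compares an account inventory against an HR roster and flags the gaps the
audit describes: terminated staff still enabled, transferred staff keeping
groups from a prior role, accounts with no owner in HR, and shared accounts
without an active named steward. All data, field names and the grace-period
policy below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                          # "active" or "terminated"
    role: str                            # current role
    prior_role: Optional[str] = None     # set when the person transferred
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: FrozenSet[str]
    owner_id: Optional[str] = None       # HR employee ID for personal accounts
    shared: bool = False                 # shared/service account
    steward: Optional[str] = None        # employee accountable for a shared account


# Constructed role -> entitled groups (hypothetical policy, not an HHS one).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"users", "reports"}),
    "sysadmin": frozenset({"users", "reports", "domain-admins"}),
}
GRACE_DAYS = 1   # constructed policy: disable within one day of separation
TODAY = date(2024, 3, 15)

# Constructed HR roster.
ROSTER: Dict[str, Person] = {p.employee_id: p for p in [
    Person("E100", "active", "analyst"),
    Person("E200", "terminated", "analyst", separation_date=date(2024, 3, 1)),
    Person("E300", "active", "analyst", prior_role="sysadmin"),
    Person("E400", "active", "sysadmin"),
    Person("E500", "terminated", "sysadmin", separation_date=date(2024, 1, 10)),
]}

# Constructed account inventory, as it might be exported from a directory.
ACCOUNTS: List[Account] = [
    Account("alice", True, frozenset({"users", "reports"}), owner_id="E100"),
    Account("bob", True, frozenset({"users"}), owner_id="E200"),
    Account("bob-admin", False, frozenset({"domain-admins"}), owner_id="E200"),
    Account("carol", True, frozenset({"users", "reports", "domain-admins"}), owner_id="E300"),
    Account("dave", True, frozenset({"users"}), owner_id="E999"),
    Account("svc-backup", True, frozenset({"users"}), shared=True, steward="E400"),
    Account("svc-legacy", True, frozenset({"users"}), shared=True, steward="E500"),
    Account("svc-print", True, frozenset({"users"}), shared=True),
]


def reconcile(accounts: List[Account], roster: Dict[str, Person],
              entitlements: Dict[str, FrozenSet[str]], today: date) -> List[Tuple[str, str]]:
    """Return (username, reason) findings, in inventory order."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.shared:
            # A shared account needs a named, currently employed steward.
            steward = roster.get(acct.steward) if acct.steward else None
            if steward is None or steward.status != "active":
                findings.append((acct.username, "shared account without an active named steward"))
            continue
        person = roster.get(acct.owner_id) if acct.owner_id else None
        if person is None:
            findings.append((acct.username, f"orphaned: owner {acct.owner_id} not in HR roster"))
            continue
        if person.status == "terminated":
            overdue = (person.separation_date is None
                       or (today - person.separation_date).days > GRACE_DAYS)
            if acct.enabled and overdue:
                findings.append((acct.username, f"terminated {person.separation_date} but still enabled"))
            continue   # a disabled account of a leaver is the expected state
        # Transfers: groups beyond the current role's entitlements are leftovers.
        excess = acct.groups - entitlements.get(person.role, frozenset())
        if excess:
            origin = f"transferred from {person.prior_role}: " if person.prior_role else ""
            findings.append((acct.username,
                             f"{origin}holds groups beyond role {person.role}: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, reason in reconcile(ACCOUNTS, ROSTER, ROLE_ENTITLEMENTS, TODAY):
        print(f"{user:12} {reason}")
```

Run as-is, the check flags bob (terminated, still enabled), carol (transferred, still in domain-admins), dave (owner unknown to HR), and the two shared accounts with no active steward, while leaving alice, the already-disabled bob-admin and svc-backup alone. In practice the roster and inventory would be pulled from the HR system and the directory rather than hard-coded, and the entitlement table is where a new hire's role-based access would be defined up front.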
Completion of role-based security training, both for personnel with security responsibilities and for personnel using IT systems, was not monitored. Milestones in plans of action were not consistently documented, and some operational divisions have not finalized their remote access policies and procedures.