What can we learn from these government agencies that are failing external audits in protecting our data?
From Charles Robbins
August 30, 2021
What can we learn from these government agencies that are failing external audits in protecting our data? In general, these agencies “consistently failed to implement certain key cybersecurity requirements including encryption of sensitive data, limiting each user’s access to the information and systems needed to perform their job, and multi-factor authentication”. From reading through these three simple tasks, at your organization, it begins with an assessment. We contact the platform developer to get their CSF certification, the data on their penetration tests and their encryption standard. Oh, if you are at a government agency or large enterprise, the developer is missing all three. Failure point 1.
In your assessment, you check 25 random accounts. In the first five you have checked, the users have too much access and have not met their security credentials requirements and training. Failure point 2. In the assessment, we can use their station under our login and there is not 100% MFA. Failure point 3. This type of audit does not need to take expensive external teams to find your problems. Any executive can do this inspection. We do ask executives all the time why they are not aware of these issues. Once leaders start to get control of their own departments, they can fix the data security issues by applying the NIST standard.
TechR2 does ISO 31000 Assessments for our clients and for IBM’s clients.