
SoylentNews is people

posted by chromas on Wednesday June 26 2019, @09:50AM
from the ¯\_(ツ)_/¯ dept.

Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.

A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.

To produce this damning dossiers[sic], the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.

"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.

"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."


  • (Score: 4, Insightful) by Anonymous Coward on Wednesday June 26 2019, @03:38PM (1 child)

    by Anonymous Coward on Wednesday June 26 2019, @03:38PM (#860117)

    First, thanks for sharing and being so open about what you do and your role. It's more than understandable why you're posting as AC. You're correct that the whole aspect of contracting reduces things to lowest common denominators - it always does.

    But simultaneously you describe exactly why the policies have to be reduced to child level and must be deterministic 'do this, don't do that' rules: If it gets in your way, you do whatever you feel you need to in order to work whether it has been approved or not. You junk the framework that has been established by a group about how to do things safely, and instead trust in your own knowledge and equipment. On an individual basis this is fine and not a problem. In a group environment, however, it is a disaster and a breach waiting to happen. One problem is that not all government employees are as knowledgeable, smart, cautious, or conscientious as you are. Another is people who think they are as smart, cautious, and conscientious as you but are not.

    IT policy does blame the customer when something goes wrong when the customer has provably deviated from the policy and something happens. You may be dinged for deviating from it because your management knows that there are statistics waiting to happen. "But otherwise, it wouldn't get done," is a poor excuse. DON'T DO IT, THEN. And when they come to you and ask you why it's not done, have all your tickets and contacts with the department stating when you reported it, how, and how you followed up and it wasn't done. You are contacting your helpdesk or resource daily and documenting that, aren't you? Oh, you're not? Why not? Why are you not talking to your manager on a daily basis in a documentable form about your issue?

  • (Score: 2) by shortscreen on Wednesday June 26 2019, @09:14PM

    by shortscreen (2252) on Wednesday June 26 2019, @09:14PM (#860257) Journal

    "You are contacting your helpdesk or resource daily and documenting that, aren't you? Oh, you're not? Why not? Why are you not talking to your manager on a daily basis in a documentable form about your issue?"

    Not sure if this applies to AC's situation, but in a scenario where the standard procedure for dealing with some problem is to report it to another person who also isn't directly responsible for the matter or can't address it because they lack the authority/capability, a likely outcome is that person 2 starts shooting the messenger and person 1 then doesn't bother reporting problems anymore. This is especially true if person 2 is a manager who likes having yes-men around better than having to listen to inconvenient truths.