DOE Cyber-Security Audit Shows Incident Reporting, Management Hurdles
An audit of the Department of Energy's Cyber Security Incident Management Program outlined a number of challenges facing the agency.An audit of the Department of Energy's Cyber Security Incident Management Program found that duplicative efforts and the inconsistent reporting of cyber incidents are challenging security management. Released earlier this month, the audit by the DOE's Office of Inspector General paints a picture of an agency in need of a unified cyber-security management strategy as it works to deal with these issues. Among the report's findings was that independent, partially duplicative incident-management capabilities exist and are costing more than $30 million a year. In particular, the department's Joint Cybersecurity Coordination Center (JC3) provided response and advisory services and maintained supporting computer forensics and assistance in investigating and preserving cyber evidence even as at least two other organizations performed similar functions. In addition, the audit found that cyber-security incidents were not consistently identified or reported to the JC3 as required. For example, 91 of 223 reported incidents at seven sites were not reported within the required time frames. Ten incidents involving the loss of personally identifiable information were reported up to 15 hours after discovery, as opposed to the 45 minutes required by policy. In some cases, the incident reports did not contain "essential information" such as the date and time an incident occurred and the number of machines affected, ultimately meaning the information provided to law enforcement agencies and the U.S. Computer Emergency Readiness Team (US-CERT) was incomplete, the report said. "In the absence of an effective enterprise-wide cyber-security incident-management program, a decentralized and fragmented approach evolved that placed the department's information systems and networks at increased risk of compromise," according to the report. "The department's current reporting and cyber incident management structure also increases the risk that it will be unable to satisfy both internal and external response and reporting requirements."
Former US-CERT Director Mischel Kwon said the report is not as bad as it may seem, and instead illustrates an agency working to address operational and structural issues.