State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period to determine whether the Department complied with its information security policies and procedures.

Screen Shot

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requests that the two recommendations be closed due to agency actions, but also expressed concerns over the OIG’s use of this press article from nextgov cited in the audit:

Screen Shot

WaPo reported on the email system being taken down over hacking concerns here, and we did a blog post on the incident here (see State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).
