Despite making some security improvements, the Office of Personnel Management is still struggling to comply with recommendations that the Inspector General's office has made repeatedly – making it vulnerable to another breach.
The fiscal 2015 audit from the OPM's Office of the Inspector General — published just months after the OPM admitted a network hack exposed the personal information of 21.5 million former, current and prospective U.S. employees — stated the agency is vulnerable to another cyberattack, as it continues to struggle to meet many requirements under the Federal Information Security Modernization Act.
“We continue to believe that (the) OPM's management of system authorizations represents a material weakness in the internal control structure of the agency's IT security program,” Michael R. Esser, assistant inspector general for audits, said in the report.
The moratorium on system authorizations has led to neglect of the IT security controls protecting the OPM's systems, he added.
“Combined with the inadequacy and non-compliance of OPM's continuous monitoring program, we are very concerned that the agency's systems will not be protected against another attack,” Esser said.
While the massive OPM hack may have been impossible to prevent, auditors had previously identified weaknesses in the OPM's IT management system, the report said.
“Our recommendations appeared to garner little attention, as the same findings were repeated year after year,” it said.
Additionally, the report strongly suggested the OPM's inability to accurately inventory its systems and network devices severely limits the efficacy of its security controls.
“(The) OPM has implemented a large number of improved security monitoring tools, but without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced,” the report stated.
Information security governance changes made this fall by the OPM satisfied a long-standing weakness cited by the OIG. At the OIG's advice, the OPM implemented a centralized information security governance structure where all information security practitioners, including designated security officers, report to the chief information security officer.
Nevertheless, key weaknesses still exist, according to the report. For example, the OPM does not have a thorough inventory of its servers, databases and network devices, which drastically diminishes the effectiveness of its security tools, the report stated. The OIG also found the OPM has not configured its virtual private network servers to automatically log out of remote sessions.
The report also revealed only 65% of employees with “significant security responsibilities” had completed special IT training during the 2015 fiscal year.
“The OPM has been neglecting security best practices for a long time and has not spent enough of its resources, long term, on solving this,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based cybersecurity company KnowBe4, stated. “It is no surprise they are having trouble catching up. Cybersecurity needs to be a much higher priority, especially now.”
“The government needs to change the speed of IT security projects execution,” Ondrej Krehel, founder/CEO of the New York City-based cybersecurity intelligence firm LIFARS, said. “In the past, any government project generally took longer to implement with many corrective actions.”
Krehel also pointed out that attackers operate at high velocity, and that cybersecurity remediation must run at a similar tempo and with similar precision.
“This is not the current state of actions at many government institutions, which is a combination of a lack of talent as well as a project management skill set in cybersecurity,” he said. “Cybersecurity is not a cookie cutter solution. Tailoring the proper solution takes multiple steps and proper design is needed.”
© 2024 ALM Global, LLC, All Rights Reserved.