Saturday, September 30, 2023

GAO Reports – Week of 9-23-23 – Cybersecurity Audits

This week the Government Accounting Office (GAO) published a report on “Cybersecurity Program Audit Guide”. Rather than the normal GAO report on the results of an audit, this report outlines “the methodologies, techniques, and audit procedures they [auditors] need to evaluate the components of agencies' cybersecurity programs and systems.” It identifies six major components of a cybersecurity program audit:

• Asset and risk management: developing an understanding of the cyber risks to assets, systems, information, and operational capabilities.

• Configuration management: identifying and managing security features for system hardware and software and controlling changes to the configuration.

• Identity and access management: protecting computer resources from modification, loss, and disclosure by limiting authorized access.

• Continuous monitoring and logging: maintaining ongoing awareness of cybersecurity vulnerabilities and threats to an organization's systems.

• Incident response: taking action when security incidents occur.

• Contingency planning and recovery: developing contingency plans and executing successful restoration of capabilities.

No comments:

/* Use this with templates/template-twocol.html */