This week the Government Accounting Office (GAO) published a report titled “Cybersecurity Program Audit Guide”. Rather than the normal GAO report on the results of an audit, this report outlines “the methodologies, techniques, and audit procedures they [auditors] need to evaluate the components of agencies' cybersecurity programs and systems.” It identifies six major components of a cybersecurity program audit:
• Asset and risk management: developing an understanding of the cyber risks to assets, systems, information, and operational capabilities.
• Configuration management: identifying and managing security features for system hardware and software and controlling changes to the configuration.
• Identity and access management: protecting computer resources from modification, loss, and disclosure by limiting authorized access.
• Continuous monitoring and logging: maintaining ongoing awareness of cybersecurity vulnerabilities and threats to an organization's systems.
• Incident response: taking action when security incidents occur.
• Contingency planning and recovery: developing contingency plans and executing successful restoration of capabilities.