
The United States faces an impending “cyber Pearl Harbor,” according to former Defense Secretary Leon Panetta. Signs of the nation’s vulnerability include a recent hack of 20 million personnel records from a government agency and another hack of 40 million credit card accounts from Target. Recognizing that cyberattacks target both government and private sector organizations, New York regulators are looking to bolster oversight of financial companies’ cybersecurity practices with a new rule that would require those companies to establish a cybersecurity program and designate a Chief Information Security Officer (CISO) to manage it. Other requirements include safeguarding information accessible to third parties, building a cybersecurity workforce, and developing a response plan for cyber incidents. Some have speculated that New York’s proposed rule will serve as a model for other states and the federal government, but as state and federal regulators grapple with how best to protect financial institutions, they would do well to study federal regulators’ experiences with protecting their own agencies.

Just one month before New York unveiled its proposed rule, the U.S. Government Accountability Office (GAO) released a report detailing its findings about how federal agencies’ CISOs have fared in managing their own cybersecurity programs. The assessment, which evaluated 24 agencies and departments, had two goals. First, it sought to find out whether agencies had defined their CISOs’ roles in accordance with federal law and guidelines. Second, GAO wanted to identify the challenges that CISOs faced in developing and implementing their agencies’ security programs. In reviewing how agencies had defined the roles of their CISOs, the assessment measured the agencies’ practices against the requirements of the Federal Information Security Modernization Act of 2014, as well as against guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). The assessment identified 11 activities for which the CISO is responsible, including periodic risk assessments, policies and procedures, security plans, training, incident response, and contingency planning. Of the 24 agencies, GAO found that only 11 had defined their CISO’s role for all of these activities.

According to GAO, the remaining 13 agencies had only partially defined their CISO’s role and risked “limiting ability to effectively oversee these agencies’ information security programs.” GAO also administered surveys to, and conducted interviews with, each of the CISOs to determine what challenges they had faced in managing their cybersecurity programs. The surveyed CISOs expressed a number of concerns. Eighteen reported competition between security and operations priorities, including that security personnel sometimes reported to their ordinary chain of command instead of to the CISO, with the result that security concerns were under-prioritized. Additionally, coordination with other components, resource limitations, and quickly changing technology were each cited as obstacles to managing the programs.
