From: ars technica
Two separate “penetrations” exposed 14 million people’s personal info.
***
While OPM instituted continuous monitoring of some systems using security information and event management (SIEM) tools, those tools covered only 80 percent of OPM’s systems according to a fiscal year 2014 audit by OPM’s Internal Office of the Inspector General (OIG) audit team. And as of October 2014, monitoring didn’t yet include contractor-operated systems, according to the same organizational oversight.
“The OCIO (Office of Chief Information Officer) achieved the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems,” the OPM OIG reported in its audit. “The next stage in the OCIO’s plan involves requiring continuous monitoring by contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program.” In other words, OPM had no idea what was going on inside contractor-provided networks and only a limited grasp on what was going on within its own network.
Leave a Reply