From: United States House of Representatives Committee on Oversight and Government Reform
Statement for the Record
Social Security Administration: Information Systems Review
Gale Stallworth Stone, Deputy Inspector General, Social Security Administration
***
Before I review the reporting metrics that revealed significant deficiencies in SSA’s information security controls, I want to highlight the importance of the Agency’s efforts to implement NIST’s Information System Continuous Monitoring (ISCM) strategy. Continuous monitoring helps organizations maintain ongoing awareness of information security, vulnerabilities, and threats to support risk-management decisions. ISCM calls for organizations to implement tools and processes that maintain situational awareness of all systems; maintain an understanding of threats and threat activities; assess all security controls; collect and analyze security-related information; and communicate security status across the organization.
We reported that SSA has “defined” its ISCM strategy, but the Agency continues to rely on manual and procedural information-security methods in situations where automation may be more effective. ISCM requires active risk management by organizational officials, and it is most effective when automated; however, we recognize that many aspects of the strategy, especially for legacy data systems as entrenched and complex as SSA’s, are not easily automated. SSA’s commitment to implementing a comprehensive ISCM strategy—to provide ongoing security monitoring and updates—is of critical importance. Considering the current threat of cyber attacks facing government agencies, a thorough continuous-monitoring program is necessary in any information security system.