[ISN] Cybersecurity’s not done until the paperwork is finished

http://gcn.com/blogs/cybereye/2014/12/va-cybersecurity-documentation.aspx

By William Jackson
GCN.com
Dec 05, 2014

The Veterans Affairs Department has been dinged once again by the Government Accountability Office for lack of follow-through in its cybersecurity operations.

In a recent report, VA Needs to Address Identified Vulnerabilities, the GAO warned that unless VA’s security weaknesses are fully addressed, “its information is at heightened risk of unauthorized access, modification and disclosure, and its systems at risk of disruption.”

The problem cited in the report is not so much that VA is doing a bad job securing its networks and systems, but that it has not properly documented security activities and has not developed action plans and milestones for correcting problems.

Documentation and planning are more than busywork. Although it is true that checking boxes and creating reports will not by themselves improve IT security, without them it can be difficult if not impossible to assure what has been done, that it has been done properly and that it can be repeated if necessary. These processes can make the difference between constantly fighting brushfires and being able to effectively protect an agency enterprise and improve its security posture.

[…]