FCW : September 15, 2015
Auditors and regulators: Time to hire more IT grunts?

... are in short supply in both industry and government. In the financial sector, for instance, four primary agencies are responsible for examining tens of thousands of institutions, as the Government Accountability Office detailed in a July report. Although NBC News quoted Dmitri Alperovitch, co-founder of computer security company CrowdStrike, as saying that hackers could wreak “absolute havoc on the world’s financial system for years” by altering electronic bank records, there are only a handful of IT-proficient regulators.

Among the findings in GAO’s recent report:

• The Federal Deposit Insurance Corp. has 60 “premium IT examiners” to review more than 4,000 financial institutions.
• The Office of the Comptroller of the Currency has 100 IT specialist examiners to monitor 1,500 institutions.
• The National Credit Union Administration has roughly 50 IT specialists for the 6,200 credit unions it monitors.
• The Federal Reserve System has some 85 IT examiners for the 5,500 institutions under its watch.

GAO auditors said a generalist examiner who has some IT training often reviews the cybersecurity situation at small and midsize banks, which means those institutions are receiving less-than-optimal analysis and advice.

A similar scarcity persists in IG offices. At NASA, Paul Martin said, there are 80 auditors in the IG’s office, but only five of them have IT expertise.

“They are very difficult to retain,” Martin said of IT-proficient auditors. “We tend to poach from each other in the IG community.”

The lack of expertise hinders thorough reviews. “I think every agency has no doubt dozens of IT audits or reviews that should be done” but aren’t due to a lack of tech-savvy auditors, he added.
What auditors should know

Martin has criticized the checklist nature of Federal Information Security Management Act reports in the past, noting that FISMA “doesn’t get down onto the ground” to deeply assess security.

“You don’t want to have a bus driver be the flight examiner for a Boeing 747 pilot just because he can follow a checklist,” said Montana Williams, senior manager of ISACA’s Cybersecurity Practices. “If you’re not a cybersecurity professional, how can you audit cybersecurity?”

Among the skills regulators and auditors should have is “detailed knowledge of the operating systems and the technology in operation” at the agencies or institutions they’re monitoring, said Gregory Wilshusen, GAO’s director of information security issues.

“They have to understand security policies and procedures and how they are implemented, and they have to understand technical security controls to be able to judge, ‘Are they implemented and operating as intended?’” he added.

Those skills can be difficult to pick up on the fly, which is why some experts advocate looking for people who have an IT background.

“I’ve found the best IT auditors are former IT grunts,” notes Mack, an IT auditor and author of the ITauditSecurity blog. The blog keeps a running tally of the skills IT auditors should have, from basic typing to understanding permissions and knowing how networks, applications and databases interact.

However, Williams and Martin both said that even IT-proficient auditors need continuous training to stay sharp. Williams plugged the Cybersecurity Nexus training program he runs at ISACA. Martin said IGs need to find specialized training for their auditors because the Council of the Inspectors General on Integrity and Efficiency’s training program does not offer the necessary cybersecurity courses.
Martin added that tech can be a boon, not just a burden, for regulators and auditors, and he cited the analytics work done by the National Science Foundation’s IG as an example.

In the meantime, experts advise making the most of the resources you have. “We matrix our teams,” said Martin, explaining that one IT pro can support a bigger team of reviewers to make audits more effective.

“We tend to poach from each other in the IG community.” (Paul Martin, NASA)