Tuesday, June 18, 2019

NASA OIG Finds Pervasive Problems With JPL Cybersecurity

NASA OIG: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory

"Multiple IT security control weaknesses reduce JPL's ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. ... We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time - sometimes longer than 180 days. ... Further, we found that multiple JPL incident management and response practices deviate from NASA and recommended industry practices. ... Finally, while the contract between NASA and Caltech requires JPL to report certain types of IT security incidents to the Agency through the NASA SOC incident management system, no controls were in place to ensure JPL compliance with this requirement nor did NASA officials have access to JPL's incident management system. Collectively, these weaknesses leave NASA data and systems at risk. Despite these significant concerns, the contract NASA signed with Caltech in October 2018 to manage JPL for at least the next 5 years left important IT security requirements unresolved and instead both sides agreed to continue negotiating these issues. As of March 2019, the Agency had not approved JPL's plans to implement new IT security policies and requirements NASA included in its October 2018 contract."

NASA Needs A New Chief Information Officer, earlier post

"NASA's CIO has been asleep at the wheel for years. It's time for a reboot."



from NASA Watch http://bit.ly/2x3bXMo