The Broadcasting Board of Governors' response to cybersecurity incidents and its newly developed policy and procedures were the subject of a cutting review by auditors at Williams, Adley & Company-DC.
BBG supports federally funded broadcast outlets throughout the world, including its most well-known product, Voice of America. As a global journalistic organization, the agency's IT systems are under regular attack from nation states and criminal groups, making a strong, proactive response to cybersecurity incidents a top priority.
Audit: Broadcasting Board of Governors Incident Response and Reporting
"Williams, Adley determined that BBG's [incident response and reporting] program was not operating effectively," according to a new report by the agency's inspector general, which cited the BBG's response to eight cyber incidents reported to the security team last year. "As an organization with international exposure, BBG's information systems are subject to serious threats that can have adverse effects on organizational operations, assets and individuals."
The agency failed to properly report the incidents on several fronts.
BBG officials did not assign any of the incidents a US-CERT incident category (a scale from 0 to 6 that US-CERT requires agencies to use when reporting); three incidents were not reported in a timely manner, and two were not reported at all; and another event was never recorded as a security incident, despite clearly being a compromise.
Part of the problem, according to the report, was that BBG had no established policy or procedure for reporting such incidents at the time. The IG added, however, that a policy alone probably would not have helped in these cases.
"Even if the policies and procedures had been in place, the deficiencies would most likely have persisted," the IG wrote, as the guidance — finalized in May 2015 — does not match the best practices outlined by US-CERT and the National Institute of Standards and Technology.
"BBG did not include other essential processes in the policy and procedures, including risk assessment, host security, network security, malware prevention and user awareness and training," the report states. "In addition, BBG did not incorporate other vital information in its incident handling procedures regarding precursors and indicators such as a process for event correlation, evidence retention and an incident handling checklist."
The IG recommended an update to BBG's Computer Security Incident Response Policy and its Computer Security Incident Response Procedure to better align with the latest NIST standards.
BBG management agreed with the recommendation and said the agency will start work on the update immediately.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.