OPM still vulnerable to cyber attack – FISMA audit

The data breaches admitted by the federal Office of Personnel Management (OPM) this past summer compromised the personal data of 22.1 million past and present federal employees. Public outcry was understandably vociferous, especially when it was revealed that much of the data was unencrypted; OPM director Katherine Archuleta resigned following widespread castigation for presiding over the security debacle; and government agencies rushed to fix their cybersecurity defenses in response.

According to the newly released FY 2015 FISMA audit report from the OPM’s Office of the Inspector General (OIG), however, the OPM is still struggling “to meet many FISMA requirements.”
The Federal Information Security Management Act (FISMA) requires federal agencies to implement information security programs to ensure the confidentiality, integrity, and availability of their information and IT systems, including those provided or managed by other agencies or contractors.

It mandates that directors of federal agencies should oversee information security policies and practices that:

  • Provide information security protections that adequately reflect the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
  • Comply with the requirements of FISMA and related policies, procedures, standards, and guidelines, as developed by NIST.
  • Ensure that information security management processes are integrated with agency strategic and operations planning processes.

The OIG reports that “In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to fail to meet FISMA requirements, and we now have additional concerns with the manner in which the agency is attempting to quickly fix problems that were decades in the making.”

In short, “we are very concerned that the agency’s systems will not be protected against another attack”.

Information security best practice

Good information security is, it should scarcely need saying, the responsibility of all organizations – not just federal departments.

An information security management system (ISMS), as set out in the international standard ISO 27001, provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls.

According to the latest ISO Survey, there was a 17% growth in the number of ISO 27001 certificates in North America last year. As more and more organizations seek to implement best-practice information security based on the Standard, an ISO 27001 qualification is something that IT executives, compliance managers, and management systems professionals can no longer afford to be without.

Implementing an ISO 27001-compliant ISMS and achieving registration to the Standard can be a complicated undertaking, so ensuring you have the right skills to lead or audit an ISO 27001 project is essential to its success.

And with IT Governance’s Cyber November training offers, achieving industry-recognized qualifications is easier than ever.

Cyber November training offers

Book your place on one of our interactive Live Online training courses before midnight, November 30, 2015, and get bestselling implementation guidance and tools for free:

  • ISO27001 Certified ISMS Foundation Online

Buy before midnight, November 30, 2015, and get ISO27001/ISO27002 – A Pocket Guide and An Introduction to Information Security and ISO27001:2013 – A Pocket Guide (list price $29.90) free.

  • ISO27001 Certified ISMS Lead Implementer Online

Buy before midnight, November 30, 2015, and get The Case for ISO27001:2013 and Nine Steps to Success – An ISO27001:2013 Implementation Overview (list price $75.90) free.

  • ISO27001 Certified ISMS Lead Auditor Online Masterclass

Buy before midnight, November 30, 2015, and get the Lead Auditor Toolkit (list price $130) free.

What is Live Online training?

Our unique, real-time Live Online training courses let delegates study from any location across the US and acquire the knowledge to implement and audit compliance with international IT standards and best-practice frameworks. They also deliver the opportunity to achieve industry-standard IBITGQ qualifications that support the development of senior careers in information security management and IT governance.

“The key benefit was the savings in cost for travel. The second was being able to fully participate in the classroom setting without having to travel. The live audio and video components provide a near in-person experience. IT Governance was viewed as a lead player in this space. Previous experience with IT Governance has always been positive.”