HHS OIG: HHS Information Security Program Rated ‘Not Effective’
The Department of Health and Human Services Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.
The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.
The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.
The levels of maturity for information security are...