VA Revamping Cybersecurity Strategy

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/va-revamping-cybersecurity-strategy-a-8461

With the federal government clearly in in the bullseye of hackers, the
Department of Veterans Affairs is revamping its cybersecurity strategy
under its new CIO, LaVerne Council, who took over the job last month.

Last week, Council formed an Enterprise Cybersecurity Strategy Team that's
charged with delivering an enterprise cybersecurity strategic plan, a VA
spokesman tells Information Security Media Group. The VA's Veterans Health
Administration is the United States' largest integrated healthcare system,
with more than 1,700 sites of care serving almost 9 million veterans each
year.

"The plan will help VA achieve transparency and accountability while
securing veteran information," the spokesman says. The team is led by Susan
McHugh-Polley, a VA senior executive program manager, and comprises an
undisclosed number of leaders, subject matter experts and support staff
from areas throughout VA's information and technology division.

"The team's scope includes management of current cybersecurity efforts as
well as development and review of VA's cybersecurity requirements and
operations holistically - from desktop to software to network protection,"
the spokesman says. Upon completion, a summary of the plan will be made
available once it has been presented to Congress.

Council was unavailable for comment on the new project.

The move to reassess VA's cybersecurity efforts come at a time when several
other federal government units have been hit with sophisticated
cyberattacks, including the Internal Revenue Service, the Office of
Personnel Management and, most recently, the Pentagon.

The VA also has been seeing a dramatic rise in cyberthreats this year, the
VA's former acting CIO, Steph Warren, noted at recent monthly media
briefings before Council took over as CIO last month. Warren served as
acting CIO for about two years after the departure of former CIO, Roger
Baker. Warren continues to serve as the VA's deputy CIO.

In other leadership changes, Stanley Lowe, deputy assistant secretary for
information security, on Aug. 6 announced to his team that he is retiring
effective Aug. 22 after 25 years in federal service, according to a memo
the VA shared with ISMG.

Details about the transition of the information security leadership at VA
will be revealed in the coming weeks, he noted in his memo.

Protecting Vets' Data

While it's yet to be determined how the VA's cybersecurity strategy might
change once the new team assembles a refreshed plan, it's been using a
defense-in-depth approach to protect the data the department holds on
veterans.

"While the defense-in-depth approach protects from inbound threats and
contains other data exposing incidents, VA relies on employees to protect
veteran information they handle and transmit," explains a report issued in
June by the VA that summarizes information security activity.

The VA's defense-in-depth strategy includes using the Department of
Homeland Security's Einstein 3intrusion protection system as its perimeter
defense.

That system has been helping VA to fend off a rising flood of threats
facing the department, Warren said.

For instance, information security activity reports from the VA for May and
June illustrate the volume of cyberthreats being contained and blocked each
month at the VA - and how those incidents are soaring:

- Suspicious/malicious email blocked/contained: 73.9 million in May vs.
103.1 million in June.
- Intrusion attempts blocked/contained: 336.4 million in May vs. 389.3
million in June.
- Malware blocked/contained: 574.7 million in May vs. 680.2 million in June.

Team Effort

At a July 1 media briefing, Warren said that he had being pulling together
in recent months leadership from the VA's cybersecurity, IT services and
operations areas "to talk about what we need to do to in this increasing
threat environment, in terms of raising our game, adding more protection."

The group met three times in June, including meeting with VA business and
administrative managers, he noted. Among the topics that were part of those
discussions were "how do we change boundary protections to tighten things
down even further; social media ... and locking it down further; and
reconfiguring systems to further minimize access points," Warren said.

A VA information security fact sheet issued in July also provides a look at
other key elements of the VA's cybersecurity efforts.

For instance, the VA says it:

- Has 587 information security professionals;
- Allocated $200 million in 2014 for information security;
- Monitors 4.5 million emails per day, with more than 75 percent blocked
due to malware and other malicious activity;
- Tracks and defends against 55,000 new malware variants per day;
- Safeguards 750,000 connected network devices;
- Has encrypted 100 percent of the 438,394 desktops and laptops on the VA
network.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!