The U.S. Government Accountability Office (GAO) has released a new cybersecurity guide in response to the increasing risks facing federal IT systems. The GAO Cybersecurity Program Audit Guide offers comprehensive guidance for conducting cybersecurity performance audits. The guide has two basic objectives: first, to help Congress, federal departments, state and local auditors, private sector organizations, and non-profits identify weaknesses in cybersecurity programs; second, to recommend fixes.
The guide, developed with input from federal officials and industry experts, outlines the methodology for cybersecurity control audits according to professional standards. It includes practical examples of audit procedures to assess various aspects of agency cybersecurity programs, rectify weaknesses, and prevent cyberattacks.
The guide focuses on auditing cybersecurity programs in several critical areas, including asset and risk management, configuration management, identity and access management, constant monitoring, incident response, and contingency planning and recovery.
“By adhering to this guidance, both the public and private sectors will be better prepared to protect the government’s vital information systems against cybersecurity attacks.”
Gene L. Dodaro, GAO
The guide emphasizes flexibility, allowing organizations to adapt and adjust audit techniques based on their specific audit goals and demands.
The GAO’s development of this guide stems from its recognition of the escalating cybersecurity threats and the need for comprehensive audits to identify weaknesses and recommend corrective actions. The guide draws on GAO’s experience in issuing information security and cybersecurity audit reports over the past three decades.
The guide’s creation involved collaboration with various groups: the federal Office of Inspectors General, public accounting firms, state audit offices, and experts from federal, state, local, private, and non-profit sectors.
Source: Cybersecurity Program Audit Guide