By Colleen Kave, J.D.
Report provides recommendations for risk avoidance and improved security.
The Consumer Product Safety Commission’s (CPSC) Office of Inspector General (OIG) retained the services of Defense Point Security (DPS) to conduct a penetration and vulnerability assessment of the agency’s IT systems. In its report, DPS identified the need for improvement of CPSC’s security controls to defend against cyberattacks (OIG Report on the Penetration and Vulnerability Assessment of CPSC’s Information Technology Systems, June 11, 2019).
The assessment was performed in accordance with the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) Quality Standards for Inspection and Evaluation (QSIE). The objective of this penetration test was to assess the security of CPSC’s information technology (IT) infrastructure by identifying, cataloging, and safely exploiting security vulnerabilities. Pinpointing ways to improve the agency’s security posture would allow CPSC to eliminate security weaknesses that could have a significant negative impact on the confidentiality, integrity, and availability of agency information systems and data.
DPS concluded that CPSC’s security controls require improvement to more effectively detect and prevent certain cyberattacks. During the time DPS was performing its assessment, CPSC experienced an unrelated network outage that led to a suspension of fieldwork. Also, early in the testing phase, DPS discovered improperly posted sensitive information that was publicly accessible via widely used search engines and CPSC.gov. DPS notified CPSC immediately about this discovery.
While CPSC’s web application protections were generally sound at the time of testing, DPS found multiple issues which, in combination, create a substantial risk to agency systems and data.
CPSC senior management and IT staff received a briefing on the assessment results last month. DPS provided 40 actionable recommendations addressing issues of physical security, controls over sensitive information, system configuration, authentication, and other system security issues. When completed, these recommendations will significantly improve the information technology security posture of the agency. CPSC concurred with the report’s findings, and management has already implemented some of the recommendations.
Product Liability Law Daily: Breaking legal news at your fingertips