When you have a security assessment conducted on your enterprise there is always an opportunity for improvement. No enterprise is perfect. By which I mean, show me a perfect environment and I will give birth to a unicorn.
There is always a list of findings that spills out of an assessment, and it is usually in the best interest of the organization to remediate them. Lest they suffer the indignity of being dragged to the stocks at midday. Sadly, I have lived through multiple companies where there was less of a concern with fixing the issues than there was with making the findings "go away". IT managers who were on the hook for the items did not want to continually explain to senior management what was taking so long.
From Aljazeera America:
“When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access,” said the report.
The IRS instituted a number of "planned corrective actions" (PCAs) in response to previous TIGTA reports about security shortcomings in the agency, but the new TIGTA report said that those PCAs, considered “closed” or completed by the IRS, were inadequate.
“During our audit, TIGTA determined that eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented.”
It appears that there was a lack of effort on the part of IRS IT folks to do things right the first time. This may have led to a potential breach of taxpayer data. In this case, apparently 42% of the issues were basically brushed under the carpet or done in a half-assed fashion in the hope that no one would notice.
This is not an uncommon practice.
At one company that I worked for there was an issue in that a commonly used administrative password was reused repeatedly. This gave a user local administrative access to a Windows system. That particular set of credentials was quite possibly one of the worst kept secrets I've ever had to keep. Well, myself and several hundred other people. Oh, did I mention it was a generic account?
The respective IT manager was given this item to remediate and he chose to play dumb. Although, as I reflect on it, this manager might not have been playing after all. Suffice it to say there was a change at the senior management level soon after, and this manager chose to adopt the position that they had no idea what I was talking about when I asked if the item had been addressed.
It was maddening.
There was more of an impetus on dealing with the CIO's pet project list than on doing the fundamentals correctly. The IRS report from the aforementioned article is analogous to this type of behaviour.
Further from the article,
It too placed fault at the ability of the agency to successfully implement the management reforms of security problems it had already been alerted to or identified.
“An underlying reason for these [security] weaknesses is that IRS has not effectively implemented portions of its information security program,” that report said.
For a security program to be successful there needs to be backing from senior management. They need to support their staff, enable security with the ability to execute, and provide a safe framework for the enterprise to operate within. Security needs to be seen (and act) as a partner within an IT organization instead of an adversary. When IT groups rely on half measures and evasion rather than doing things right the first time, everyone suffers at the whim of the law of unintended consequences. In most cases it is far simpler to fix the problem than to waste energy trying to avoid it.
Security should be seamless. The security team should not be buried so far down the organizational stack that they can't see daylight. IT teams should not strive for mediocrity. Don't approach security issues like an ostrich and bury your head in the sand. Find that common ground and earn your thumbs-up moment.
(Image used under CC from striatic)