U.S. GAO - Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges

U.S. GAO - Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges: To protect against cyber threats, federal agencies should incorporate key practices in their cybersecurity risk management programs.These key practices include:Designating a cybersecurity risk executiveDeveloping a risk management strategy and policiesAssessing cyber risksCoordinating between cybersecurity and enterprise-wide risk management functionsAll but one of the 23 agencies we reviewed designated a risk executive. However, none of these agencies fully incorporated the other key practices into their programs.We made 58 recommendations to federal agencies to help improve their cybersecurity risk management programs.codeKey practices for establishing an agency-wide cybersecurity risk management program include designating a cybersecurity risk executive, developing a risk management strategy and policies to facilitate risk-based decisions, assessing cyber risks to the agency, and establishing coordination with the agency's enterprise risk management (ERM) program.