I'm not sure what a "control weakness" is, but if only 328 were found, someone ought to consider expanding the scope a little. When I build a large JS project, I usually see that many vulnerabilities in ONE project - never mind 50 local government entities. Open question to any 'local government' IT employees: Do YOU think your shit is modern, up-to-date, and secure?
A "control weakness" means there are controls in the ICS (Internal Control System) that do not do their job. Controls are how an organization makes sure things are done right on the risk-management level. For example, a control could be "Backups are tested with a real restore test once a year" or "The process to detect attacks is reviewed and updated once a year". With defective controls ("weakness" is a euphemism here) things may still be done right, but it is rather unlikely. To make matters worse, with
Reading the linked article on ZDNet, it includes a graphic from Western Australia's Office of the Auditor General which highlights 11 entities with the caption, "None of the 11 entities met our benchmark for information security".
Well, okay... But the same graphic includes the Capability Maturity Model scale on its vertical axis. That's as much a process or capability assessment framework as opposed to being purely specific to software vulnerabilities.
It does go on to say that, "nearly half of the 328 weakn
Jesus Oz, get with the plan.
I doubt there would be more vulnerabilities in those systems than those that are unboxed and put on the net every day.