Date: 2022-02-22

There are deficiencies in the hardware and software infrastructure used for the cyber defense of the Ministry of National Defense (Sedena), which put at risk the operation of the agency headed by Luis Cresencio Sandoval.

This is the conclusion of a review by the Superior Audit of the Federation (ASF), which warns that the deficiencies found could affect the integrity, availability and confidentiality of the information handled by the Sedena.

The ASF said that it reached this conclusion after reviewing the information provided by Sedena related to the administration and operation of the Secretariat's cybersecurity controls.

It explained that the guidelines, infrastructure and computer tools in this area were analyzed. For this, the document Center for Internet Security (CIS) Controls IS Audit/Assurance Program was used.

That document establishes 20 controls, made up of 171 activities, for evaluating and identifying the cyber defense strategies, policies, procedures and controls implemented in the Sedena.

The ASF said that the analysis identified that only two controls are acceptable, four need to be strengthened and 14 lack control.

It pointed out that, in relation to the response to and management of cybersecurity incidents, it was detected that the Sedena lacks a defined cybersecurity incident response procedure.

It added that no evidence was presented to prove that the Secretary of National Defense has communication with organizations, authorities, a computer emergency response team or any other group in order to notify them of vulnerabilities or incidents of great importance.

Likewise, the audit pointed out that tests of cybersecurity incident scenarios are not carried out with the users of the Sedena in order to validate that the response strategy defined by the agency is adequate and sufficient in the event of a contingency.

There was no evidence of penetration tests or red team exercises carried out to identify unprotected information and devices, nor of the documentation of and follow-up on what was reported in those tests, it explained.