GAO Report on Information Security in Federal Government

October 20, 2011/Frederick Scholl/, ,

Do you think your information is secure within the federal government?  You can make your own decision by reading the recent Information Security assessment by the Government Accountability Office (GAO).  Some observations by GAO are expected, others are disturbing.  Here are some statements that caught my attention:

 

1.  Growth in reported incidents from 2006 to 2010 of 650%.  Will the number of incidents simply overwhelm security staff?

2.  The GAO noted that the IRS has not yet fully implemented required components of its security program.  “…financial and taxpayer information remain unnecessarily vulnerable to insider threats and at increased risk of unauthorized disclosure, modification, or destruction;  financial data are at increased risk of errors that result in misstatement;  and the agency’s management decisions may  be based on unreliable or inaccurate financial information”  A private business operating under SOX compliance, for example, would not be able to survive this type of report.

3. Regarding the FDIC, “…the Federal Deposit Insurance Corporation did not have policies, procedures, and controls in place to ensure the appropriate segregation of incompatible duties, adequately manage the configuration of its financial information systems and update contingency plans.”

4.  Regarding the National Archives and Records Administration, “..the agency did not always protect the boundaries of its networks by ….a firewall, enforce…use of complex passwords, limit users’ access to systems to what was required for them to perform their official duties.”

 

The most disturbing observation by the GAO was that no agency has fully implemented an agencywide security program.  In this case the GAO is referring to a security management program, including framework and activities for assessing risk, developing security procedures and monitoring effectiveness.  This is a basic security management gap, which should be addressed and without which security technology will not be effective.

 

To summarize the report, in the GAO’s words:  “Persistent governmentwide weaknesses in information security controls threaten the confidentiality, integrity, and availability of the information and information systems supporting the operations and assets of federal agencies.”

It seems like we need better security leadership to address these problems, not better technology.

Posted in
Tags: , ,

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.

Book an Appointment for Cybersecurity Issues

Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.

Book an Appointment

More Good Reading

Healthcare: Time to Review Your Cybersecurity Plan

Cybersecurity Thrives in An Organizational Context

The First National Cybersecurity Summit

New Privacy Laws Require Security Professionals Up Their Game

Cybersecurity Workforce Development: Real or Imagined Problem?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58