
March 19, 2008

GAO Report Points Out Continued Government IT Security Weaknesses

A report (GAO-08-496), which GAO presented to Congress during a hearing several weeks ago, summarized agency progress in performing key control activities, the effectiveness of information security efforts, and opportunities to strengthen security, based upon prior audits, federal policies, and inspectors general reports, according to an article by Jill Aitoro on GovernmentExecutive.com.

In the area of access controls, GAO found that 19 of 24 major agencies reported weaknesses, including failures to identify and authenticate users, to enforce measures ensuring that access is appropriate, to encrypt sensitive data on networks and mobile devices, and to monitor network activity.

In an InformationWeek article, George Hulme writes, "You'd think federal agencies would have clearly heard the message: citizens want their personal information maintained securely and responsibly. And so does the legislature. If they've heard the message, they certainly haven't listened."

The article goes on to state, "At first blush, these results might not seem so bad. After all, 22 of 24 agencies have developed 'policies requiring personally identifiable information to be encrypted on mobile computers and devices.'

That's a start. But the devil is in the implementation and enforcement of policies. Anyone can set a policy requiring data be encrypted. Just as anyone can set a policy to live within a budget, lose weight, quit smoking, or start exercising. Follow-through is the tough part.

And that's the rub here, according to the GAO: 'Gaps in their [federal agency] policies and procedures reduced agencies' ability to protect personally identifiable information from improper disclosure.'

According to an SC Magazine story by Sue Marquette Poremba, "Only two agencies – Treasury and Transportation – meet all the recommendations for compliance, while two others – Small Business Administration and National Science Foundation – met none, the GAO report said."

Given the focus on compliance over the last several years, it is unconscionable to me that two departments could score a complete goose egg on compliance. It is especially unnerving that one is connected to small business and another to science. The Small Business Administration should be leading the way, given the number of members that are likely to have Sarbanes-Oxley issues this coming year and the many who are probably wrestling with PCI compliance. And you'd like to think that scientists would be quick to embrace the kind of technology existing to automate a lot of this process.

The U.S. Congress certainly has plenty of legislation floating around to add further compliance pressures to corporate America. Perhaps it's time they focus on getting their own governmental IT security compliance in order.

Contributed by Mark Tordoff
