U.S. Department of State
Released by the Bureau of African Affairs


Review of the Information Security Program at the Department (IT-A-03-15)

In its FY 2003 evaluation of the effectiveness of the Department’s information security program, OIG noted significant improvements since its 2002 report (IT-A-02-06, September 2002), but found several key areas of security that still require senior management attention. The Department recognizes that much more must be done to fully develop its systems security program and to ensure its continuity. It has provided an overview of its management approach to information security in its FY 2003 draft Cyber Security Program Management Plan.

During the first quarter of FY 2003, the Department’s Chief Information Officer (CIO) asked the National Institute of Standards and Technology’s Computer Security Expert Assist Team (CSEAT) to conduct an independent review of its information security program, paying particular attention to what the Department suspected to be its weakest areas. The Department concurred with the CSEAT observations and recommendations and noted in its third-quarter corrective action plan report to the Office of Management and Budget (OMB) that it would take action to implement each of CSEAT’s 17 recommendations. OIG also found that the Department had developed, and was implementing, a systems authorization plan to provide certification and accreditation for its new and existing major applications and general support systems.

However, OIG noted several areas that still require senior management attention. There was a material weakness in internal controls over the Department’s financial management system, and a plan of action and milestones process to correct this material weakness has not been reported to OMB in the quarterly corrective action plans. The CIO stated in comments on a draft of this report that major elements of the auditor findings are represented in different parts of the plan of action and milestones process. OIG notes, however, that a comprehensive plan of action and milestones process addressing all aspects of the material weakness has not been developed. Although a number of building blocks for a Department IT security program are being developed, they are still immature and cannot yet serve as management tools.

Also, even though the Diplomatic Security Training Center and the Foreign Service Institute each track training separately, OIG found that the Department does not centrally track training for personnel with significant responsibilities for information and information systems security. Some overseas missions that OIG visited while conducting IT inspections had developed mission-wide information systems security plans; nevertheless, OIG’s technical evaluations identified several weaknesses in mission information security management and in technical and operational controls.

The results of OIG’s two surveys were mixed, showing both improvements and setbacks from the previous year. In the first survey, for example, bureaus reported that in FY 2003, 77 percent of their applications had security-level determinations (up from 72 percent in FY 2002). However, only 3 percent of applications had security plans (down from 15 percent in FY 2002). From the second survey, OIG learned that all five selected systems had a security-level determination, but none had been certified and accredited.

This report presents the results of OIG’s evaluation work in assessing the security of the Department’s IT resources. Several recommendations that OIG made to correct the deficiencies identified in this evaluation either were already made in prior reports or will be made in reviews currently under way. The two recommendations contained in this report reflect the importance of completing the identification, documentation, and linkage of the IT security work currently under way within the Department.

The Department agrees with the findings and recommendations of the report and reiterated its commitment to a continued emphasis on cyber security in order to fully develop the initiatives it has undertaken.
