Information Security: Improvements Needed in Treasury's Security Management Program

GAO-04-77 November 14, 2003

Summary

The Department of the Treasury relies heavily on information systems and on the public's trust in its work. Information security is therefore critical to Treasury operations. In support of its annual audit of the government's financial statements, GAO assessed the effectiveness of (1) Treasury's information security controls in protecting the confidentiality, integrity, and availability of the department's systems and data and (2) Treasury's implementation of its departmentwide information security program. In assessing the adequacy of Treasury's information security program, GAO focused on the effectiveness of its departmentwide policies and processes rather than on bureau-specific directives and guidance.

The Department of the Treasury and its key bureaus have not consistently implemented information security controls to protect the confidentiality, integrity, and availability of their information systems and data. Several bureaus have reported effective controls over their systems. However, longstanding information security weaknesses in access and software change controls, segregation of duties, and service continuity have been consistently identified at certain key Treasury bureaus, such as IRS and the Financial Management Service. Weaknesses at these bureaus place the sensitive information managed by the bureaus at increased risk of unauthorized access, use, disclosure, disruption, modification, or destruction.

Moreover, bureaus have not consistently implemented key information security requirements. An analysis of performance data for the 11 Treasury bureaus that reported on these requirements for fiscal years 2002 and 2003 reveals that most Treasury systems did not meet certain key information security requirements in fiscal year 2003 and that the percentage of systems that meet certain requirements has decreased from fiscal year 2002.

The information security weaknesses and inconsistent implementation of security controls at Treasury bureaus exist, in part, because Treasury's departmentwide security program, while evolving, has not yet been fully institutionalized across the entire department. During fiscal year 2003, Treasury launched or expanded several initiatives to implement key elements of its program. However, additional actions are needed to effectively and consistently implement information security controls throughout the department.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Robert F. Dacey
Team: Government Accountability Office: Information Technology
Phone: (202) 512-3317

Recommendations for Executive Action

Recommendation: To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to assess the staffing and resource requirements for performing the department's oversight and compliance efforts to ensure that departmental information security policies are effectively and consistently implemented throughout the organization.

Agency Affected: Department of the Treasury

Status: Implemented

Comments: In March 2007, GAO verified that Treasury, in response to an OMB request and GAO's recommendation, had performed an information technology workforce analysis. This analysis assessed staff and resource requirements and described efforts to ensure that the department's information security policies are effectively implemented across the agency.

Recommendation: To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to designate a senior agency information security officer.

Agency Affected: Department of the Treasury

Status: Implemented

Comments: GAO verified in March 2007 that Treasury, in response to GAO's recommendation and as required by the Federal Information Security Management Act of 2002, had designated a senior agency information security officer.

Recommendation: To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to examine existing reporting processes and implement procedures to enhance the reliability and completeness of the bureau-provided information required for day-to-day management of information security.

Agency Affected: Department of the Treasury

Status: Implemented

Comments: In March 2007, GAO verified that Treasury had, in response to GAO's recommendation, implemented an automated tool to assist the agency's bureaus in their efforts to provide security data that is thorough and reliable.