Strengthening Information Security Controls

In 2008, GAO reported that major federal agencies continue to experience significant deficiencies in information security controls.

Highlights of GAO-08-571T (PDF)

  • Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information, even in the face of growing and evolving threats to information resources.
  • Agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
  • Agencies did not always patch key servers and workstations in a timely manner.
  • Agencies did not always assign duties to different individuals or groups, so that one individual did not control all aspects of a process or transaction.
  • Agencies did not always maintain complete continuity of operations plans for key information systems.

An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs, as required by the Federal Information Security Management Act of 2002 (FISMA) and OMB in its oversight role.

Although agencies have reported progress in implementing information security requirements, dramatic increases in reported incidents involving data loss or theft, computer intrusions, and privacy breaches underscore the need for further improvements. 

Highlights of GAO-08-525 (PDF)

What Needs to Be Done

Federal agencies should implement the hundreds of recommendations made by GAO and inspectors general to resolve prior significant control deficiencies and information security program shortfalls.

  • Agencies need to implement controls that prevent, limit, or detect access to computer resources.
  • Agencies should manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
  • Opportunities also exist to enhance policies and practices necessary for implementing sound information security programs. To implement these programs, agencies must create and maintain inventories of major systems, implement common security configurations, ensure staff receive information security training, test and evaluate controls, take remedial actions for known deficiencies, and certify and accredit systems for operation.
  • Agencies also need to implement controls that reduce the chance of incidents involving data loss or theft, computer intrusions, and privacy breaches.

Key Reports

  • Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network (GAO-08-1001, September 9, 2008)
  • Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (GAO-08-525, June 27, 2008)
  • Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks (GAO-08-526, May 21, 2008)
  • Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist (GAO-08-571T, March 12, 2008)
  • Information Security: Protecting Personally Identifiable Information (GAO-08-343, January 25, 2008)
  • Information Security: IRS Needs to Address Pervasive Weaknesses (GAO-08-211, January 8, 2008)

GAO Contact
Gregory C. Wilshusen

Director, Information Technology

wilshuseng@gao.gov

(202) 512-6244