Strengthening Information Security Controls
In 2008, GAO reported that major federal agencies continue to experience significant deficiencies in information security controls.
- Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information, even in the face of growing and evolving threats to information resources.
- Agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
- Agencies did not always patch key servers and workstations in a timely manner.
- Agencies did not always assign duties to different individuals or groups, so that one individual did not control all aspects of a process or transaction.
- Agencies did not always maintain complete continuity of operations plans for key information systems.
An underlying cause of these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs, as required by the Federal Information Security Management Act of 2002 (FISMA) and by OMB in its oversight role.
Although agencies have reported progress in implementing information security requirements, dramatic increases in reported incidents involving data loss or theft, computer intrusions, and privacy breaches underscore the need for further improvements.
What Needs to Be Done
Federal agencies should implement the hundreds of recommendations made by GAO and inspectors general to resolve prior significant control deficiencies and information security program shortfalls.
- Agencies need to implement controls that prevent, limit, or detect access to computer resources.
- Agencies should manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
- Opportunities also exist to enhance policies and practices necessary for implementing sound information security programs. To implement these programs, agencies must create and maintain inventories of major systems, implement common security configurations, ensure staff receive information security training, test and evaluate controls, take remedial actions for known deficiencies, and certify and accredit systems for operation.
- Agencies also need to implement controls that reduce the chance of incidents involving data loss or theft, computer intrusions, and privacy breaches.
Key Reports
- Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network (GAO-08-1001, September 9, 2008; full report 49 pages)
- Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains (GAO-08-525, June 27, 2008; full report 74 pages)
- Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks (GAO-08-526, May 21, 2008; full report 62 pages)
- Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist (GAO-08-571T, March 12, 2008; full report 35 pages)
- Information Security: Protecting Personally Identifiable Information (GAO-08-343, January 25, 2008; full report 34 pages)
- Information Security: IRS Needs to Address Pervasive Weaknesses (GAO-08-211, January 8, 2008; full report 31 pages)