Information Security: Big Gaps Remain

Federal agencies have reported mixed progress in securing their systems and implementing key security activities, according to a report issued late last week by the Government Accountability Office (GAO).
The report, titled INFORMATION SECURITY: Concerted Response Needed to Resolve Persistent Weaknesses, assesses the status of federal agencies’ efforts to secure information systems and opportunities to enhance federal cybersecurity.
“In fiscal year 2009,” the report says, “agencies collectively reported an increasing percentage of personnel receiving security awareness training and specialized security training, but a decreasing rate of implementation for other key activities when compared to fiscal year 2008.” In addition, it adds, “federal systems continued to be afflicted by persistent control weaknesses.”
An underlying cause for information security weaknesses, according to the report, is that agencies have not yet fully or effectively implemented key elements of an agencywide information security program, as required by the Federal Information Security Management Act (FISMA). As a result, they may be at increased risk of unauthorized disclosure, modification, and destruction of information or disruption of mission critical operations. Such risks are illustrated, in part, by the increasing number of security incidents experienced by federal agencies.
The report cites several examples of such incidents.
At least 13 inspectors general, it says, reported that their agencies had insecure configuration settings, or had not applied needed patches in a timely manner, or both. In addition, at least 15 inspectors general reported that their agency did not adequately assess security controls such as those recommended by the National Institute of Standards and Technology (NIST).
Consequently, according to the report, a broad array of federal information and systems remain at risk. For instance, the information security program for the classified computer network at the Los Alamos National Laboratory (LANL) has not been fully implemented. Specifically, the report found, risk assessments were not comprehensive, specific guidance was missing from policies and procedures, the training and awareness program did not adequately address specialized training needs for individuals with significant network security responsibilities, and system security plans were incomplete.
The report explains that a concerted response to safeguarding federal systems includes several components.
First, agencies can take action to resolve specific security weaknesses, federal law and guidance can be strengthened, and continued effort can be made on governmentwide security initiatives.
GAO also recommended that agencies fully implement comprehensive, agencywide information security programs, including by correcting weaknesses in specific areas of their programs such as assessments of the risk to information systems, information security policies and procedures, planning for interruptions to information system processing, and training personnel in awareness of security policies and procedures. Also recommended are periodic tests and evaluations of the effectiveness of information system controls and the implementation of plans of action to remediate information security weaknesses.
In addition, it says, “agencies can also increase their efficiency in securing and monitoring networks by expanding their use of automated tools as part of their monitoring programs for performing certain security-related functions.”
“Because federal computing environments are very large, complex, and geographically dispersed, often consisting of tens or hundreds of thousands of devices,” it adds, “increasing automation of key security processes can assist in the efficient and effective implementation of key controls across the entire enterprise.”


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
