Strengthening Information Security Controls
In 2008, GAO reported that major federal agencies continue to experience significant deficiencies in information security controls.
Highlights of GAO-08-571T (PDF)
- Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information, even in the face of growing and evolving threats to information resources.
- Agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
- Agencies did not always patch key servers and workstations in a timely manner.
- Agencies did not always separate duties among different individuals or groups, so that no single individual controlled all aspects of a process or transaction.
- Agencies did not always maintain complete continuity of operations plans for key information systems.
An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs, as required by the Federal Information Security Management Act of 2002 (FISMA) and OMB in its oversight role.
Although agencies have reported progress in implementing information security requirements, dramatic increases in reported incidents involving data loss or theft, computer intrusions, and privacy breaches underscore the need for further improvements.
Highlights of GAO-08-525 (PDF)
What Needs to Be Done
OMB, as part of its oversight role, needs to develop metrics that measure security effectiveness and require agencies to report on results. Further, OMB needs to monitor the effectiveness of the agencies’ encryption implementation plans and efforts to inventory the sensitive information that agencies hold.
Key Reports
- Information Security, GAO-08-525, Jul 28, 2008
- Information Security, GAO-08-1001, Sep 26, 2008