Strengthening Information Security Controls

In 2008, GAO reported that major federal agencies continue to experience significant deficiencies in information security controls.

Highlights of GAO-08-571T (PDF)

  • Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information, even in the face of growing and evolving threats to information resources.
  • Agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
  • Agencies did not always patch key servers and workstations in a timely manner.
  • Agencies did not always segregate duties among different individuals or groups, so that a single individual could control all aspects of a process or transaction.
  • Agencies did not always maintain complete continuity of operations plans for key information systems.

An underlying cause of these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs, as required by the Federal Information Security Management Act of 2002 (FISMA) and by OMB in its oversight role.

Although agencies have reported progress in implementing information security requirements, dramatic increases in reported incidents involving data loss or theft, computer intrusions, and privacy breaches underscore the need for further improvement.

Highlights of GAO-08-525 (PDF)

What Needs to Be Done

Federal agencies should implement the hundreds of recommendations made by GAO and inspectors general to resolve prior significant control deficiencies and information security program shortfalls.

  • Agencies need to implement controls that prevent, limit, or detect access to computer resources.
  • Agencies should manage the configuration of network devices to prevent unauthorized access and ensure system integrity.
  • Opportunities also exist to enhance policies and practices necessary for implementing sound information security programs. To implement these programs, agencies must create and maintain inventories of major systems, implement common security configurations, ensure staff receive information security training, test and evaluate controls, take remedial actions for known deficiencies, and certify and accredit systems for operation.
  • Agencies also need to implement controls that reduce the chance of incidents involving data loss or theft, computer intrusions, and privacy breaches.

Key Reports

GAO Contact

Gregory C. Wilshusen

Director, Information Technology

wilshuseng@gao.gov

(202) 512-6244