GOVERNMENT SECURITY: SENSITIVE DATA REMAINS AT RISK
For many years, the Government Accounting Office has reported that weaknesses in information security are a widespread problem with potentially devastating consequences --such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information -- and has identified information security as a governmentwide high-risk issue.
Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies.
In its testimony, GAO discussed security incidents reported at federal agencies, the continued weaknesses in information security controls at major federal agencies, agencies' progress in performing key control activities, and opportunities to enhance FISMA reporting and independent evaluations.
Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes.
The wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches underscore the need for improved security practices.
As illustrated by these security incidents, significant weaknesses in information security controls threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of federal agencies. Almost all of the major federal agencies had weaknesses in one or more areas of information security controls.
Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. For example, agencies did not consistently identify and authenticate users to prevent unauthorized access, apply encryption to protect sensitive data on networks and portable devices, and restrict physical access to information assets.
In addition, agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, such as patching key servers and workstations in a timely manner; assign incompatible duties to different individuals or groups so that one individual does not control all aspects of a process or transaction; and maintain or test continuity of operations plans for key information systems.
An underlying cause for these weaknesses is that agencies have not fully or effectively implemented agencywide information security programs.
federal agencies have continued to report steady progress in implementing
certain information security requirements. However, IGs at several
agencies sometimes disagreed with the agency's reported information
and identified weaknesses in the processes used to implement these
and other security program activities. Further, opportunities exist
to enhance reporting under FISMA and the independent evaluations completed
© 2007 Jim Kouri- All
E-Mails are used strictly for NWVs alerts, not for sale
Jim Kouri, CPP is currently fifth vice-president of the National Association of Chiefs of Police. He's former chief at a New York City housing project in Washington Heights nicknamed "Crack City" by reporters covering the drug war in the 1980s. He's also served on the National Drug Task Force and trained police and security officers throughout the country.
He writes for many police and crime magazines including Chief of Police, Police Times, The Narc Officer, Campus Law Enforcement Journal, and others. He's appeared as on-air commentator for over 100 TV and radio news and talk shows including Oprah, McLaughlin Report, CNN Headline News, MTV, Fox News, etc. His book Assume The Position is available at Amazon.Com, Booksamillion.com, and can be ordered at local bookstores.
Most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.