(Infocon will resume tomorrow as normal. (I have been abroad and just
returned today). The report below is well worth a read, even though it
does not really contain anything new. By the way, I would also recommend
reading my all time favourite GAO InfoSec report titled 'Information
Management Learning From Leading Organizations' from May 1998 which is
available at http://www.gao.gov/archive/1998/ai98068.pdf and which is
really well done. WEN)  

Computer Security:  Progress Made, but Critical Federal Operations and
Assets Remain at Risk, by Robert F. Dacey, director, information
security, before the Subcommittee on Government Efficiency, Financial
Management, and International Relations, House Committee on Government
Reform.  GAO-03-303T, November 19. 

Although GAO's current analyses of audit and evaluation reports for the
major departments and agencies issued from October 2001 to October 2002
indicate some individual agency improvements, overall they continue to
highlight significant information security weaknesses that place a broad
array of federal operations and assets at risk of fraud, misuse, and
disruption. GAO identified significant weaknesses in each of the 24
agencies in each of the six major areas of general controls. As in 2000 and 2001,
weaknesses were most often identified in control areas for security
management and access controls. All 24 agencies had weaknesses in
program management, which provides the framework for ensuring that risks
are understood and that effective controls are selected and properly
implemented (see figure below for list of major weaknesses).

Implementation of the Government Information Security Reform provisions
("GISRA") is proving to be a significant step in improving federal
information security programs. It has also prompted the administration
to take important actions to address information security, such as
integrating security into the President's Management Agenda Scorecard. However,
GISRA is scheduled to expire on November 29, 2002. GAO believes that
continued authorization of such important information security
legislation is essential to sustaining agencies' efforts to identify and
correct significant weaknesses.

In addition to reauthorizing this legislation, there are a number of
important steps that the administration and the agencies should take to
ensure that information security receives appropriate attention and
resources and that known deficiencies are addressed. These steps include
delineating the roles and responsibilities of the numerous entities
involved in federal information security and related aspects of critical
infrastructure protection; providing more specific guidance on the
controls agencies need to implement; obtaining adequate technical
expertise to select, implement, and maintain controls to protect
information systems; and allocating sufficient agency resources for
information security.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site