(Infocon will resume tomorrow as normal. (I have been abroad and just returned today). The report below is well worth a read, even though it does not really contain anything new. By the way, I would also recommend reading my all-time favourite GAO InfoSec report, titled 'Information Security Management: Learning From Leading Organizations' from May 1998, which is available at http://www.gao.gov/archive/1998/ai98068.pdf and which is really well done. WEN)
Computer Security: Progress Made, but Critical Federal Operations and Assets Remain at Risk, by Robert F. Dacey, Director, Information Security, before the Subcommittee on Government Efficiency, Financial Management, and International Relations, House Committee on Government Reform. GAO-03-303T, November 19. http://www.gao.gov/cgi-bin/getrpt?GAO-03-303T

Although GAO's current analyses of audit and evaluation reports for the 24 major departments and agencies issued from October 2001 to October 2002 indicate some individual agency improvements, overall they continue to highlight significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. GAO identified significant weaknesses in each of the 24 agencies in each of the six major areas of general controls. As in 2000 and 2001, weaknesses were most often identified in the control areas of security program management and access controls. All 24 agencies had weaknesses in security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented (see figure below for list of major weaknesses).

Implementation of the Government Information Security Reform provisions ("GISRA") is proving to be a significant step in improving federal agencies' information security programs. It has also prompted the administration to take important actions to address information security, such as integrating security into the President's Management Agenda Scorecard. However, GISRA is scheduled to expire on November 29, 2002. GAO believes that continued authorization of such important information security legislation is essential to sustaining agencies' efforts to identify and correct significant weaknesses.
In addition to reauthorizing this legislation, there are a number of important steps that the administration and the agencies should take to ensure that information security receives appropriate attention and resources and that known deficiencies are addressed. These steps include delineating the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection; providing more specific guidance on the controls agencies need to implement; obtaining adequate technical expertise to select, implement, and maintain controls to protect information systems; and allocating sufficient agency resources for information security.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk