U.S. Government Accountability OfficeFrom time to time the U.S. GAO issues reports related to computer and network security, you can find and read about them here.

GAO's Cybersecurity Key Issues

  1. INFORMATION SECURITY: IRS needs to continue improving controls over financial and taxpayer data GAO-15-337, March, 2015
  • The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses limit their effectiveness in protecting the confidentiality, integrity and availability of financial and sensitive taxpayer data. During fiscal year 2014, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were improving the security over the software that manages changes to its mainframe environment and upgrading secure communications enterprise-wide for sensitive data. However, significant control deficiencies existed. For example, IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting. In addition, IRS did not effectively maintain the secure configuration of a key application, or appropriately segregate duties by allowing a developer unnecessary access to the application.

  • An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program were not yet effectively implemented. For example, IRS's testing methodology did not always determine whether required controls were operating effectively; consequently, GAO continued to identify control weaknesses that had not been detected by IRS. Also, IRS had not updated key mainframe policies and procedures to address issues such as comprehensively auditing and monitoring of access, thereby increasing the risk of unauthorized access to tax processing systems not being detected. In addition, IRS did not reassess controls for a key system after significant changes had been made in the operating environment. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, of 69 previously reported weaknesses that remained unresolved at the end of GAO's last audit, IRS indicated it had implemented corrective actions for 24 of them; however, GAO determined that 10 of the 24 weaknesses had not been fully resolved.
  • Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2014.
  1. INFORMATION SECURITY: Agencies Need to Improve Cyber Incident Response Practices GAO-14-354, May 30, 2014

  • Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken. Although all 6 selected agencies that GAO reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. In addition, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies' cyber incident response practices. Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents.

  • DHS and a component, the United States Computer Emergency Readiness Team (US-CERT), offer services that assist agencies in preparing to handle cyber incidents, maintain awareness of the current threat environment, and deal with ongoing incidents. Officials from the 24 agencies GAO surveyed said that they were generally satisfied with the assistance provided, and made suggestions to make the services more useful, such as improving reporting requirements. Although US-CERT receives feedback from agencies to improve its services, it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies. Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents.
  1. INFORMATION SECURITY: SEC Needs to Improve Controls over Financial Systems and Data GAO-14-419, April 17, 2014
  • Although the Securities and Exchange Commission (SEC) had implemented and made progress in strengthening information security controls, weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system. For this system's network, servers, applications, and databases, weaknesses in several controls were found, as the following examples illustrate:
    • Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission's networks, systems, and databases; and restrict physical access to sensitive assets.
    • Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
    • Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system's production servers.
    • Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.

  • The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location. Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.
    Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption. These weaknesses, considered collectively, contributed to GAO's determination that SEC had a significant deficiency in internal control over financial reporting for fiscal year 2013.
  1. INFORMATION SECURITY: Federal Agencies Need to Enhance Responses to Data Breaches GAO-14-487T, April 2, 2014
    • As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security program, which is essential for securing agency systems and the information they contain—including PII. Specifically, agencies have had mixed results in addressing the eight components of an information security program called for by law, and most agencies had weaknesses in implementing specific security controls. GAO and inspectors general have continued to make recommendations to strengthen agency policies and practices.
      In December 2013, GAO reported on agencies' responses to PII data breaches and found that they were inconsistent and needed improvement. Although selected agencies had generally developed breach-response policies and procedures, their implementation of key practices called for by Office of Management and Budget (OMB) and National Institute of Standards and Technology guidance was inconsistent. For example:
      • only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches; two agencies documented the number of affected individuals for each incident; and two agencies notified affected individuals for all high-risk breaches.
      • the seven agencies did not consistently offer credit monitoring to affected individuals;
      • none of the seven agencies consistently documented lessons learned from their breach responses.

    • Incomplete guidance from OMB contributed to this inconsistent implementation. For example, OMB's guidance does not make clear how agencies should use risk levels to determine whether affected individuals should be notified. In addition, the nature and timing of reporting requirements may be too stringent.
  1. Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent GAO-14-34, Dec 9, 2013
      • The eight federal agencies GAO reviewed generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII) that addressed key practices specified by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology. The agencies reviewed generally addressed key management and operational practices in their policies and procedures, although three agencies had not fully addressed all key practices. For example, the Department of the Army (Army) had not specified the parameters for offering assistance to affected individuals. In addition, the implementation of key operational practices was inconsistent across the agencies. The Army, VA, and the Federal Deposit Insurance Corporation had not documented how risk levels had been determined and the Army had not offered credit monitoring consistently. Further, none of the agencies we reviewed consistently documented the evaluation of incidents and resulting lessons learned. Incomplete guidance from OMB contributed to this inconsistent implementation. As a result, these agencies may not be taking corrective actions consistently to limit the risk to individuals from PII-related data breach incidents.
        According to agency officials, the Department of Homeland Security's (DHS) role of collecting information and providing assistance on PII breaches, as currently defined by federal law and policy, has provided few benefits. OMB's guidance to agencies requires them to report each PII-related breach to DHS's U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery. However, complete information from most incidents can take days or months to compile; therefore preparing a meaningful report within 1 hour can be infeasible. US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful. Likewise, US-CERT officials said they have little use for case-by-case reports of certain kinds of data breaches, such as those involving paper-based PII, because they considered such incidents to pose very limited risk. Also, the agencies GAO reviewed have not asked for assistance in responding to PII-related incidents from US-CERT, which has expertise focusing more on cyber-related topics. As a result, these agencies may be expending resources to meet reporting requirements that provide little value and divert time and attention from responding to breaches.
  2. INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses GAO-13-350, Mar 15, 2013

    • IRS continued to make progress in addressing information security control weaknesses, improving its internal control over financial reporting. During fiscal year 2012, IRS management devoted attention and resources to addressing information security controls, and resolved a significant number of the information security control deficiencies that GAO previously reported. Notable among these efforts were the (1) formation of cross-functional working groups tasked with the identification and remediation of specific at-risk control areas, (2) improvement in controls over the encryption of data transferred between accounting systems, and (3) upgrades to critical network devices on the agency's internal network system. However, serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data. For example, the agency had not always (1) implemented effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers; (2) appropriately restricted access to its mainframe environment; (3) effectively monitored the mainframe environment; or (4) ensured that current patches had been installed on systems to protect against known vulnerabilities.
      An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program, and continued to make strides with various initiatives designed to improve its controls; however, certain components of the program did not always function as intended. For example, IRS's testing procedures over a financial reporting system that GAO reviewed did not always determine whether required controls were operating effectively and consequently, GAO identified control weaknesses that had not been detected by IRS. In addition, the agency had not updated an important policy concerning security standards for IRS's main tax processing environment to include current software versions and control capabilities. Further, although IRS indicated that it had addressed 58 of the previous information system security-related recommendations GAO made, 13 (about 22 percent) of the 58 had actually not yet been fully resolved. Continued and consistent management commitment and attention to an effective information security program will be essential to the maintenance of, and continued improvements in, its information system controls. Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected. These deficiencies, along with shortcomings in the information security program, were the basis of GAO's determination that IRS had a significant deficiency in its internal control over financial reporting systems for fiscal year 2012.
  3. National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented GAO-13-187, Feb 14, 2013

    • Threats to systems supporting critical infrastructure and federal operations are evolving and growing. Federal agencies have reported increasing numbers of cybersecurity incidents that have placed sensitive information at risk, with potentially serious impacts on federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information. The increasing risks are demonstrated by the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. The number of incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team has increased 782 percent from 2006 to 2012.
  4. Actions Needed by Census Bureau to Address Weaknesses GAO-13-63, Jan 22, 2013

    • Although the Census Bureau has taken steps to safeguard the information and systems that support its mission, it has not effectively implemented appropriate information security controls to protect those systems. Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems (access controls). For example, the bureau did not adequately: control connectivity to key network devices and servers; identify and authenticate users; limit user access rights and permissions to only those necessary to perform official duties; encrypt data in transmission and at rest; monitor its systems and network; or ensure appropriate physical security controls were in place. Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion.
      In addition to access controls, implementing other important security controls including policies, procedures, and techniques to implement system configurations and plan for and manage unplanned events (contingency planning) helps to ensure the confidentiality, integrity, and availability of information and systems. While the Census Bureau had documented policies and procedures for managing and implementing configuration management controls, key communication systems were not securely configured and did not have proper encryption. Further, while the bureau has taken steps to implement guidance for contingency planning such as developing plans for mitigating disruptions to its primary data center through the use of emergency power, fire suppression, and storing backup copies of data for its critical systems offsite at a secured location, it only partially satisfied other requirements for contingency planning such as distributing the plan to key personnel and identifying potential weaknesses during disaster testing. Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished.
      An underlying reason for these weaknesses is that the Census Bureau has not fully implemented a comprehensive information security program to ensure that controls are effectively established and maintained. Specifically, the Census Bureau had begun implementing a new risk management framework with a goal of better management visibility of information security risks, but the framework did not fully document identified information security risks. Also, the bureau had not updated certain security management program policies, adequately enforced user requirements for security and awareness training, and implemented policies and procedures for incident response. Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.
  5. Improvements Needed in SEC's Internal Controls and Accounting Procedures GAO-12-424R, Apr 13, 2012

    • n our audit of SEC’s fiscal years 2011 and 2010 financial statements, we identified four significant deficiencies in internal control as of September 30, 2011. These significant internal control deficiencies represent continuing deficiencies concerning controls over (1) information systems (emphasis added), (2) financial reporting and accounting processes, (3) budgetary resources, and (4) registrant deposits and filing fees. These significant control deficiencies may adversely affect the accuracy and completeness of information used and reported by SEC’s management. We are making a total of 10 new recommendations to address these continuing significant internal control deficiencies.
  6. CYBERSECURITY: Threats Impacting the Nation GAO-12-666T, Apr 24, 2012

    • The nation faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Moreover, potential threat actors have a variety of attack techniques at their disposal, which can adversely affect computers, software, a network, an organization’s operation, an industry, or the Internet itself. The nature of cyber attacks can vastly enhance their reach and impact due to the fact that attackers do not need to be physically close to their victims and can more easily remain anonymous, among other things. The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations.
      The threat posed by cyber attacks is heightened by vulnerabilities in federal systems and systems supporting critical infrastructure. Specifically, significant weaknesses in information security controls continue to threaten the confidentiality, integrity, and availability of critical information and information systems supporting the operations, assets, and personnel of federal government agencies. For example, 18 of 24 major federal agencies have reported inadequate information security controls for financial reporting for fiscal year 2011, and inspectors general at 22 of these agencies identified information security as a major management challenge for their agency. Moreover, GAO, agency, and inspector general assessments of information security controls during fiscal year 2011 revealed that most major agencies had weaknesses in most major categories of information system controls. In addition, GAO has identified vulnerabilities in systems that monitor and control sensitive processes and physical functions supporting the nation’s critical infrastructures. These and similar weaknesses can be exploited by threat actors, with potentially severe effects.
      The number of cybersecurity incidents reported by federal agencies continues to rise, and recent incidents illustrate that these pose serious risk. Over the past 6 years, the number of incidents reported by federal agencies to the federal information security incident center has increased by nearly 680 percent. These incidents include unauthorized access to systems; improper use of computing resources; and the installation of malicious software, among others. Reported attacks and unintentional incidents involving federal, private, and infrastructure systems demonstrate that the impact of a serious attack could be significant, including loss of personal or sensitive information, disruption or destruction of critical infrastructure, and damage to national and economic security.
  7. INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data GAO-12-393, Mar 16, 2012

    • IRS implemented numerous controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems. Specifically, the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.
      An underlying reason for these weaknesses is that IRS has not fully implemented a comprehensive information security program. IRS has established a comprehensive framework for such a program, and has made strides to address control deficiencies—such as establishing working groups to identify and remediate specific at-risk control areas; however, it has not fully implemented all key components of its program. For example, IRS’s security testing and monitoring continued to not detect many of the vulnerabilities GAO identified during this audit. IRS also did not promptly correct known vulnerabilities. For example, the agency indicated that 76 of the 105 previously reported weaknesses open at the end of GAO’s prior year audit had not yet been corrected. In addition, IRS did not always validate that its actions to resolve known weaknesses were effectively implemented. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. Of the 29 weaknesses IRS indicated were corrected, GAO determined that 13 (about 45 percent) had not yet been fully addressed.
      Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS's assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.
  8. INFORMATION SECURITY: Weaknesses Continue Amid New Federal Efforts to Implement Requirements GAO-12-137, Oct 3, 2011

    • For many years, GAO has reported that weaknesses in information security can lead to serious consequences--such as intrusions by malicious individuals, compromised networks, and the theft of sensitive information including personally identifiable information--and has identified information security as a governmentwide high-risk area. The Federal Information Security Management Act of 2002 (FISMA) established information security program, evaluation, and annual reporting requirements for federal agencies. The act requires the Office of Management and Budget (OMB) to oversee and report to Congress on agency information security policies and practices, including agencies' compliance with FISMA. FISMA also requires that GAO periodically report to Congress on (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) agencies' implementation of FISMA requirements. To do this, GAO analyzed information security-related reports and data from 24 major federal agencies, their inspectors general, OMB, and GAO.
      Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk. Consistent with this risk, reports of security incidents from federal agencies are on the rise, increasing over 650 percent over the past 5 years. Each of the 24 agencies reviewed had weaknesses in information security controls. An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs. As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise. In reports for fiscal years 2010 and 2011, GAO and agency inspectors general have made hundreds of recommendations to agencies for actions necessary to resolve control deficiencies and information security program shortfalls. Agencies generally agreed with most of GAO's recommendations and indicated that they would implement them. OMB, agencies, and the National Institute of Standards and Technology took actions intended to improve the implementation of security requirements, but more work is necessary. Beginning in fiscal year 2009, OMB provided agencies with a new online tool to report their information security postures and, in fiscal year 2010, instituted the use of new and revised metrics. Nevertheless, OMB's guidance for those metrics did not always provide performance targets for measuring improvement. In addition, weaknesses were identified in the processes agencies used to implement requirements. Specifically, agencies did not always ensure (1) personnel with significant responsibilities received training; (2) security controls were monitored continuously; (3) weaknesses were remediated effectively; and (4) incidents were resolved in a timely manner, among other areas. Until hundreds of recommendations are implemented and program weaknesses are corrected, agencies will continue to face challenges in securing their information and information systems. GAO is recommending that the Director of OMB provide performance targets for metrics included in OMB's annual FISMA reporting instructions to agencies and inspectors general. OMB stated it was more appropriate for those targets to be included in the performance metrics that are now issued separately by the Department of Homeland Security. GAO agrees that this meets the intent of its recommendation.
  9. INFORMATION SECURITY: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data GAO-11-708, Aug 12, 2011

    • The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. Because of the importance of FDIC's work, effective information security controls are essential to ensure that the corporation's systems and information are adequately protected from inadvertent misuse, fraudulent use, or improper disclosure. As part of its audits of the 2010 financial statements of the Deposit Insurance Fund and the Federal Savings & Loan Insurance Corporation Resolution Fund administrated by FDIC, GAO assessed the effectiveness of the corporation's controls in protecting the confidentiality, integrity, and availability of its financial systems and information. To perform the audit, GAO examined security policies, procedures, reports, and other documents; tested controls over key financial applications; and interviewed key FDIC personnel.
      Although FDIC had implemented numerous controls in its systems, it had not always implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. FDIC has implemented controls to detect and change default user accounts and passwords in vendor-supplied software, restricted access to network management servers, developed and tested contingency plans for major systems, and improved mainframe logging controls. However, the corporation had not always (1) required strong passwords on financial systems and databases; (2) reviewed user access to financial information in its document sharing system in accordance with policy; (3) encrypted financial information transmitted over and stored on its network; and (4) protected powerful database accounts and privileges from unauthorized use. In addition, other weaknesses existed in FDIC's controls that were intended to appropriately segregate incompatible duties, manage system configurations, and implement patches. An underlying reason for the information security weaknesses is that FDIC had not always implemented key information security program activities. To its credit, FDIC had developed and documented a security program and had completed actions to correct or mitigate 26 of the 33 information security weaknesses that were previously identified by GAO. However, the corporation had not assessed risks, documented security controls, or performed periodic testing on the programs and data used to support the estimates of losses and costs associated with the servicing and disposal of the assets of failed institutions. Additionally, FDIC had not always implemented its policies for restricting user access or for monitoring the progress of security patch installation. Because FDIC had made progress in correcting or mitigating previously reported weaknesses and had implemented compensating management and reconciliation controls during 2010, GAO concluded that FDIC had resolved the significant deficiency in internal control over financial reporting related to information security reported in GAO's 2009 audit, and that the remaining unresolved issues and the new issues identified did not individually or collectively constitute a material weakness or significant deficiency in 2010. However, if left unaddressed, these issues will continue to increase FDIC's risk that its sensitive and financial information will be subject to unauthorized disclosure, modification, or destruction. GAO recommends that FDIC take two actions to enhance its comprehensive information security program. In commenting on a draft of this report, FDIC discussed actions that it has taken or plans to take to address these recommendations.
  10. INFORMATION SECURITY: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain GAO-11-149, Jul 8, 2011

    • The Department of State (State) has implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of its information technology (IT) infrastructure. Continuous monitoring can facilitate nearer real-time risk management and represents a significant change in the way information security activities have been conducted in the past. GAO was asked to determine (1) the extent to which State has identified and prioritized risk to the department in its risk scoring program; (2) how agency officials use iPost information to implement security improvements; (3) the controls for ensuring the timeliness, accuracy, and completeness of iPost information; and (4) the benefits and challenges associated with implementing iPost. To do this, GAO analyzed program documentation and compared it to relevant standards, interviewed and surveyed department officials, and performed analyses on iPost data.
      State has developed and implemented a risk scoring program that identifies and prioritizes several but not all areas affecting information security risk. Specifically, the scope of iPost's risk scoring program (1) addresses Windows hosts but not other IT assets on its major unclassified network; (2) covers a set of 10 scoring components that includes many, but not all, information system controls that are intended to reduce risk; and (3) assigns a score for each identified security weakness, although State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment. As a result, the iPost risk scoring program helps to identify, monitor, and prioritize the mitigation of vulnerabilities and weaknesses for the areas it covers, but it does not provide a complete view of the information security risks to the department. State officials reported they used iPost to (1) identify, prioritize, and fix Windows vulnerabilities that were reported in iPost and (2) to implement other security improvements at their sites. For example, more than half of the 40 survey respondents said that assigning a numeric score to each vulnerability identified and each component was very or moderately helpful in their efforts to prioritize vulnerability mitigation. State has implemented several controls aimed at ensuring the timeliness, accuracy, and completeness of iPost information. For example, State employed the use of automated tools and collection schedules that support the frequent collection of monitoring data, which helps to ensure the timeliness of iPost data. State also relies on users to report when inaccurate and incomplete iPost data and scoring are identified, so they may be investigated and corrected as appropriate. Notwithstanding these controls, the timeliness, accuracy, and completeness of iPost data were not always assured. For example, several instances existed where iPost data were not updated as frequently as scheduled, inconsistent, or incomplete. As a result, State may not have reasonable assurance that data within iPost are accurate and complete with which to make risk management decisions. iPost provides many benefits but also poses challenges for the department. iPost has resulted in improvements to the department's information security by providing more extensive and timely information on vulnerabilities, while also creating an environment where officials are motivated to fix vulnerabilities based on department priorities. However, State has faced, and will continue to face, challenges with the implementation of iPost. These include (1) overcoming limitations and technical issues with data collection tools, (2) identifying and notifying individuals with responsibility for site-level security, (3) implementing configuration management for iPost, (4) adopting a strategy for continuous monitoring of controls, and (5) managing stakeholder expectations for continuous monitoring activities. GAO recommends the Secretary of State direct the Chief Information Officer to take a number of actions aimed at improving implementation of iPost. State agreed with two of GAO's recommendations, partially agreed with two, and disagreed with three. GAO continues to believe that its recommendations are valid and appropriate.