Agencies urged to improve IT security tests
Agencies do not know for sure whether their technological systems are properly protected, the Government Accountability Office finds.
Agencies have inadequate policies for testing whether computer systems are secure, leaving officials blind to potential weaknesses, according to a new report from the Government Accountability Office.
None of the policies at the 24 agencies surveyed provided adequate guidelines for linking the extent of testing required for various information technology systems to the level of risk a breach could pose. Agencies did not always include instructions for testing those security controls common to multiple systems concurrently, to improve efficiency. And the policies did not always contain directions for how often tests should be conducted, the report (GAO-07-65) stated.
"Conducting effective periodic testing and evaluations of information security controls is a serious, pervasive and crosscutting challenge to federal agencies, warranting increased attention from [the Office of Management and Budget]," the report stated. "If these challenges are not addressed, federal agencies' information and operations may be at increased risk."
GAO recommended that OMB instruct agencies to develop and implement stronger policies for conducting periodic testing and evaluations. The auditors also urged administration officials to revise the instructions for agency reports to Congress on compliance with the 2002 Federal Information Security Management Act.
In a response to the report, OMB officials said they would consider the recommendations.
Rep. Tom Davis, R-Va., the outgoing House Government Reform Committee chairman, said in a statement that the report shows the government has a "long way to go to ensure Americans the information the government keeps about them is safe." Davis asked GAO to produce the study.
It remains unclear whether the committee will hold a hearing to discuss the findings.
With the pending Democratic takeover of Congress in January, Davis will step down as chairman of the government oversight committee and the current ranking member, Rep. Henry Waxman, D-Calif., will take the lead.
A spokeswoman for Waxman said it is too early to discuss specific topics for hearings for next year, but Waxman is grateful for GAO's suggestions.
"GAO is an expert on oversight, and its recommendations for oversight topics will be very helpful in setting priorities for next year," he said.
On Monday, GAO released a series of 36 oversight priorities for the next Congress. Computer security was on the list.