GAO Information Security Issues

Similar documents
FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

Middle Class Economics: Cybersecurity Updated August 7, 2015

GAO CYBERSECURITY HUMAN CAPITAL. Initiatives Need Better Planning and Coordination

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Deputy Chief Financial Officer Peggy Sherry. And. Chief Information Security Officer Robert West. U.S. Department of Homeland Security.

Department of Homeland Security

NARA s Information Security Program. OIG Audit Report No October 27, 2014

NASA OFFICE OF INSPECTOR GENERAL

I. U.S. Government Privacy Laws

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Actions and Recommendations (A/R) Summary

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

ANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

December 8, Security Authorization of Information Systems in Cloud Computing Environments

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NICE and Framework Overview

STATEMENT OF MARK A.S. HOUSE OF REPRESENTATIVES

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Preventing and Defending Against Cyber Attacks June 2011

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

ANNUAL REPORT TO CONGRESS: FEDERAL INFORMATION SECURITY MANAGEMENT ACT

CLOUD COMPUTING. Agencies Need to Incorporate Key Practices to Ensure Effective Performance

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

NIST Cyber Security Activities

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

a GAO GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002

United States Department of Agriculture. Office of Inspector General

Briefing Outline. Overview of the CUI Program. CUI and IT Implementation

Preventing and Defending Against Cyber Attacks November 2010

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

Continuous Monitoring

INFORMATION SECURITY. Agencies Need to Improve Cyber Incident Response Practices

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

The Comprehensive National Cybersecurity Initiative

POSTAL REGULATORY COMMISSION

How To Audit The Mint'S Information Technology

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

NIST Cybersecurity Framework What It Means for Energy Companies

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Compliance Risk Management IT Governance Assurance

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

An Overview of Large US Military Cybersecurity Organizations

The DS Information Assurance and Cybersecurity Role-Based Training Program. Diplomatic Security Training Center (DSTC) Dunn Loring, VA

HEALTHCARE.GOV. Actions Needed to Address Weaknesses in Information Security and Privacy Controls

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

How To Improve Nasa'S Security

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

CYBERSECURITY RISK MANAGEMENT

September 24, Mr. Hogan and Ms. Newton:

Audit of the Department of State Information Security Program

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C October 30, 2015

VA Office of Inspector General

National Cybersecurity Assessment and Technical Services

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Evaluation of DHS' Information Security Program for Fiscal Year 2015

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Transcription:

GAO Information Security Issues Presented to: Federal Audit Executive Council April 18, 2012 1

Agenda Snapshots of Federal Information Security Highlights of Selected GAO Reports GAO Focus Areas List of Recent GAO Reports on Cybersecurity Questions and Answers 2

Snapshots of Federal Information Security Increasing software vulnerabilities is one of several security challenges confronting agencies 3

Snapshots of Federal Information Security Most agencies have weaknesses in most FISCAM general control areas in FY 2011 4

Snapshots of Federal Information Security Agencies continue to report information security weaknesses over financial systems 5

Snapshots of Federal Information Security Reported security incidents continue to rise 6

Snapshots of Federal Information Security Types of reported security incidents varied 7

Snapshots of Federal Information Security Current federal priorities for enhancing cybersecurity TIC/Einstein External connections Continuous monitoring Automated monitoring capabilities Cyberscope HSPD-12, PIV Cards Logical access 8

Review of State Dept. s ipost continuous monitoring system (GAO-11-149) Requested by Senators Carper, Lieberman, Brown 4 objectives: Identify scope, use, controls, benefits and challenges associated with ipost Key findings: ipost covers many, but not all, devices and controls Risk scoring helps to identify vulnerabilities, prioritize remediation & provide accountability Challenges include limitations of automated tools, implementing configuration management, adopting a strategy, and managing stakeholder expectations 9

Review of PIV Implementation (GAO-11-751) Requested by Senators Lieberman, Collins, Carper 2 objectives: Assess progress, identify obstacles Scope: 8 agencies plus OMB, GSA; Oct 2010 Sept 2011 Key findings: Substantial progress conducting BIs and issuing cards Fair to limited progress using electronic features for physical and logical access; minimal for interoperability Obstacles include: logistical problems issuing cards to individuals in remote locations; low priority to implement electronic capabilities; and lack of trust in credentials issued by other agencies 10

Review of Cybersecurity Human Capital (GAO-12-8) Requested by Senator Schumer 2 objectives: Assess agency workforce planning activities for cybersecurity and status of governmentwide initiatives Scope: 8 agencies plus OPM, NIST; Dec 2010 Nov 2011 Key Findings: Agencies varied in their use of workforce planning practices 5 of 8 developed cyber workforce plans; all faced challenges identifying size of workforce and several with filling cybersecurity positions; 6 of 8 identified hiring process as an obstacle; training opportunities varied Governmentwide efforts to enhance cyber workforce, but efforts lack planning and coordination 11

Review of IT Supply Chain (GAO-12-361) Requested by Senators Kyl, Hutchison, Collins, Carper, Gillibrand, and Rep. Upton 3 objectives: Identify risks, extent agencies addressed risks, extent agencies identified foreign technology in networks Scope: 4 agencies Energy, DHS, Justice, DOD Key Findings: IT supply chain may introduce malicious code, counterfeits, shortages or disruptions, unintentional vulnerabilities Energy, DHS, Justice have not fully addressed risk, DOD is further along; governmentwide efforts are underway Agencies have not identified foreign technology 12

Cybersecurity Focus Areas FISMA - Mandate Report and Analysis - EPA - Census Bureau - FCC Emerging Issues - Implantable Medical Devices - Security of Mobile Devices - Cybersecurity Threats - Cybersecurity Strategies Privacy - Electronic Prescriptions - Wireless Location-Based Information Consolidated Financial Statements - IRS - BPD/Federal Reserve - FDIC - SEC - OIGs - TARP - FHFA - SOSI - CFPB Critical IT Systems & Infrastructure - Fed. Role in Datacomm Network Security - Cyber Threats to DOD Industrial Base Training/ Methodology/ Liaison - FISCAM - GAO Internal Controls - Internal/External Training - Technical Assistance to Hill - OMB/NIST/NASCIO 13

Recent GAO Reports GAO-12-424R, Management Rpt: Improvements Needed in SEC s Internal Control and Accounting Procedure (Apr. 2012) GAO-12-393, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data (March 2012) GAO-12-361, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks (March 2012) GAO-12-507T, Cybersecurity: Challenges in Securing the Modernized Electricity Grid (February 2012) GAO-12-92, Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (December 2011) 14

Recent GAO Reports (cont.) GAO-12-8, Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination (Nov. 2011) GAO-12-130T, Information Security: Additional Guidance Needed to Address Cloud Computing Concerns (Oct. 2011) GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements (Oct. 2011) GAO-11-751, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards (Sept. 2011) 15

Recent GAO Reports (cont.) GAO-11-708, Information Security: FDIC Has Made Progress, but Further Actions Are Needed to Protect Financial Data (Aug. 2011) GAO-11-695R, Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates (July 2011) GAO-11-865T, Cybersecurity: Continued Attention Needed to Protect Our Nation s Critical Infrastructure (July 2011) GAO-11-149, Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain (July 2011) 16

Recent GAO Reports (cont.) GAO-11-75, Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber Activities (July 2011) GAO-11-605, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (June 2011) GAO-11-463T, Cybersecurity: Continued Attention Needed to Protect Our Nation s Critical Infrastructure and Federal Information Systems (March 2011) GAO-11-308, Information Security: IRS Needs to Enhance Internal Control Over Financial Reporting and Taxpayer Data (March 2011) GAO-11-278, High-Risk Series: An Update (February 2011) 17

Recent GAO Reports (cont.) GAO-11-117, Electric Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed (January 2011) GAO-11-67, Information Security: National Nuclear Security Administration Needs to Improve Contingency Planning for Its Classified Supercomputing Operations (December 2010) GAO-11-43, Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risks (November 2010) GAO-11-20, Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls (October 2010) 18

Recent GAO Reports (cont.) GAO-11-24, Cyberspace Policy: Executive Branch is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership is Needed (October 2010) GAO-10-916, Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems (September 2010) GAO-10-628, Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed (July 2010) GAO-10-606, Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance (July 2010) 19

GAO Contact Greg Wilshusen Director, Information Security Issues 202-512-6244 wilshuseng@gao.gov www.gao.gov 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information