GAO: Audit, tech staffs should share expertise
- By William Jackson
- Apr 26, 2002
Agencies' systems controls fall short and inspectors general tend to overlook IT security, the General Accounting Office's information security director told the House this month.
The reason, said GAO's Robert F. Dacey, is that most security reviews occur only as part of financial audits. Dacey said agencies' technical and audit staffs need to communicate more of their expertise to one another.
Dacey's written comments, submitted to the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, elaborated on testimony he made to the panel last month and that sparked a disagreement with the Office of Management and Budget over access to recent security reports drafted by agencies.
Other security problems, as yet unidentified, could be as serious as those OMB cited in its first review of IT security reports required by the Government Information Security Reform Act, he said.
Dacey's comments responded to questions from Rep. Steve Horn (R-Calif.), the subcommittee's chairman. The questions followed Dacey's testimony at Horn's March hearing on lessons learned from the 2001 GISRA reports.
Tug-of-war
The testimony led to a minor turf battle between OMB, which is charged by GISRA to tell Congress the state of IT security, and GAO, the congressional investigative arm.
Dacey said OMB was restricting access to data needed for effective congressional oversight. OMB said the withheld information was preliminary budget data that could not be released.
Most agencies are not fully aware of the security risks they run, Dacey said, and too often they respond ad hoc to individual problems rather than set a disciplined overall approach.
Although OMB concluded that inadequate funding does not equate to poor security, Dacey said agencies have not done a good enough job of determining costs for security.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.