IG cites ongoing flaws in State's security
- By Wilson P. Dizard III
- Nov 15, 2002
The State Department's systems security remains weak a year after the department's inspector general identified serious flaws, the IG reported recently.
As part of an annual review mandated by the Government Information Security Reform Act, the IG found that although State has a plan for certifying and accrediting its systems' security, it has set no timetable for implementing the plan.
But other officials called the security of State systems 'solid' in a statement responding to a reporter's questions.
'State has a strong program that includes intrusion detection systems deployed throughout the global infrastructure, enhanced firewalls and routers, a rigorous antivirus program and independent, periodic penetration testing,' the department said.
IT officials said some of the problems identified by the IG resulted from differences in how the department and IG defined GISRA terms. The department is taking steps to bolster its systems security, including establishing a new security office and seeking additional funds, State said.
Department officials had certified and accredited 4 percent of systems by August, the IG report said. Even though 72 percent of the department's 358 systems contain some level of classified information, only 15 percent have security plans, the report said.
State said it had a provisional plan for certifying all its systems on a three-year cycle.
The IG also said that information security officers at overseas posts 'generally were not performing all the requisite duties.'
Of 11 posts visited by auditors, none had information security plans, said the report.
The department said it had assigned security duties to officers at the posts, but the shortage of IT professionals made completing the tasks difficult. The department said it soon would appoint regional systems officers to oversee multiple smaller posts.
State also said it had established a new Office of Information Assurance to ensure that security measures are considered from a systems project's beginning.
The IG's report said the audit team will make recommendations for improving security at the department.