What makes IT security problematic?

Management snafus and employee errors result in low grades, feds say

By Tony Lee Orr

GCN Staff

The difference between what federal executives think users are doing to keep government computers secure and what Joe Techworker does can be as vast as the chasm between the grades of A and F, federal investigations show.

Chief information officers have testified numerous times before congressional committees about their security plans and efforts.

Have you heard?

But General Accounting Office audits continue to shine a spotlight on the poor procedures for safeguarding systems that store personal and top-secret government information.

SSA chief information officer John Dyer says his agency has tightened up its password protection.

The majority of weaknesses reported are 'no-brainers,' former Energy Department CIO John Gilligan said.

GAO reports and testimony before the House Government Reform Subcommittee on Government Management, Information and Technology reveal basic security infractions:

• Desktop systems have been left running overnight.

• Some systems, although properly shut down, were found adorned with sticky tabs revealing users' passwords.

• Spot checks revealed passwords derived from the names of family members or pets.

• Systems administrators sometimes failed to block access by departed workers.

• Auditors also found users with more access to systems than their jobs require.

The government's CIOs have expressed frustration at all these scenarios.

The security message must be reiterated to managers until they spread the word to end users, said Gilligan, who left Energy this month for a newly created deputy CIO position at the Air Force.

To combat lazy password problems, the Social Security Administration has installed software that requires users to update passwords periodically, SSA CIO John R. Dyer said.

The software also checks for passwords that match names of users' family members, he said.

At the Education Department, where GAO auditors have found the same laundry list of problems, managers must establish employees' access capabilities, which are reviewed yearly, said Robert Davidson, the department's deputy CIO.

Although CIOs say they need more money to implement security programs, lawmakers have expressed a growing frustration with the inability of agencies to enforce the simplest precautions.

During a recent hearing about the need for a governmentwide CIO, Rep. Stephen Horn (R-Calif.) took the Office of Management and Budget to task for money wasted while no one made tough decisions concerning projects.

Senior agency managers continue to ask for money for security, but many security problems have little or nothing to do with funding, Horn said.
