GAO skewers Agriculture IT security
- By Mary Mosquera
- Mar 01, 2004
The Agriculture Department has not implemented an adequate security management program to ensure that effective controls are in place, leading to 'significant, pervasive information security weaknesses,' the General Accounting Office reported today.
Information security also requires significantly more management attention.
Although Agriculture has various initiatives under way, it had not yet fully implemented the key elements of a comprehensive security management program. GAO reviewed Agriculture's IT security from February through October last year.
Agriculture CIO Scott Charbo told the GAO in a letter that he was committed to improving IT security throughout the department. The department received an F in the federal computer security scorecard released in December by the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.
Agriculture's security will be greatly improved by the next scorecard, Charbo said in an interview. Certification and accreditation of Agriculture's IT systems is his top security priority, he said. Audits by Agriculture's Inspector General and GAO have generated work lists with plans of action and milestones to be met. 'If you look at what happens in the certification and accreditation process, you correct the majority of the material weakness and plan of action and milestone tasks,' he said, adding that he has vetted his security plan through the IG.
In its report, the GAO noted, for example, that agency security personnel lack the management involvement needed to effectively implement security programs. Three agencies have not completed any of the required risk assessments, and security controls have been tested and evaluated for less than half of the department's systems in the past year, the report said.
Serious weaknesses in access control include inadequate protection of network boundaries, insufficient control of network access, inappropriate limits on mainframe access, and failure to fully implement a comprehensive program to monitor access.
Weaknesses also exist in physical security, personnel controls, system software, application change control and service continuity. 'As a result, sensitive data, including information relating to the privacy of U.S. citizens, payroll and financial transactions, proprietary information, agricultural production and marketing estimates, and other mission-critical data, are at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected,' GAO said in its report.
GAO recommended that Agriculture:
- ensure that security management positions have the authority and cooperation of agency management to implement the security programs
- complete periodic IT systems risk assessments
- complete IT security plans and establish policies and procedures on the basis of identified risks
- provide employees with security awareness training
- test security controls
- complete IT system certification and accreditation.
Mary Mosquera is a reporter for Federal Computer Week.