Security weaknesses continue to plague many federal agencies, leaving large volumes of sensitive information at risk of unauthorized disclosure, modification, or destruction.
That was one of the main conclusions of yet another Government Accountability Office (GAO) security assessment, delivered to Congress this week, which focused on the Department of Education but also included information about other agencies. Since fiscal year 2006, the number of reported information security incidents affecting federal systems has steadily increased, rising from about 5,500 in fiscal year 2006 to almost 67,200 in fiscal year 2014, the GAO noted.
“Inspectors general for 23 of 24 agencies, including Education, cited information security as a major management challenge. In prior reports, GAO and inspectors general have made thousands of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain open,” the GAO stated. “Some 19 agencies—including Education—reported that information security control deficiencies were either a material weakness or a significant deficiency for fiscal year 2014.”
Even as the risks have grown sharply, spending on security has grown with little to show for it. From fiscal year 2010 to fiscal year 2014, 24 agencies reported spending between $10.3 billion and $14.6 billion annually on cybersecurity, including $12.7 billion in fiscal year 2014, a 23% increase from fiscal year 2013, the GAO stated. For fiscal years 2013 and 2014, agencies reported information security spending in areas that include preventing malicious cyber activity; detecting, analyzing, and mitigating intrusions; and shaping the cybersecurity environment, the GAO stated.
Specific weaknesses include:
Access controls: For fiscal year 2014, Education and 21 other agencies had weaknesses in electronic and physical controls to limit, prevent, or detect inappropriate access to computer resources (data, equipment, and facilities), thereby increasing their risk of unauthorized use, modification, disclosure, and loss. Specifically, Education’s inspector general reported weaknesses in several key access control elements, including protecting the boundaries of its information systems and handling incidents. For example, the department did not implement controls to verify the security of non-government furnished equipment connecting to its network via virtual private client programs prior to authentication.
Configuration management: For fiscal year 2014, 22 agencies, including Education, had weaknesses reported in controls that are intended to ensure that only authorized and fully tested software is placed in operation, software and hardware is updated, information systems are monitored, patches are applied to these systems to protect against known vulnerabilities, and emergency changes are documented and approved. For example, the department’s configuration management guidance had not been updated since 2005 and its IT security baseline configuration guidance had not been updated since 2009.
Segregation of duties: Fifteen agencies had weaknesses reported in controls for segregation of duties, although Education was not one of them. These controls are the policies, procedures, and organizational structure that help to ensure that one individual cannot independently control all key aspects of a computer-related operation and thereby take unauthorized actions or gain unauthorized access to assets or records.
Continuity of operations: Education and 17 other agencies had weaknesses reported in controls for their continuity of operations practices for fiscal year 2014. For example, Education did not consistently document the IT recovery procedures for its systems in accordance with National Institute of Standards and Technology (NIST) guidelines and departmental policies. In addition, the department did not consistently perform and document testing of contingency plans for certain systems.
Security management: For fiscal year 2014, 23 agencies, including Education, had weaknesses reported in security management, which is an underlying cause for information security control deficiencies identified at federal agencies. An agency-wide security program, as required by the Federal Information Security Management Act (FISMA), provides a framework for assessing and managing risk, including developing and implementing security policies and procedures, conducting security awareness training, monitoring the adequacy of the entity’s computer-related controls through security tests and evaluations, and implementing remedial actions as appropriate.
The GAO reported in September that most of the 24 major agencies (including Education) had weaknesses in information security controls, including:
- Limiting, preventing, and detecting inappropriate access to computer resources;
- Managing the configuration of software and hardware;
- Segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation;
- Planning for continuity of operations in the event of a disaster or disruption; and
- Implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.
“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies' efforts to fully implement effective information security programs,” the GAO stated.