CSO - Mountains of data on how Americans work and live collected by the U.S. Census Bureau may not be adequately protected from intruders, according to a report from the U.S. Government Accountability Office (GAO).
While the Census Bureau has taken steps to protect the data it's collected, it hasn't implemented the kind of security controls needed to protect its systems, said the report.
"Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems," the GAO reported.
Security sins cited by the GAO include:
Securing government data has become increasingly important because its agencies, bureaus and departments have attracted increased intruder attention over the last six years, said GAO Director of Information Security Issues Gregory C. Wilshusen, one of the report's authors.
"The number of security incidents reported by federal agencies has risen 782% over the last six years, from about 5,500 in fiscal year 2006 to 48,562 in fiscal year 2012," he said in an interview.
The report noted that the Bureau had taken steps to protect its data in the event of a disaster or disruption, but those steps remain incomplete. They did not include distributing the disaster plan to key personnel and identifying any weaknesses through testing.
"Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished," the report said.
One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework, according to the Census Bureau's CIO, Brian McGrath.
"That presented some challenges for all parties to truly assess the sophistication and depth of the IT security program here at the Census Bureau," he said in an interview.
"We do not take IT security lightly," he continued. "We fully recognize the importance of IT security and the data that the American citizens have entrusted us with.
"Data security is part of our culture," he added. "We require staff to take IT security awareness training on an annual basis, and we have acceptable usage policies that all employees have to sign before they're granted access to our IT systems."
While the report acknowledged the agency's implementation of a new security framework, it argued that the framework did not fully document information security risks.
It also asserted that the bureau did not adequately enforce user requirements for security and awareness training.
"Until the Bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss," the report said.