Security lacking at most government agencies, GAO says

When it comes to securing your private information, the US government has a long way to go. A Government Accountability Office report last week found that only 2 of 24 agencies had implemented all of the security requirements mandated by the Office of Management and Budget last year to protect personal information.

According to the GAO report, the Treasury Department and the Department of Transportation had implemented the strongest security, while the National Science Foundation and the Small Business Administration were the worst. A Washington Post story today noted that the SBA and NSF had implemented stronger security measures since the GAO looked at them last fall.

Specifically, the OMB says all agencies are required to:

• Encrypt all data on mobile computers or devices that carry agency data, unless the data are determined to be nonsensitive;

• Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access;

• Enforce a “time-out” function for remote access and mobile devices that requires that users re-authenticate after 30 minutes of inactivity; and

• Log all instances in which computer-readable data are extracted from databases holding sensitive information, and verify that each extract including sensitive data has been erased within 90 days or that its use is still required.

OMB also recommended the use of a NIST-provided checklist for the protection of remote information.
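The fourth requirement above (log every extract of sensitive data and verify within 90 days that it has been erased or is still needed) is the one that calls for ongoing bookkeeping rather than a device setting. The Python script below is an added illustration, not code from the GAO, OMB or any agency: it audits a constructed extract log and flags records past the 90-day window. It assumes that a recorded use-verification restarts the clock, which the page does not say.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention window from the OMB requirement quoted above: a logged extract must
# be erased within 90 days, or its continued use must be re-verified.
EXTRACT_WINDOW_DAYS = 90
AS_OF = date(2008, 2, 15)  # constructed audit date for the sample log

@dataclass
class ExtractRecord:
    """One logged extract of computer-readable data from a sensitive database."""
    extract_id: str
    user: str
    extracted_on: date
    erased_on: Optional[date] = None        # date the extract was destroyed
    use_verified_on: Optional[date] = None  # last confirmation that use is still required

def extract_status(rec: ExtractRecord, as_of: date) -> str:
    """Status of one record; assumes (not stated on the page) that a use
    verification restarts the 90-day clock."""
    if rec.erased_on is not None:
        late = (rec.erased_on - rec.extracted_on).days > EXTRACT_WINDOW_DAYS
        return "erased-late" if late else "erased"
    anchor = max(rec.extracted_on, rec.use_verified_on or rec.extracted_on)
    if as_of > anchor + timedelta(days=EXTRACT_WINDOW_DAYS):
        return "overdue"
    return "verified" if rec.use_verified_on else "open"

def audit_extracts(records, as_of: date) -> dict:
    """Group extract ids by status; 'overdue' and 'erased-late' are the findings."""
    report = {}
    for rec in records:
        report.setdefault(extract_status(rec, as_of), []).append(rec.extract_id)
    return report

# Constructed sample extract log (not real agency data).
SAMPLE_LOG = [
    ExtractRecord("E1", "alice", date(2008, 1, 10), erased_on=date(2008, 2, 1)),
    ExtractRecord("E2", "bob", date(2007, 10, 1)),
    ExtractRecord("E3", "carol", date(2007, 10, 1), use_verified_on=date(2007, 12, 20)),
    ExtractRecord("E4", "dave", date(2008, 1, 20)),
    ExtractRecord("E5", "erin", date(2007, 9, 1), erased_on=date(2008, 1, 5)),
]

if __name__ == "__main__":
    for status, ids in sorted(audit_extracts(SAMPLE_LOG, AS_OF).items()):
        print(f"{status:12s} {', '.join(ids)}")
```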

Not all agencies failed to implement these security requirements, however. The GAO said that of the 24 major agencies it surveyed, 22 had developed policies requiring personally identifiable information to be encrypted on mobile computers and devices. Fifteen of the 24 agencies had policies to use a “time-out” function for remote access and mobile devices requiring user reauthentication after 30 minutes of inactivity. Fewer agencies (11) had established policies to log computer-readable data extracts from databases holding sensitive information and erase the data within 90 days after extraction. Several agencies indicated that they were researching technical solutions to address these issues. Gaps in their policies and procedures reduced agencies’ ability to protect personally identifiable information from improper disclosure, the GAO added.

The federal government has seen significant exposures of personally identifiable information in the past few years. According to a 2006 congressional staff report, since January 2003, 19 departments and agencies reported at least one loss of personally identifiable information that could expose individuals to identity theft. 

According to the GAO report, a series of data breaches at federal agencies have involved system intrusion, phishing scams, and the physical loss or theft of portable computers, hard drives, and disks. During fiscal year 2006, federal agencies reported a record number of incidents to the US Computer Emergency Readiness Team (US-CERT). For example, in 2006 there were 5,146 incident reports—a substantial increase over the 3,569 incidents reported in 2005. During this period, US-CERT recorded a dramatic rise in incidents where either physical loss or theft or system compromise resulted in the loss of personally identifiable information.

This report follows a GAO report in January that said the IRS has “persistent information security weaknesses that place [it] at risk of disruption, fraud or inappropriate disclosure of sensitive information.” The agency, which collected about $2.7 trillion in taxes in 2007, has fixed just 29 of 98 information security weaknesses identified in a report released last March, the report said.


Copyright © 2008 IDG Communications, Inc.
