BreachExchange mailing list archives

GAO Questions Security of Census Data


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 21 Feb 2013 09:25:29 -0500

http://www.govinfosecurity.com/gao-questions-security-census-data-a-5525

A government audit reveals that the Census Bureau does not do a good
enough job protecting the confidentiality of its data - a stinging
conclusion, considering the bureau collects personal information about
every individual residing in the United States.

In the report made public Feb. 20 - entitled Information Security:
Actions Needed by Census Bureau to Address Weaknesses - the Government
Accountability Office says the bureau has not effectively implemented
appropriate information security controls to protect its information
systems. Auditors say many of the deficiencies at the Commerce
Department agency relate to access controls, the security rules and
procedures used to regulate who or what can access the bureau's
systems.

As an example, GAO cites the bureau's failure to adequately:

Control connectivity to key network devices and servers;
Identify and authenticate users;
Limit user access rights and permissions to only those necessary to
perform official duties;
Encrypt data in transmission and at rest;
Monitor its systems and network;
Ensure appropriate physical security controls were in place.

"Without adequate controls over access to its systems, the bureau
cannot be sure that its information and systems are protected from
intrusion," GAO's Information Security Issues Director Gregory
Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the
51-page report.

Framework Fails to Fully Identify Risks

Wilshusen and Barkakati said an underlying reason for these weaknesses
is that the Census Bureau has not fully implemented a comprehensive
information security program to ensure that controls are effectively
established and maintained. Although the Census Bureau had begun
implementing a new risk management framework with a goal of better
management visibility of information security risks, the auditors
said, the framework didn't fully document identified information
security risks.

In addition, the bureau failed to update certain security management
program policies, adequately enforce user requirements for security
and awareness training and implement policies and procedures for
incident response.

"Until the bureau implements a complete and comprehensive security
program," the auditors wrote, "it will have limited assurance that its
information and systems are being adequately protected against
unauthorized access, use, disclosure, modification, disruption or
loss."

GAO offered 13 recommendations to address the problems, and Acting
Commerce Secretary Rebecca Blank responded that, for the most part, the
department agreed with GAO's conclusions, adding that the agency is
forming a team to carefully review each finding and prepare a specific
course of action to address them.

Bureau Questions Parts of Audit

Still, the bureau raised concerns with respect to several of GAO's
findings, including one in which the auditors found that the bureau's
continuous monitoring program failed to include mechanisms for near
real-time continuous monitoring. The bureau contended that the
frequency at which it performs scans is based on the identified risk
of the control or system being assessed, and that monthly scans were
consistent with the risk level it had identified for census data.

But GAO said the bureau's response is inconsistent with the Census
Bureau's own risk-based continuous monitoring plans, which it provided
to auditors and which call for weekly scans. In addition, the auditors
said, National Institute of Standards and Technology guidelines note
the importance of near real-time data as an input to an agency's
security decision-making process, and the bureau's risk management
framework documentation noted that near real-time risk monitoring is a
long-term goal for the bureau. GAO said it has clarified its finding to
better reflect the bureau's continuous monitoring plans.