GAO hits IT security at USDA, says improvements needed

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,90709,00.html

By Todd R. Weiss 
MARCH 02, 2004 
COMPUTERWORLD

The U.S. Department of Agriculture (USDA) has "significant, pervasive
information security control weaknesses" brought on by the lack of a
fully implemented IT security management program, according to a
report from the U.S. General Accounting Office.

The 33-page report (download PDF)[1], released yesterday, strongly
criticizes the USDA for security weaknesses, which potentially leave
its proprietary information, payroll and financial transactions,
agricultural and marketing data, and other information "at increased
risk of unauthorized disclosure, modification or loss, possibly
without being detected."

To tighten the agency's IT security, the GAO report recommends that a
top-to-bottom security management program be implemented, including
improved controls on network boundaries, network access, mainframe
access and overall system access management to better show who is
using the agency's IT systems at any time.

The GAO acknowledged that the USDA "has various initiatives under way"  
to improve its IT security, but it criticized the agency's progress.

"Agency security personnel have lacked the management involvement
needed to effectively implement security programs," while "three
agencies [inside the USDA] have not completed any of the required risk
assessments" that have been laid out for them previously, according to
the report. "Security controls have been tested and evaluated for less
than half of the department's system in the past year."

Scott Charbo, CIO at the USDA in Washington, couldn't be reached for
comment today but said in a reply letter to the GAO that the report
"accurately reflects issues and concerns identified by the GAO" and
that he concurs with the need to improve the agency's IT security.

Robert Dacey, director of information security issues at the GAO,
today declined to comment further on the document.

The GAO said it's been highlighting the need for improved information
security within government agencies since 1997 and acknowledged that
the USDA has been making some progress since 2000, when the GAO
recommended that the USDA develop and document a strategy for
improving information security.

Among the chief criticisms of the report is that the USDA's network
"does not provide a secure operating environment" to support its
users. "While USDA established a restrictive policy to protect its
agencies' internal networks from the Internet by using firewalls, its
current network boundary controls are not configured in accordance
with its security policy and do not provide adequate protection," the
report said.

[1] http://www.gao.gov/new.items/d04154.pdf



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.