US audit finds weak infosec practices in government


By Dylan Bushell-Embling
Tuesday, 06 October, 2015


The US Government Accountability Office has found “persistent weaknesses” in the way 24 federal government agencies are approaching information security.

An audit by the office found fault with the way the US agencies are applying security policies and practices.

The office identified weaknesses in areas including limiting and detecting inappropriate access to computer resources, managing hardware and software configuration, and segregating duties to prevent a single person having control over all key aspects of an IT-based operation.

Other problem areas include continuity planning, security risk management and the implementation of agency-wide security management programs.

“These deficiencies place critical information and information systems used to support the operations, assets, and personnel of federal agencies at risk, and can impair agencies’ efforts to fully implement effective information security programs,” the report states.

“In prior reports, GAO and inspectors general have made hundreds of recommendations to agencies to address deficiencies in their information security controls and weaknesses in their programs, but many of these recommendations remain unimplemented.”

The report finds that the US Government has had only “mixed” success in meeting federal legislative requirements for information security.

It recommends that the Office of Management and Budget should work with the Department of Homeland Security to develop a consistent and comparable set of ratings for agency security performance for inspection purposes.
