[ISN] GAO hits IT security at USDA, says improvements needed

From: InfoSec News (isn@private)
Date: Wed Mar 03 2004 - 00:09:36 PST


    http://www.computerworld.com/securitytopics/security/story/0,10801,90709,00.html
    
    By Todd R. Weiss 
    MARCH 02, 2004 
    COMPUTERWORLD
    
    The U.S. Department of Agriculture (USDA) has "significant, pervasive
    information security control weaknesses" brought on by the lack of a
    fully implemented IT security management program, according to a
    report from the U.S. General Accounting Office.
    
    The 33-page report (download PDF)[1], released yesterday, strongly
    criticizes the USDA for security weaknesses, which potentially leave
    its proprietary information, payroll and financial transactions,
    agricultural and marketing data, and other information "at increased
    risk of unauthorized disclosure, modification or loss, possibly
    without being detected."
    
    To tighten the agency's IT security, the GAO report recommends that a
    top-to-bottom security management program be implemented, including
    improved controls on network boundaries, network access, mainframe
    access and overall system access management to better show who is
    using the agency's IT systems at any time.
    
    The GAO acknowledged that the USDA "has various initiatives under way"  
    to improve its IT security, but it criticized the agency's progress.
    
    "Agency security personnel have lacked the management involvement
    needed to effectively implement security programs," while "three
    agencies [inside the USDA] have not completed any of the required risk
    assessments" that have been laid out for them previously, according to
    the report. "Security controls have been tested and evaluated for less
    than half of the department's system in the past year."
    
    Scott Charbo, CIO at the USDA in Washington, couldn't be reached for
    comment today but said in a reply letter to the GAO that the report
    "accurately reflects issues and concerns identified by the GAO" and
    that he concurs with the need to improve the agency's IT security.
    
    Robert Dacey, director of information security issues at the GAO,
    today declined to comment further on the document.
    
    The GAO said it's been highlighting the need for improved information
    security within government agencies since 1997 and acknowledged that
    the USDA has been making some progress since 2000, when the GAO
    recommended that the USDA develop and document a strategy for
    improving information security.
    
    Among the chief criticisms of the report is that the USDA's network
    "does not provide a secure operating environment" to support its
    users. "While USDA established a restrictive policy to protect its
    agencies' internal networks from the Internet by using firewalls, its
    current network boundary controls are not configured in accordance
    with its security policy and do not provide adequate protection," the
    report said.
    
    [1] http://www.gao.gov/new.items/d04154.pdf
    
    
    
    


