[ISN] IT security testing weak, GAO finds

From: InfoSec News (alerts@private)
Date: Mon Nov 20 2006 - 22:49:56 PST


http://www.gcn.com/online/vol1_no1/42645-1.html

By Patience Wait
GCN Staff
11/20/06

Despite the emphasis placed on IT security in recent years, federal 
agencies are not testing their security controls with any consistency or 
timeliness, and as a result may not realize their systems weaknesses, a 
new General Accounting Office report [1] has found.

Federal agencies have not adequately designed and effectively 
implemented policies for periodically testing and evaluating information 
security controls, the GAO concluded after surveying 24 major agencies 
and conducting in-depth case studies on 30 IT systems at six of the 
agencies.

These problems are occurring despite the requirements of the Federal 
Information Security Management Act, under which agencies have been 
laboring since its passage in 2002. The study was initiated at the 
request of Rep. Tom Davis (R-Va.), chairman of the House Government 
Reform Committee and the originator of FISMA. Davis office promised a 
statement on the GAO report, but has not released it yet.

According to the GAO, none of the 24 agencies have fully implemented six 
elements included in guidelines and standards developed by the Office of 
Management and Budget and the National Institute for Standards and 
Technology for conducting effective security testing and evaluation. 
Those six elements are:
    
* Identifying the frequency of periodic testing;
    
* Defining roles and responsibilities of personnel performing the 
  testing;
    
* Selecting a minimum set of security controls evaluated during periodic 
  tests;
    
* Identifying and testing common security controls;
    
* Determining the depth and breadth of periodic testing; and
    
* Including assessment results in remediation plans.

Because the problems were governmentwide, the GAO has recommended that 
OMB instruct agencies to develop and implement policies on periodic 
testing and evaluation, and revise instructions for future FISMA 
reporting by inspectors general to include assessments on the quality of 
agencies testing processes.

We received oral comments on a draft of this report from representatives 
at OMB, the GAO reported. The representatives agreed to consider our 
recommendations as part of their oversight responsibilities for 
information security at federal agencies.

[1] http://www.gao.gov/new.items/d0765.pdf


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Nov 20 2006 - 23:08:21 PST