Friday, January 23, 2009

Information Security Makes GAO High Risk Report for the 12th Year

The U.S. Government Accountability Office (GAO) has updated its list of governmental projects that are at risk "due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. GAO also identifies high-risk areas needing broad-based transformation to address major economy, efficiency, or effectiveness challenges."

Information security continues to make the list, now for the 12th year. In the section titled "Protecting the Federal Government’s Information Systems and the Nation’s Critical Infrastructures", the report notes that the Department of Homeland Security (DHS) has made some progress but still falls short:
"Federal information security has been on GAO’s list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP [Critical Infrastructure Protection]. The continued risks to information systems include escalating and emerging threats; the ease of obtaining and using hacking tools; the steady advance in the sophistication of attack technology; and the emergence of new and more destructive attacks."
Specifically, the report refers to numerous detailed past GAO reports and summarizes several areas requiring attention:
"Since 2006, GAO has made numerous recommendations in the following key areas:
  • bolstering cyber analysis and warning capabilities.
  • reducing organizational inefficiencies.
  • completing actions identified during cyber exercises.
  • developing sector-specific plans that fully address all cyber-related criteria.
  • improving cyber security of infrastructure control systems.
  • strengthening DHS’s ability to help recover from Internet disruptions.
"Until these and other key cyber security areas are effectively addressed, the nation’s cyber critical infrastructure is at risk of increasing threats posed by terrorists, nation-states, and others."
