Information systems (11 - 20 of 54 items)
Information Security: Agencies Need to Improve Oversight of Contractor Controls
GAO-14-612: Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.
Although the six federal agencies that GAO reviewed (the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM)) generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls, five of the...
Information Security: Additional Oversight Needed to Improve Programs at Small Agencies
GAO-14-344: Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.
The six small agencies GAO reviewed have made mixed progress in implementing elements of information security and privacy programs as required by the Federal Information Security Management Act of 2002, the Privacy Act of 1974, the E-Government Act of 2002, and Office of Management and Budget (OMB) guidance (see figure).Agencies' Implementation of Information Security and Privacy Elements in Fisca...
Information Security: Federal Agencies Need to Enhance Responses to Data Breaches
GAO-14-487T: Published: Apr 2, 2014. Publicly Released: Apr 2, 2014.
The number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years (see figure).Information Security Incidents Involving PII, Fiscal Years 2009 – 2013As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security...
Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent
GAO-14-34: Published: Dec 9, 2013. Publicly Released: Jan 8, 2014.
The eight federal agencies GAO reviewed generally developed, but inconsistently implemented, policies and procedures for responding to a data breach involving personally identifiable information (PII) that addressed key practices specified by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology. The agencies reviewed generally addressed key management an...
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness
GAO-13-776: Published: Sep 26, 2013. Publicly Released: Sep 26, 2013.
In fiscal year 2012, 24 major federal agencies had established many of the components of an information security program required by The Federal Information Security Management Act of 2002 (FISMA); however, they had partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and each agency inspector general...
Cybersecurity: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges
GAO-13-462T: Published: Mar 7, 2013. Publicly Released: Mar 7, 2013.
The federal government continues to face challenges in a number of key areas in effectively implementing cybersecurity; these challenge areas include the following, among others:Designing and implementing risk-based cybersecurity programs at federal agencies. Shortcomings persist in assessing risks, developing and implementing security programs, and monitoring results at federal agencies. This is...
Cybersecurity: Threats Impacting the Nation
GAO-12-666T: Published: Apr 24, 2012. Publicly Released: Apr 24, 2012.
The nation faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal gr...
IT Supply Chain: National Security-Related Agencies Need to Better Address Risks
GAO-12-361: Published: Mar 23, 2012. Publicly Released: Mar 23, 2012.
Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actorssuch as foreign intelligence services or counterfeiterswho may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains. This in turn can adversely a...
Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
GAO-12-92: Published: Dec 9, 2011. Publicly Released: Jan 9, 2012.
A wide variety of cybersecurity guidance is available from national and international organizations for entities within the seven critical infrastructure sectors GAO reviewed--banking and finance; communications; energy; health care and public health; information technology; nuclear reactors, material, and waste; and water. Much of this guidance is tailored to business needs of entities or provide...
Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
GAO-12-130T: Published: Oct 6, 2011. Publicly Released: Oct 6, 2011.
Cloud computing, an emerging form of computing where users have access to scalable, on-demand capabilities that are provided through Internet-based technologies, has the potential to provide information technology services more quickly and at a lower cost, but also to introduce information security risks. Accordingly, GAO was asked to testify on the security implications of cloud computing. This t...