Internal controls (11 - 20 of 52 items)
Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
GAO-15-725T: Published: Jun 24, 2015. Publicly Released: Jun 24, 2015.
GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity, including the following:Designing and implementing a risk-based cybersecurity program.Enhancing oversight of contractors providing IT services.Improving security incident response activities.Responding to breaches of personal information.Implementing cybersecurity programs at small agencie...
Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
The Department of Homeland Security (DHS) has taken preliminary steps to begin to understand the cyber risk to building and access controls systems in federal facilities. For example, in 2013, components of DHS's National Protection and Programs Directorate (NPPD) conducted a joint assessment of the physical security and cybersecurity of a federal facility. However, significant work remains.Lack o...
Information Security: VA Needs to Address Identified Vulnerabilities
GAO-15-117: Published: Nov 13, 2014. Publicly Released: Nov 17, 2014.
While the Department of Veterans Affairs (VA) has taken actions to mitigate previously identified vulnerabilities, it has not fully addressed these weaknesses. For example, VA took actions to contain and eradicate a significant incident detected in 2012 involving a network intrusion, but these actions were not fully effective:The department's Network and Security Operations Center (NSOC) analyzed...
Information Security: Agencies Need to Improve Oversight of Contractor Controls
GAO-14-612: Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.
Although the six federal agencies that GAO reviewed (the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM)) generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls, five of the...
Information Security: Federal Agencies Need to Enhance Responses to Data Breaches
GAO-14-487T: Published: Apr 2, 2014. Publicly Released: Apr 2, 2014.
The number of reported information security incidents involving personally identifiable information (PII) has more than doubled over the last several years (see figure).Information Security Incidents Involving PII, Fiscal Years 2009 – 2013As GAO has previously reported, major federal agencies continue to face challenges in fully implementing all components of an agency-wide information security...
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness
GAO-13-776: Published: Sep 26, 2013. Publicly Released: Sep 26, 2013.
In fiscal year 2012, 24 major federal agencies had established many of the components of an information security program required by The Federal Information Security Management Act of 2002 (FISMA); however, they had partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and each agency inspector general...
Information Security: IRS Has Improved Controls but Needs to Resolve Weaknesses
GAO-13-350: Published: Mar 15, 2013. Publicly Released: Mar 15, 2013.
IRS continued to make progress in addressing information security control weaknesses, improving its internal control over financial reporting. During fiscal year 2012, IRS management devoted attention and resources to addressing information security controls, and resolved a significant number of the information security control deficiencies that GAO previously reported. Notable among these efforts...
Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
GAO-13-155: Published: Jan 25, 2013. Publicly Released: Feb 1, 2013.
The Federal Communications Commission (FCC) did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project. Although FCC took steps to enhance its ability to control and monitor its network for security threats, weaknesses identified in the commission's deployment of components of the ESN project as of August 2012 res...
Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use
GAO-12-92: Published: Dec 9, 2011. Publicly Released: Jan 9, 2012.
A wide variety of cybersecurity guidance is available from national and international organizations for entities within the seven critical infrastructure sectors GAO reviewed--banking and finance; communications; energy; health care and public health; information technology; nuclear reactors, material, and waste; and water. Much of this guidance is tailored to business needs of entities or provide...
Information Security: Additional Guidance Needed to Address Cloud Computing Concerns
GAO-12-130T: Published: Oct 6, 2011. Publicly Released: Oct 6, 2011.
Cloud computing, an emerging form of computing where users have access to scalable, on-demand capabilities that are provided through Internet-based technologies, has the potential to provide information technology services more quickly and at a lower cost, but also to introduce information security risks. Accordingly, GAO was asked to testify on the security implications of cloud computing. This t...