Internal controls (11 - 20 of 245 items)
Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System
GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.
The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data...
Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework
GAO-16-152: Published: Dec 17, 2015. Publicly Released: Dec 17, 2015.
In accordance with requirements in a 2013 executive order which were enacted into law in 2014, the National Institute of Standards and Technology (NIST) facilitated the development of a set of voluntary standards and procedures for enhancing cybersecurity of critical infrastructure. This process, which involved stakeholders from the public and private sectors, resulted in NIST's Framework for Impr...
Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress
GAO-16-79: Published: Nov 19, 2015. Publicly Released: Nov 19, 2015.
Sector-specific agencies (SSA) determined the significance of cyber risk to networks and industrial control systems for all 15 of the sectors in the scope of GAO's review. Specifically, they determined that cyber risk was significant for 11 of 15 sectors. Although the SSAs for the remaining four sectors had not determined cyber risks to be significant during their 2010 sector-specific planning pro...
Information Security: Department of Education and Other Federal Agencies Need to Better Implement Controls
GAO-16-228T: Published: Nov 17, 2015. Publicly Released: Nov 17, 2015.
Cyber-based risks to federal systems and information can come from unintentional threats, such as natural disasters, software coding errors, and poorly trained or careless employees, or intentional threats, such as disgruntled insiders, hackers, or hostile nations. These threat sources may exploit vulnerabilities in agencies' systems and networks to steal or disclose sensitive information, among o...
Information Security: Federal Agencies Need to Better Protect Sensitive Data
GAO-16-194T: Published: Nov 17, 2015. Publicly Released: Nov 17, 2015.
Federal systems face an evolving array of cyber-based threats. These threats can be unintentional—for example, from software coding errors or the actions of careless or poorly trained employees; or intentional—targeted or untargeted attacks from criminals, hackers, adversarial nations, terrorists, disgruntled employees or other organizational insiders, among others. These concerns are further...
Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention
GAO-16-174T: Published: Oct 21, 2015. Publicly Released: Oct 21, 2015.
GAO reported in 2011 that several entities—the North American Electric Reliability Corporation (NERC), the National Institute of Standards and Technology (NIST), the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE)—had taken steps to help secure the electric grid. These included developing cybersecurity standards and oth...
Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs
GAO-15-714: Published: Sep 29, 2015. Publicly Released: Sep 29, 2015.
Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does n...
Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses
GAO-15-777: Published: Sep 24, 2015. Publicly Released: Sep 24, 2015.
The Department of Defense (DOD) Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. While DOD OSBP is not required to educate small bu...
Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information
GAO-15-509: Published: Jul 2, 2015. Publicly Released: Jul 2, 2015.
Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions. For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review,...
Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies
GAO-15-725T: Published: Jun 24, 2015. Publicly Released: Jun 24, 2015.
GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity, including the following:Designing and implementing a risk-based cybersecurity program.Enhancing oversight of contractors providing IT services.Improving security incident response activities.Responding to breaches of personal information.Implementing cybersecurity programs at small agencie...