Risk assessment (31 - 39 of 39 items)
Information Security: Veterans Affairs Needs to Address Long-Standing Weaknesses
GAO-07-532T: Published: Feb 28, 2007. Publicly Released: Feb 28, 2007.
Security breaches at the Department of Veterans Affairs (VA) and other public and private organizations have highlighted the importance of well-designed and implemented information security programs. GAO was asked to testify on its past work on VA's information security program, as well as ongoing reviews that it is conducting at VA. In developing its testimony, GAO drew on over 15 of its previous...
Managing Sensitive Information: DOJ Needs a More Complete Staffing Strategy for Managing Classified Information and a Set of Internal Controls for Other Sensitive Information
GAO-07-83: Published: Oct 20, 2006. Publicly Released: Nov 20, 2006.
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives' Information Security Oversight Office (ISOO) assesses agencies' classification management programs, and in July 2004 and April...
Information Security: Federal Agencies Show Mixed Progress in Implementing Statutory Requirements
GAO-06-527T: Published: Mar 16, 2006. Publicly Released: Mar 16, 2006.
For many years, GAO has reported that ineffective information security is a widespread problem that has potentially devastating consequences. In its reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue--most recently in January 2005. Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses...
Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements
GAO-05-552: Published: Jul 15, 2005. Publicly Released: Jul 15, 2005.
Federal agencies rely extensively on computerized information systems and electronic data to carry out their missions. The security of these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. Concerned with accounts of attacks on systems via the Internet and reports of significant weaknesses in...
Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems
GAO-05-231: Published: May 13, 2005. Publicly Released: Jun 13, 2005.
Federal agencies are facing a set of emerging cybersecurity threats that are the result of increasingly sophisticated methods of attack and the blending of once distinct types of attack into more complex and damaging forms. Examples of these threats include spam (unsolicited commercial e-mail), phishing (fraudulent messages to obtain personal or sensitive data), and spyware (software that monitors...
Information Security: Agencies Need to Implement Consistent Processes In Authorizing Systems for Operation
GAO-04-376: Published: Jun 28, 2004. Publicly Released: Jul 28, 2004.
The Office of Management and Budget (OMB) requires agencies to certify the security controls of their information systems and to formally authorize and accept the risk associated with their operation (a process known as accreditation). These processes support requirements of the Federal Information Security Management Act of 2002 (FISMA). Further, OMB requires agencies to report the number of syst...
Information Security: Computer Controls over Key Treasury Internet Payment System
GAO-03-837: Published: Jul 30, 2003. Publicly Released: Jul 30, 2003.
"Pay.gov" is an Internet portal sponsored and managed by the Department of the Treasury's Financial Management Service (FMS) and operated at three Federal Reserve facilities. Pay.gov is intended to allow the public to make certain non-income-tax-payments to the federal government securely over the Internet. FMS estimates that Pay.gov eventually could annually process 80 million transactions valued...
Information Security Risk Assessment: Practices of Leading Organizations
AIMD-00-33: Published: Nov 1, 1999. Publicly Released: Nov 1, 1999.
This document is a supplement to GAO's May 1998 executive guide on information security management. It is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessmen...
Information Security Risk Assessment: Practices of Leading Organizations (Exposure Draft)
AIMD-99-139: Published: Aug 1, 1999. Publicly Released: Aug 1, 1999.
GAO published a guide to aid federal managers in implementing an ongoing information security risk assessment process. GAO provided case studies of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices...