Information Security:

FBI Needs to Address Weaknesses in Critical Network

GAO-07-368: Published: Apr 30, 2007. Publicly Released: May 24, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI's critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.

Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources. Specifically, FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats. These weaknesses existed, in part, because FBI had not fully implemented key information security program activities for the critical network reviewed. FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring. However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI corrected identified weaknesses in a timely manner.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should correct identified weaknesses in a timely manner.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  2. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI provided comprehensive coverage of system testing and scans.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should provide comprehensive coverage of system testing and scans.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  3. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI ensured that network users received security awareness training and that users with significant security responsibilities received specialized training as defined by their role.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should ensure that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training as defined by their role.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  4. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI completed a network security plan that reflected the current operating environment and included sections required by the FBI Certification & Accreditation Handbook.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network security plan to ensure that it reflects the current operating environment and includes sections required by the FBI Certification & Accreditation Handbook.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  5. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI developed technical standards that included guidance for addressing the access control weaknesses identified.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop technical standards that include guidance for addressing the access control weaknesses identified.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  6. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI implemented a network risk assessment that reflected the current operating environment and included elements required by the FBI Certification & Accreditation Handbook.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network's risk assessment to reflect the current operating environment and ensure that the assessment includes elements required by the FBI Certification & Accreditation Handbook.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  7. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI developed a comprehensive inventory of the current network operating environment.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a comprehensive inventory of the current network operating environment.

    Agency Affected: Department of Justice: Federal Bureau of Investigation

  8. Status: Closed - Implemented

    Comments: In fiscal year 2011 we verified that FBI developed a continuity of operations plan that addressed the current network environment, and periodically tested the plan.

    Recommendation: To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a continuity of operations plan that addresses the current network environment, and periodically test the plan.

    Agency Affected: Department of Justice: Federal Bureau of Investigation
