Information Security: Evaluation for GAO's Program and Practices for Fiscal Year 2011
OIG-12-2: Mar 30, 2012
Tonya R. Ford
What We Found
This is a publication by GAO's Inspector General that concerns internal GAO operations. A full report on this evaluation was prepared for GAO internal use only. The Federal Information Security Management Act of 2002 (FISMA) requires that each federal agency establish an agencywide information security management program for the information and information systems that support the agencys operations and assets. GAO is not obligated by law to comply with FISMA or Executive Branch information policies, but has adopted them to help ensure physical and information system security. Our evaluation showed that GAO has established an overall information security program that is generally consistent with the requirements of FISMA, Office of Management and Budget implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, using FISMA reporting metrics for federal inspectors general, we identified opportunities to improve specific elements of this program that concern
- addressing information security risk from an overall agency ·perspective through a comprehensive governance structure and organization-wide risk management strategy,
- remediating security weaknesses identified for agency information·systems in a timely manner,
- building out GAOs Alternative Computing Facility to fully support the·agencys mission-essential functions in the event of an emergency ordisaster, and
- developing accurate statistics for employees and contractors·completing annual security awareness and role-based training.
What We Recommend
This report recommends that GAO (1) establish a comprehensive governance structure and organization-wide risk management strategy for the security of its information systems; (2) enhance accountability for, and management of, the agencys information security weakness remediation process; (3) provide senior management with adequate information to consider and prioritize building out the capabilities of the agencys Alternative Computing Facility; and (4) develop and implement procedures for capturing data that accurately reflect agency compliance with security training requirements as of the end of each fiscal year. GAO concurred with these recommendations.