Information Security: Evaluation of GAO's Program and Practices for Fiscal Year 2012

OIG-13-2: Feb 13, 2013

Additional Materials:


Office of Public Affairs
(202) 512-4800

What We Found

This is a publication by GAO's Inspector General that concerns internal GAO operations. The Federal Information Security Management Act of 2002 (FISMA) requires that each federal agency establish an agency-wide information security management program for the information and information systems that support the agency's operations and assets. GAO is not obligated by law to comply with FISMA or Executive Branch information policies, but has adopted them to help ensure physical and information system security. Our prior year evaluations have shown that GAO has established an overall information security program that is generally consistent with the requirements of FISMA, OMB implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. For example, GAO has well defined operational and technical controls for remote access to its network. Its telecommunications policy requires users to sign rules of behavior and user agreements that acknowledge their responsibility and accountability. GAO also has a process for reporting and disabling lost or stolen devices to prevent unauthorized access. In addition, GAO has continued its focus on closing prior year security-related recommendations.

Our fiscal year 2012 limited evaluation reinforced our prior conclusion. However, using 18 new FISMA reporting metrics for federal inspectors general, we identified areas for improvement in the contingency planning process. We also identified resource challenges that affect GAO's ability to implement security upgrades and strategies identified by GAO managers and the OIG.

What We Recommend

To help strengthen GAO's overall information security program, we recommend that the Chief Information Officer take the following two actions: (1) implement measures to increase the redundancy and availability of GAO mission-essential applications and (2) develop and provide, for GAO senior management consideration, a proposed strategy to ensure power redundancy to GAO servers and provide a long-term alternate power supply in the event of a power outage. GAO concurred with our recommendations.

Mar 30, 2015

Dec 1, 2014

Sep 30, 2014

Jun 3, 2014

May 27, 2014

Dec 19, 2013

Sep 27, 2013

Apr 26, 2013

Feb 13, 2013

Dec 12, 2012

Looking for more? Browse all our products here