This is the accessible text file for GAO report number GAO/OIG-09-1 
entitled 'GAO Office of Inspector General: Independent Evaluation of 
GAO’s Information Security Program and Practices – Fiscal Year 2008' 
which was released on January 7, 2009. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 


GAO Office of Inspector General: 

Report Summary: 

Date: October 2, 2008: 

Title: Independent Evaluation of GAO’s Information Security Program and 
Practices – Fiscal Year 2008 (GAO/OIG-09-1):  

Summary: The Office of Inspector General (OIG) performed an independent 
evaluation of GAO’s information security program and practices for 
fiscal year 2008 as prescribed by the Federal Information Security 
Management Act of 2002 (FISMA). GAO is not obligated by law to comply 
with FISMA, but has adopted the law’s requirements to strengthen its 
information security program and demonstrate its ongoing commitment to 
lead by example. The OIG issued a sensitive report that found GAO had 
generally established an information security program consistent with 
the requirements of FISMA and guidance issued by the Office of 
Management and Budget and the National Institute of Standards and 
Technology. However, the OIG identified several requirements that were 
not fully implemented and made recommendations accordingly to improve 
GAO’s information security practices and its Privacy Program. GAO 
management concurred with each of the report’s recommendations and is 
initiating corrective actions. 

[End of document]