This is the accessible text file for GAO report number GAO/OIG-11-3 entitled 'Information Security: Evaluation of GAO's Program and Practices for Fiscal Year 2010' which was released on March 7, 2011.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer-term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Office of the Inspector General:
United States Government Accountability Office:
GAO/OIG:

GAO/OIG-11-3:

March 2011:

Information Security: Evaluation of GAO's Program and Practices for Fiscal Year 2010:

Objectives:

GAO is not obligated by law to comply with, but has adopted, the requirements of the Federal Information Security Management Act of 2002 (FISMA) to strengthen its information security program and demonstrate its ongoing commitment to lead by example.
GAO's Office of Inspector General (OIG) conducted an evaluation to assess (1) the effectiveness of the agency's information security policies, procedures, and practices, and (2) agency compliance with the information security requirements of FISMA and other federal information security policies, procedures, standards, and guidelines. (A full report on this evaluation was prepared for GAO internal use only.)

Findings:

The OIG's evaluation showed that GAO has established an information security program that is generally consistent with the requirements of FISMA, Office of Management and Budget (OMB) implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, using evaluation metrics provided by OMB for inspectors general, the OIG also identified improvement opportunities for specific elements of this program that concern:

* identifying the agency's systems inventory and assuring that all systems operated by GAO or by contractors meet security requirements,

* implementing additional computer scanning capabilities to test security configuration settings,

* remediating configuration-related vulnerabilities in a timely manner,

* ensuring that contractors have access to required role-based security awareness training, and

* planning for further implementation of the personal identity verification requirements of Homeland Security Presidential Directive 12 (HSPD-12).
Recommendations:

This report recommends that GAO (1) incorporate procedures within its annual systems inventory process that require inventory changes to be documented and formally approved by the Chief Information Officer and that system interfaces be identified, (2) identify and pursue additional options for obtaining assurances that certain contractor systems meet federal information security requirements, (3) continue efforts to complete and document required information security processes and procedures for all GAO-operated systems, (4) proceed with plans to establish a security configuration scanning capability for GAO notebook computers and workstations, (5) incorporate changes to the configuration management process that remediate specific open configuration-related vulnerabilities, (6) ensure that access to annual role-based information security training or its equivalent is provided for all contractor staff required to take this training, and (7) develop and brief senior management on a plan for practical implementation of HSPD-12 requirements.

GAO concurred with these recommendations.

[End of section]

Reporting Fraud, Waste, and Abuse in GAO's Internal Operations:

To report fraud, waste, and abuse in GAO's internal operations, do one of the following. (You may do so anonymously.)

* Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24 hours a day, 7 days a week.

* Send an e-mail to OIGHotline@gao.gov.

* Send a fax to the OIG Fraud, Waste, and Abuse Hotline at (202) 512-8361.

Write to:
GAO Office of Inspector General:
441 G Street NW, Room 1808:
Washington, DC 20548:

Obtaining Copies of GAO/OIG Reports and Testimony:

To obtain copies of OIG reports and testimony, go to GAO's Web site: [hyperlink, http://www.gao.gov/about/workforce/ig.html].

Congressional Relations:

Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400:
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548.
Public Affairs:

Chuck Young, Managing Director, youngcl@gao.gov, (202) 512-4800:
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548.