Information Security: Opportunities for Improved OMB Oversight of Agency Practices

AIMD-96-110 Published: Sep 24, 1996. Publicly Released: Sep 24, 1996.

Highlights

Pursuant to a congressional request, GAO provided a general overview of the adequacy of information security at 15 major federal agencies, focusing on: (1) recent reviews and self-audits of information security at these agencies; (2) the most significant information security weaknesses and their causes; and (3) the Office of Management and Budget's (OMB) oversight of federal agency practices and opportunities for improvement.

Recommendations

Recommendations for Executive Action

Recommendation 1
Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should advocate and promote the CIO Council's adoption of information security as one of its top priorities and development of a strategic plan for increasing awareness of the importance of information security, especially among senior agency executives, and improving information security program management governmentwide. Initiatives the CIO Council should consider incorporating in its strategic plan include: (1) developing information on the existing security risks associated with nonclassified systems currently in use; (2) developing information on the risks associated with evolving practices, such as Internet use; (3) identifying best practices regarding information security programs so that they can be adopted by federal agencies; (4) establishing a program for reviewing the adequacy of individual agency information security programs using interagency teams of reviewers; (5) ensuring adequate review coverage of agency information security practices by considering the scope of various types of audits and reviews performed and acting to address any identified gaps in coverage; (6) developing or identifying training and certification programs that can be shared among agencies; and (7) identifying proven security tools and techniques.
Status: Closed - Implemented
Comments: In late 1997, the CIO Council formally declared information security as one of six priority areas and established a Security Committee to coordinate its plans to address some of the most prominent governmentwide problems: insufficient awareness of risks, inadequate technical training, and poor incident response capabilities. In addition, in May 1998, the President issued Presidential Decision Directive 63, which addresses federal information security from a national security perspective and imposes some new reporting requirements on federal agencies. As of late 1998, it was not clear how the new requirements specified in the Directive would be coordinated with ongoing CIO Council efforts. The other aspects of this recommendation have been subsumed under a new recommendation in GAO/AIMD-98-92, September 23, 1998.

Recommendation 2
Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should direct the Office of Information and Regulatory Affairs, the Office of Federal Financial Management, and the Resource Management Offices to: (1) supplement their current reviews of audit reports to include reviewing audits conducted under the Chief Financial Officers Act in order to identify any findings related to information security; and (2) use this information, in conjunction with reports on agency self-assessments, to assist in proactively monitoring the scope of such reviews and the effectiveness of agency information security practices.
Status: Closed - Implemented
Comments: OMB has encouraged program examiners in its Resource Management Offices to make use of financial audit findings related to information security and other IRM issues. However, neither OMB nor the CIO Council, which OMB chairs, has taken steps to monitor: (1) the scope of information security audits performed; or (2) improvements or declines in security program effectiveness. These remaining aspects of this recommendation have been subsumed under a new recommendation issued in GAO/AIMD-98-92, September 23, 1998.

Recommendation 3
Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should encourage the development of improved sources of information with which to monitor compliance with OMB guidance and the effectiveness of agency information security programs. This could include engaging assistance from private contractors or others with appropriate expertise, such as federally funded research and development centers.
Status: Closed - Implemented
Comments: OMB continues to focus its monitoring efforts on individual agency projects rather than general compliance with A-130. This is likely to continue, since OMB now views the CIO Council's security committee, of which OMB is an active participant, as the focal point for addressing governmentwide deficiencies. Also, OMB has encouraged the NIST-sponsored Federal Security Managers Forum to develop a standard format for agency security plans, which could make it somewhat easier for OMB and others to evaluate these plans, if agencies comply with the guidance. Future GAO efforts to evaluate oversight of agency practices and compliance with Circular A-130 will focus on both OMB and CIO Council efforts.

Recommendation 4
Agency Affected: Office of Management and Budget
Recommendation: The Director, OMB, should direct the Office of Information and Regulatory Affairs to develop and implement a program for increasing program examiners' understanding of information security management issues so that they can readily identify and understand the implications of information security weaknesses on agency programs.
Status: Closed - Implemented
Comments: Since September 1996, OMB's annual training for program examiners has included some expanded emphasis on information technology issues, including information security. However, the emphasis is primarily on major investments in technology (new systems or enhancements) and the requirements of the Clinger-Cohen Act. OMB has not specifically encouraged its program examiners to examine agencies' overall security programs.

Topics

Access control, Computer security, Confidential communications, Disaster planning, Disaster recovery plans, Federal CIO Council, Government information, Homeland security, Information security, Information systems, Sabotage, Information access, Executive agency oversight