Information Security: Improvements Needed in Treasury's Security Management Program
Highlights
The Department of the Treasury relies heavily on information systems--and on the public's trust in its work. Information security is therefore critical to Treasury operations. In support of its annual audit of the government's financial statements, GAO assessed the effectiveness of (1) Treasury's information security controls in protecting the confidentiality, integrity, and availability of the department's systems and data and (2) Treasury's implementation of its departmentwide information security program. In assessing the adequacy of Treasury's information security program, GAO focused on the effectiveness of its departmentwide policies and processes, rather than on bureau-specific directives and guidance.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of the Treasury | To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to assess the staffing and resource requirements for performing the department's oversight and compliance efforts to ensure that departmental information security policies are effectively and consistently implemented throughout the organization. | In March 2007, GAO verified that Treasury, in response to an OMB request and GAO's recommendation, has performed an information technology workforce analysis. This analysis assessed staff and resource requirements and described efforts to ensure that the department's information security policies are effectively implemented across the agency. |
| Department of the Treasury | To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to designate a senior agency information security officer. | GAO verified in March 2007 that Treasury, in response to GAO's recommendation and as required by the Federal Information Security Management Act of 2002, has designated a senior agency information security officer. |
| Department of the Treasury | To improve oversight and compliance with Treasury's information security program, the Secretary of the Treasury should direct the chief information officer to examine existing reporting processes and implement procedures to enhance the reliability and completeness of the bureau-provided information required for day-to-day management of information security. | In March 2007, GAO verified that Treasury has, in response to GAO's recommendation, implemented an automated tool to assist the agency's bureaus in their efforts to provide security data that is thorough and reliable. |