Information Security: FBI Needs to Address Weaknesses in Critical Network
Highlights
The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI's critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a comprehensive inventory of the current network operating environment. | In fiscal year 2011 we verified that FBI developed a comprehensive inventory of the current network operating environment. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network's risk assessment to reflect the current operating environment and ensure that the assessment includes elements required by the FBI Certification & Accreditation Handbook. | In fiscal year 2011 we verified that FBI implemented a network risk assessment that reflected the current operating environment and included elements required by the FBI Certification & Accreditation Handbook. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop technical standards that include guidance for addressing the access control weaknesses identified. | In fiscal year 2011 we verified that FBI developed technical standards that included guidance for addressing the access control weaknesses identified. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should update the network security plan to ensure that it reflects the current operating environment and includes sections required by the FBI Certification & Accreditation Handbook. | In fiscal year 2011 we verified that FBI completed a network security plan that reflected the current operating environment and included sections required by the FBI Certification & Accreditation Handbook. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should ensure that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training as defined by their role. | In fiscal year 2011 we verified that FBI ensured that network users received security awareness training and that users with significant security responsibilities received specialized training as defined by their role. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should provide comprehensive coverage of system testing and scans. | In fiscal year 2011 we verified that FBI provided comprehensive coverage of system testing and scans. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should correct identified weaknesses in a timely manner. | In fiscal year 2011 we verified that FBI corrected identified weaknesses in a timely manner. |
Federal Bureau of Investigation | To fully implement information security program activities for the critical internal network reviewed, the Director of the FBI should develop a continuity of operations plan that addresses the current network environment, and periodically test the plan. | In fiscal year 2011 we verified that FBI developed a continuity of operations plan that addressed the current network environment, and periodically tested the plan. |