National Transportation Safety Board: Progress Made in Management Practices, Investigation Priorities, Training Center Use, and Information Security, But These Areas Continue to Need Improvement

GAO-08-652T Published: Apr 23, 2008. Publicly Released: Apr 23, 2008.

Highlights

The National Transportation Safety Board (NTSB) plays a vital role in advancing transportation safety by investigating accidents, determining their causes, issuing safety recommendations, and conducting safety studies. To support its mission, NTSB's training center provides training to NTSB investigators and others. It is important that NTSB use its resources efficiently to carry out its mission. In 2006, GAO made recommendations to NTSB in most of these areas. In 2007, an independent auditor made information security recommendations. This testimony addresses NTSB's progress in following leading practices in selected management areas, increasing the efficiency of aspects of investigating accidents and conducting safety studies, increasing the utilization of its training center, and improving information security. This testimony is based on GAO's assessment of agency plans and procedures developed to address these recommendations.

Recommendations

Recommendations for Executive Action

Agency Affected: National Transportation Safety Board
Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, and to ensure that Congress is kept informed of progress in improving the management of the agency, the Chairman of NTSB should report on the status of GAO recommendations concerning management practices in the agency's annual performance and accountability report or other congressionally approved reporting mechanism.
Status: Closed – Implemented
GAO found in 2008 that it was important that Congress have updated information on challenges that the agency faced in improving its management for its continuing oversight, but that there was no reporting requirement for its management challenges not related to information security. GAO recommended that NTSB report on the status of GAO recommendations concerning management practices in the agency's annual performance and accountability report or other congressionally approved reporting mechanism. In its 2009 Annual Report to Congress, issued in July 2010, NTSB reported on the status of GAO's recommendations concerning management practices. This ensures that Congress has updated information that it needs for oversight.

Agency Affected: National Transportation Safety Board
Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, the Chairman should direct NTSB's Chief Information Officer to encrypt information/data on all laptops and mobile devices unless the data are determined to be non-sensitive by the agency's deputy director or his/her designate.
Status: Closed – Implemented
In 2008, GAO found that NTSB information and information systems were at increased risk of unauthorized access and unauthorized disclosure. GAO recommended that NTSB encrypt information/data on all laptops unless the data were determined to be non-sensitive. GAO performed limited testing to verify that NTSB has implemented its recommendation to install encryption software. Agency officials confirmed, however, that while encryption software is operational on 410 of the agency's approximately 420 laptop computers, the remaining laptops do not have encryption software installed because they do not include sensitive information and are not removed from the headquarters building. With this action, NTSB has reduced the risk of unauthorized access or use of sensitive agency data/information.

Agency Affected: National Transportation Safety Board
Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, the Chairman should remove users' local administrative privileges from all workstations except administrators' workstations, where applicable, and document any exceptions granted by the Chief Information Officer.
Status: Closed – Implemented
In fiscal year 2008 we testified that the National Transportation Safety Board (NTSB) had inappropriately granted excessive access privileges to users. Users with local administrator privileges on their workstations had complete control over all local resources, including accounts and files, and had the ability to load software with known vulnerabilities, either unintentionally or intentionally, and to modify or reconfigure their computers in a manner that could negate network security policies as well as provide an attack vector into the internal network. As a result, increased risk existed that these users could compromise NTSB computers and internal network. We recommended that NTSB remove users' local administrative privileges from all workstations except administrators' workstations, where applicable, and document any exceptions granted by the Chief Information Officer. In fiscal year 2011, we verified that NTSB, in response to our recommendation, has implemented a policy to ensure that administrator privileges are not available except on administrators' workstations, and has removed these privileges from workstations whose users do not require such access. In addition, we verified that NTSB is tracking exceptions to this policy. These steps increase assurance that NTSB computers and internal network will be protected from compromise.

Topics

Access control, Accident prevention, Agency missions, Data encryption, Data integrity, Employee training, Employees, Evaluation criteria, Human capital, Human capital management, Information management, Information security, Information technology, Internal controls, Investigations by federal agencies, Program evaluation, Program management, Reporting requirements, Risk assessment, Risk management, Strategic planning, Systems evaluation, Training utilization, Transportation, Transportation safety, Program goals or objectives