From: InfoSec News (alertsinfosecnews.org)
Date: Wed Oct 03 2007 - 01:03:31 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.fcw.com/online/news/150338-1.html

By Mary Mosquera
October 2, 2007

Some of the agencies most critically involved with the countrys security
still have not fully implemented key provisions of the Federal
Information Security Management Act five years after the act was passed.
The Defense, Homeland Security, Justice and State departments especially
face challenges in establishing information security control activities
that FISMA and the Office of Management and Budget require, the
Government Accountability Office said.

The challenges for these agencies arose from various weaknesses, such as
inadequate tools and gaps and inconsistencies in guidance, GAO said.

For example, DOD has difficulty developing a complete inventory of major
systems because it has different definitions of what constitutes a
system. DHS cannot be sure all users have received the appropriate
security training because its application counts the number of security
courses completed but does not indicate whether someone has taken a
specialized course, GAO said in the Oct. 1 report.

These agencies also had problems correcting deficiencies and weaknesses,
ensuring that employees receive information security training, and
testing security controls. Of the four agencies, only Justice had
accomplished full certification and accreditation of systems, and only
State had implemented a common security configuration.

Until the departments address their challenges and fully implement
effective departmentwide information security programs, increased risk
exists that they will not be able to effectively protect the
confidentiality, integrity and availability of their information and
information systems, said Gregory Wilshusen, GAOs director of
information security issues, in his report.

DHS, Justice and State generally agreed with GAOs recommendations. DOD,
however, disagreed with three of six recommendations.

In general, this office does not believe the draft report accurately
reflects the current security posture of the Department of Defense nor
does it consider initiatives undertaken and progress the department has
made in implementing the provisions of the Federal Information Security
Management Act of 2002 over the last five years, said Robert Lentz,
deputy assistant secretary of Defense for information and identity
assurance.

Examples of GAOs recommendations include:

    * For DOD, to develop and apply a plan with milestones to finalize
      and implement a departmentwide definition of a major information
      system.
    * For DHS, to coordinate with its workforce office to finalize
      deployment of the centralized online learning management system
      for tracking the IT security training of employees.
    * For Justice, to reconcile duplications in its remediation plan
      tracking tool.
    * For State, to strengthen its security control testing policies and
      ensure that its component agencies complete the required annual
      security control and contingency plan testing on all systems.

__________________________________________________________________
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]