Audit Finds GSA Security Lapses
The federal Office of the Inspector General found four significant failings in the General Services Administration’s IT security systems and procedures in a December review of 2010 security audits of the agency. The review also pointed to successes the GSA’s CIO has achieved in the past year, including updating the agency’s security policy, publishing security guides and expanding security to cover cloud computing.

The four areas where GSA has been lax included configuration management practices, audit logging and monitoring controls, multi-factor authentication for remotely accessed systems and encryption of data on agency laptops.

In the area of configuration management, the IG’s office said GSA had failed to patch and properly configure database and operating system software. The IG also criticized the agency for what it called lax password management for database administrators.

The review reported that audit records, which would note when data was modified or deleted, were not being generated for one system that contains information covered by the federal Privacy Act. For another system containing sensitive information, GSA security officials were criticized for not reviewing audit records for evidence of suspicious activity.

None of the five GSA systems the audits looked at were using multifactor authentication, which would require users to access the systems with a combination of username and password, smart card or other physical tool, and biometrics. Instead, according to the review, all the systems permitted users to access them using only usernames and passwords. Three of the systems, the review notes, contained sensitive data. NIST standards require multifactor authentication for remote access to these systems, according to the IG report.

After a laptop containing personally identifiable information on 26.5 million veterans was stolen in 2006, the White House Office of Management and Budget began requiring agencies to encrypt sensitive data on mobile devices. A 2008 IG report noted that the GSA hadn’t done that. And, according to the latest report, GSA still wasn’t encrypting data on laptops, citing a problem with integrating the chosen encryption solution into its network.

The GSA didn’t dispute the findings of the security review. In a letter included as part of the review, GSA CIO Casey Coleman wrote: “My staff has reviewed the draft audit report and we concur with your audit findings and recommendations.”

The latest review stems from an April 21, 2010 request from the Office of Management and Budget calling for annual FISMA reports. The request required IGs to assess information security in several areas including certification, accreditation, configuration management, training, incident response, remote access and identity management.

Comments (2)
1. 01-15-2011 22:01

No one likes to be the subject of an audit, and no organization's security plan is perfect; kudos to the GSA's CIO for seeming to take the results of this audit constructively and not defensively...that kind of attitude sets the stage for beneficial change.
2. 01-24-2011 16:55

It is interesting that the GSA CIO was so calm about being criticized for security. Casey Coleman, the CIO in question, is a prominent proponent of both cloud computing and improved security. I'd be interested to know her behind-the-scenes reaction to this report.

Mark Henricks

Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.