Federal Manager's Daily Report

Agencies need to develop and implement adequate policies for periodic information security testing, GAO has said.

After reviewing programs at 24 major federal agencies, GAO said policies often do not include important elements for performing effective testing.

For example, it said none of the agencies’ policies addressed how to determine the depth and breadth of testing according to risk, and that agencies did not always address other important elements, including the identification and testing of security controls common to multiple systems, the definition of roles and responsibilities of personnel performing tests, and the frequency of periodic testing.

Six case-study agencies did not effectively implement policies for periodically testing and evaluating information security controls for 30 systems reviewed, according to GAO-07-65.

It said the methods and practices for testing and evaluating controls at the six agencies were not adequate to ensure that assessments were consistent, of similar quality, and repeatable.

These agencies did not always sufficiently document their test methods and results, did not define the assessment methods to be used when evaluating security controls, did not test security controls as prescribed, and did not include previously reported remedial actions or weaknesses in their test plans to ensure they had been addressed, the report said.

It said agencies might not have reasonable assurance that controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency.

In response to the report, representatives of OMB’s offices of information and regulatory affairs and general counsel agreed to consider GAO recommendations to instruct federal agencies to develop and implement policies on periodic testing and evaluation, and to revise instructions for future FISMA reporting by asking inspectors general to report on the quality of agency periodic testing processes.