Agencies are not doing enough to defend against and analyze
emerging forms of online security threats, the Government
Accountability Office has said.
It said the combination of common online security threats
such as spam and spyware — programs that can go unnoticed
on a user's computer and transmit data — presents "risks
that cannot be easily mitigated with currently available
tools."
Most agencies do not apply the information security program
requirements of the Federal Information Security Management
Act of 2002 to "emerging threats," among them "phishing,"
the use of bogus e-mail messages or Web sites that pose as
a trusted entity to trick users into submitting personal
information such as Social Security and credit card
numbers, according to GAO-05-231.
It said security requirements include “performing risk
assessments, implementing effective mitigating controls,
providing security awareness training, and ensuring that
agency incident-response plans and procedures addressed
these threats.”
Some federal and private entities are addressing security
by educating consumers and targeting crime, but similar
efforts are not “being made to assist and educate federal
agencies,” said the report.
GAO called for effective coordination and government-wide
guidance to clarify to agencies which incidents they
should be monitoring and reporting, and to whom they should
report them — which, with regard to FISMA, falls within the
purview of the Office of Management and Budget and the
Department of Homeland Security.