Following an analysis of reports from agencies and inspectors general, as well as its own reviews, GAO has said most major federal agencies have weaknesses in one or more areas of information security controls, and that sensitive data remains at risk.
The underlying cause for these weaknesses is that agencies have not fully or effectively implemented agency-wide information security programs, according to GAO-07-935T.
It said most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information.
For example, agencies did not consistently identify and authenticate users to prevent unauthorized access, apply encryption to protect sensitive data on networks and portable devices, and restrict physical access to information assets, the report said.
Agencies also did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, for example, patching key servers and workstations in a timely manner; assigning incompatible duties to different individuals or groups so that one individual does not control all aspects of a process or transaction; and maintaining or testing continuity of operations plans for key information systems, according to the report.
Still, agencies have continued to report steady progress in implementing certain information security requirements, the report said.