The report, “Information Security: Protecting Personally Identifiable Information,” was released by the US Government Accountability Office (GAO), the investigative arm of Congress.
Only two agencies, Treasury and Transportation, met all the recommendations for compliance, while two others, the Small Business Administration and the National Science Foundation, met none. The other 20 agencies comply with some, but not all, of the GAO report’s recommendations for better security and privacy.
Most agencies did not implement controls to sufficiently prevent, limit or detect access to computer networks, systems or information, according to the GAO.
For example, the GAO found only 11 agencies have established policies to log computer-readable data extracts and erase data after 90 days, while 14 implemented two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
The report stated “agencies did not always manage the configuration of network devices to prevent unauthorized access and ensure system integrity, patch key servers and workstations in a timely manner, assign duties to different individuals or groups so that one individual did not control all aspects of a process or transaction and maintain complete continuity of operations plans for key information systems.”
Senator Norm Coleman, one of the lawmakers who asked for the GAO report, said “the clock is ticking and we need to know when the agencies are going to have the protections in place to stop the numerous data breaches we have seen over the past few years.”
Senator Coleman and Senator Susan Collins, ranking member of the Homeland Security and Governmental Affairs Committee, sent letters to 24 Cabinet agencies on February 22 requesting a written timeline for when they will meet the requirements laid out by the Office of Management and Budget (OMB) in a June 2006 memo.
The OMB said all agencies are required to encrypt all data on mobile computers or devices that carry agency data; allow remote access only with two-factor authentication; enforce a time-out function for remote access and mobile devices that requires users to re-authenticate after 30 minutes of inactivity; and log all instances in which computer-readable data are extracted from databases holding sensitive information.
“The findings released in this report are very troubling – indicating that agency after agency has failed to make securing citizens’ personal information a high priority,” Collins said in a statement.
The report also found that persistent weaknesses appear in five major categories of information system controls: access controls; configuration management controls; segregation of duties; continuity of operations planning; and an agencywide information security program, which provides the framework for ensuring that risks are understood.
However, the report found that the percentage of certified and accredited systems government-wide reportedly increased from 88 percent to 92 percent, and gains were reported in testing of security controls (from 88 percent of systems to 95 percent) and in contingency plan testing (from 77 percent to 86 percent).