US Government Agencies Have Problems with IT-security

The GAO (General Accountability Office) criticized the SEC (Securities and Exchange Commission) last month. An audit performed by the GAO disclosed that the SEC has serious internal IT-security problems in dealing with critical financial information and accountancy practices. The revelation carries extra weight because the SEC is itself responsible for auditing the procedures and practices that should prevent fraud and ensure financial accuracy in other companies.

This time the GAO has found critical weaknesses in the IT-infrastructure of US government agencies. According to the GAO's report, “overall” agencies are improving their systems security, but “pervasive weaknesses” still plague agencies and threaten the “integrity, confidentiality and availability” of federal information systems. Moreover, the GAO revealed that the weaknesses placed financial data at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure and critical operations at risk of disruption. All those weaknesses exist because agencies have not yet fully implemented the security measures mandated by the 2002 Federal Information Security Management Act (FISMA).

The GAO audited 24 federal agencies and found five major areas of weakness: access controls, software change controls, segregation of duties, continuity of operations planning and agency-wide security programs. The Departments of Defense, Homeland Security, Commerce, Transportation, Justice and Interior, the GAO states, have weaknesses in all five areas. FISMA requires each agency to have policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency.

In fiscal year 2004, for the first time, agencies reported on the degree to which they had implemented security configurations for specific operating systems and software applications and agency-wide policies containing detailed, specific system configurations. However, 20 agencies did not necessarily have minimally acceptable system configuration requirements for operating systems and software applications that they were running, reported the GAO.

The difficulty agencies have in achieving compliance with FISMA may lie in the standard itself. Agencies and companies need commentary and guidance that will help them comply with FISMA and other standards. This is no secret, so the GAO recommended that the Office of Management and Budget (OMB) implement improvements in its reporting guidance.

“Some standards are a really hard nut to crack even for government agencies. What can we say about business in this case? I think that responsible organizations should define standards' requirements more accurately by developing special comments and guidance,” said Denis Zenkin, the Marketing Director of InfoWatch.

Source: internetnews.com
