Inspector General's Audit Finds GSA Security Lapses

Friday, January 07, 2011

Bill Gerneglia


The federal Office of the Inspector General found four significant failings in the General Services Administration’s IT security systems and procedures in a December review of 2010 security audits of the agency.

The review also pointed to successes the GSA’s CIO has achieved in the past year, including updating the agency’s security policy, publishing security guides and expanding security to cover cloud computing.

The four areas where GSA has been lax included configuration management practices, audit logging and monitoring controls, multi-factor authentication for remotely accessed systems and encryption of data on agency laptops.

In the area of configuration management, the IG’s office said GSA had failed to patch and properly configure database and operating system software. The IG also criticized the agency for what it called lax password management for database administrators.

The review reported that audit records, which would note when data was modified or deleted, were not being generated for one system that contains information covered by the federal Privacy Act. For another system containing sensitive information, GSA security officials were criticized for not reviewing audit records for evidence of suspicious activity.

None of the five GSA systems the audits looked at were using multifactor authentication, which would require users to access the systems with a combination of username and password, smart card or other physical tool, and biometrics. Instead, according to the review, all the systems permitted users to access them using only usernames and passwords. Three of the systems, the review notes, contained sensitive data. NIST standards require multifactor authentication for remote access to these systems, according to the IG report.

After a laptop containing personally identifiable information on 26.5 million veterans was stolen in 2006, the White House Office of Management and Budget began requiring agencies to encrypt sensitive data on mobile devices. A 2008 IG report noted that the GSA hadn’t done that. And, according to the latest report, GSA still wasn’t encrypting data on laptops, citing a problem with integrating the chosen encryption solution into its network.

The GSA didn’t dispute the findings of the security review. In a letter included as part of the review, GSA CIO Casey Coleman wrote: “My staff has reviewed the draft audit report and we concur with your audit findings and recommendations.”

The latest review stems from an April 21, 2010 request from the Office of Management and Budget calling for annual FISMA reports. The request required IGs to assess information security in several areas including certification, accreditation, configuration management, training, incident response, remote access and identity management.

Cross-posted from CIOZone
