This is the accessible text file for GAO report number GAO/OIG-10-3 entitled 'Information Security: Evaluation of GAO's Information Security Program and Practices for Fiscal Year 2009 (Highlights)' which was released on January 4, 2010.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer-term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version.

We welcome your feedback. Please e-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:
Office of the Inspector General:
OIG-10-3:
January 4, 2010:

Highlights:

Information Security: Evaluation of GAO's Information Security Program and Practices for Fiscal Year 2009:

Objectives:

Although not obligated by law to comply, GAO has adopted the requirements of the Federal Information Security Management Act of 2002 (FISMA) to strengthen its information security program and demonstrate its ongoing commitment to lead by example.

GAO's Office of Inspector General (OIG) conducted an evaluation to assess (1) the effectiveness of the agency's information security policies, procedures, and practices, and (2) agency compliance with the information security requirements of FISMA and other federal information security policies, procedures, standards, and guidelines. (A full report on our evaluation was prepared for GAO internal use only.)

Findings:

Overall, the OIG's evaluation showed that GAO has established an information security program consistent with the requirements of FISMA, Office of Management and Budget (OMB) implementing guidance, and guidance and standards issued by the National Institute of Standards and Technology (NIST). However, it also found that GAO's information security policies and procedures were not always applied and some could be improved to help ensure that they are consistent with the OMB and NIST guidance. In particular, the OIG found the following:

* During fiscal year 2009, GAO greatly increased its systems inventory from 12 to 35 systems but did not complete all required security processes and procedures (such as preparing system security plans) for many of the newly added systems.

* GAO's incident response and handling procedures investigate security events, such as a denial of service attack, but deciding whether to classify such events as incidents—and, thus, to consider reporting them to other external organizations—needs additional management involvement.

* GAO has continued to make progress in establishing its privacy program and protecting personally identifiable information, but implementing additional requirements, such as providing annual privacy awareness training, would help further strengthen this program.

Recommendations:

This report includes recommendations for GAO to (1) complete and document required information security processes and procedures for all systems in the systems inventory, (2) modify the agency's incident handling and response procedures to increase Chief Information Officer involvement in the incident classification process to help ensure that security events are appropriately classified and reported, and (3) continue efforts to implement additional requirements for the agency's privacy program.

In commenting on a draft of the report, GAO concurred with these recommendations and described actions it is undertaking to address them.