Cyber security (1 - 10 of 33 items)
Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting...
Information Security: IRS Needs to Further Improve Controls over Taxpayer Data and Continue to Combat Identity Theft Refund Fraud
GAO-16-589T: Published: Apr 12, 2016. Publicly Released: Apr 12, 2016.
In March 2016, GAO reported that the Internal Revenue Service (IRS) had instituted numerous controls over key financial and tax processing systems; however, it had not always effectively implemented other controls intended to properly restrict access to systems and information, among other security measures. In particular, while IRS had improved some of its access controls, weaknesses remained in...
Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System
GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.
The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data...
Information Security: Department of Education and Other Federal Agencies Need to Better Implement Controls
GAO-16-228T: Published: Nov 17, 2015. Publicly Released: Nov 17, 2015.
Cyber-based risks to federal systems and information can come from unintentional threats, such as natural disasters, software coding errors, and poorly trained or careless employees, or intentional threats, such as disgruntled insiders, hackers, or hostile nations. These threat sources may exploit vulnerabilities in agencies' systems and networks to steal or disclose sensitive information, among o...
Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention
GAO-16-174T: Published: Oct 21, 2015. Publicly Released: Oct 21, 2015.
GAO reported in 2011 that several entities—the North American Electric Reliability Corporation (NERC), the National Institute of Standards and Technology (NIST), the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE)—had taken steps to help secure the electric grid. These included developing cybersecurity standards and oth...
Maritime Critical Infrastructure Protection: DHS Needs to Enhance Efforts to Address Port Cybersecurity
GAO-16-116T: Published: Oct 8, 2015. Publicly Released: Oct 8, 2015.
Similar to other critical infrastructures, the nation's ports face an evolving array of cyber-based threats. These can come from insiders, criminals, terrorists, or other hostile sources and may employ a variety of techniques or exploits, such as denial-of-service attacks and malicious software. By exploiting vulnerabilities in information and communications technologies supporting port operations...
Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses
GAO-15-777: Published: Sep 24, 2015. Publicly Released: Sep 24, 2015.
The Department of Defense (DOD) Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. While DOD OSBP is not required to educate small bu...
Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information
GAO-15-509: Published: Jul 2, 2015. Publicly Released: Jul 2, 2015.
Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions. For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review,...
Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
The Department of Homeland Security (DHS) has taken preliminary steps to begin to understand the cyber risk to building and access controls systems in federal facilities. For example, in 2013, components of DHS's National Protection and Programs Directorate (NPPD) conducted a joint assessment of the physical security and cybersecurity of a federal facility. However, significant work remains.Lack o...
Information Security: Agencies Need to Improve Oversight of Contractor Controls
GAO-14-612: Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.
Although the six federal agencies that GAO reviewed (the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM)) generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls, five of the...