Risk management (1 - 10 of 56 items)
Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting...
Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress
GAO-16-79: Published: Nov 19, 2015. Publicly Released: Nov 19, 2015.
Sector-specific agencies (SSA) determined the significance of cyber risk to networks and industrial control systems for all 15 of the sectors in the scope of GAO's review. Specifically, they determined that cyber risk was significant for 11 of 15 sectors. Although the SSAs for the remaining four sectors had not determined cyber risks to be significant during their 2010 sector-specific planning pro...
Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs
GAO-15-714: Published: Sep 29, 2015. Publicly Released: Sep 29, 2015.
Persistent weaknesses at 24 federal agencies illustrate the challenges they face in effectively applying information security policies and practices. Most agencies continue to have weaknesses in (1) limiting, preventing, and detecting inappropriate access to computer resources; (2) managing the configuration of software and hardware; (3) segregating duties to ensure that a single individual does n...
Defense Cybersecurity: Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses
GAO-15-777: Published: Sep 24, 2015. Publicly Released: Sep 24, 2015.
The Department of Defense (DOD) Office of Small Business Programs (OSBP) has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts; however, as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses. While DOD OSBP is not required to educate small bu...
Information Security: FDIC Implemented Many Controls over Financial Systems, but Opportunities for Improvement Remain
GAO-15-426: Published: Apr 9, 2015. Publicly Released: Apr 9, 2015.
The Federal Deposit Insurance Corporation (FDIC) has implemented numerous information security controls intended to protect its key financial systems; nevertheless, weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk. During 2014, the corporation implemented 27 of the 36 GAO recommendations pertaining to previously reported sec...
Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems
GAO-15-221: Published: Jan 29, 2015. Publicly Released: Mar 2, 2015.
While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized a...
Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
The Department of Homeland Security (DHS) has taken preliminary steps to begin to understand the cyber risk to building and access controls systems in federal facilities. For example, in 2013, components of DHS's National Protection and Programs Directorate (NPPD) conducted a joint assessment of the physical security and cybersecurity of a federal facility. However, significant work remains.Lack o...
Information Security: SEC Needs to Improve Controls over Financial Systems and Data
GAO-14-419: Published: Apr 17, 2014. Publicly Released: Apr 17, 2014.
Although the Securities and Exchange Commission (SEC) had implemented and made progress in strengthening information security controls, weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system. For this system's network, servers, applications, and databases, weaknesses in several controls were found, as the following examples i...
Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness
GAO-13-776: Published: Sep 26, 2013. Publicly Released: Sep 26, 2013.
In fiscal year 2012, 24 major federal agencies had established many of the components of an information security program required by The Federal Information Security Management Act of 2002 (FISMA); however, they had partially established others. FISMA requires each federal agency to establish an information security program that incorporates eight key components, and each agency inspector general...
Information Security: Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
GAO-13-155: Published: Jan 25, 2013. Publicly Released: Feb 1, 2013.
The Federal Communications Commission (FCC) did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project. Although FCC took steps to enhance its ability to control and monitor its network for security threats, weaknesses identified in the commission's deployment of components of the ESN project as of August 2012 res...