
Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk

GAO-01-751 Published: Aug 13, 2001. Publicly Released: Aug 23, 2001.

Highlights

The Department of Commerce generates and disseminates important economic information that is of great interest to U.S. businesses, policymakers, and researchers. The dramatic rise in the number and sophistication of cyberattacks on federal information systems is of growing concern. This report provides a general summary of the computer security weaknesses in the unclassified information systems of seven Commerce organizations as well as in the management of the department's information security program. The significant and pervasive weaknesses in the seven Commerce bureaus place the data and operations of these bureaus at serious risk. Sensitive economic, personnel, financial, and business confidential information is exposed, allowing potential intruders to read, copy, modify, or delete these data. Moreover, critical operations could effectively cease in the event of accidental or malicious service disruptions. Poor detection and response capabilities exacerbate the bureaus' vulnerability to intrusions. As demonstrated during GAO's testing, the bureaus' general inability to notice GAO's activities increases the likelihood that intrusions will not be detected in time to prevent or minimize damage. These weaknesses are attributable to the lack of an effective information security program, one that would provide centralized management, a risk-based approach, up-to-date security policies, security awareness and training, and continuous monitoring of both the bureaus' compliance with established policies and the effectiveness of implemented controls. These weaknesses are exacerbated by Commerce's highly interconnected computing environment: a compromise in a single poorly secured system can undermine the security of the multiple systems that connect to it.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the Chief Information Officer (CIO) and the bureaus to develop and implement an action plan for strengthening access controls for the department's sensitive systems commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or modification of information resulting from unauthorized access. Targeted timeframes for addressing individual systems should be determined by their order of criticality. This will require ongoing cooperative efforts between the Office of the CIO and the Commerce bureaus' CIOs and their staff. Specifically, this action plan should address the logical access control weaknesses that are summarized in this report and will be detailed, along with corresponding recommendations, in a separate report designated for "Limited Official Use." These weaknesses include password management control, operating systems controls, and network controls.
Status: Closed – Implemented
Action completed 10/15/2001. In compliance with requirements of the Government Information Security Reform Act (GISRA), the Department prepared an agency Plan of Action and Milestones (POA&M). The agency POA&M included time frames and interim milestone tasks for correcting system weaknesses at individual operating units as detailed in GAO-02-164 (LOUO). In April 2002, the Department CIO issued a memo to all operating units directing completion of corrective actions for the POA&M weaknesses, which include the GAO recommendations, no later than 30 September 2002. The Department is on track to meet this target.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO and the Commerce bureaus to establish policies to identify and segregate incompatible duties and to implement controls, such as reviewing access activity, to mitigate the risks associated with the same staff performing these incompatible duties.
Status: Closed – Implemented
IT Security Program Policy and Minimum Implementation Standards were issued January 25, 2003. The policy addresses segregation of incompatible duties by stating that compensating management controls must be implemented to ensure changes to the security posture are properly authorized.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO and the Commerce bureaus to establish policies for authorizing, testing, reviewing, and documenting software changes prior to implementation.
Status: Closed – Implemented
IT Security Program Policy and Minimum Implementation Standards were issued January 25, 2003. The policy addresses configuration management by requiring that system owners establish configuration management procedures for all general support systems and major applications. In addition, the policy states that the system security plan must describe how changes to the system or application will be authorized, controlled, tested, and implemented. It further provides policy related to operating system software and application software change controls.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to require the Commerce bureaus to develop and test, at least annually, comprehensive recovery plans for all sensitive systems.
Status: Closed – Implemented
Action completed 12/04/2001. The Department developed, issued to all operating units, and posted to the Department's intranet its policy for business continuity planning, which applies to all Commerce operating units. This policy includes a Business Continuity Planning Guidelines Matrix that details procedures such as developing and testing plans.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to establish a departmentwide incident handling function with formal procedures for preparing for, detecting, responding to, and reporting incidents.
Status: Closed – Implemented
Action completed 04/30/2002. The Department awarded a contract on 26 September 2001 for computer incident response support services and thereby established a Department Computer Incident Response Team (CIRT) function. To supplement its formal incident handling policy and procedures issued in July 1999, the Department also developed an operational definition of incidents to report, which was reviewed and approved by FedCIRC in April 2002 and incorporated into the IT Security Program Policy.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO and the Commerce bureaus to develop intrusion detection and incident response capabilities that include (1) installing updates to system software with known vulnerabilities, (2) installing warning banners on all network access paths, (3) installing intrusion detection systems on networks and sensitive systems, and (4) implementing policies for monitoring log files and audit trails on a regular schedule commensurate with the risks of potentially unauthorized access to computer resources.
Status: Closed – Implemented
Action completed January 2003. In FY 2002, Commerce procured a Department-wide intrusion detection system to alert users of vulnerabilities and threats to their systems. In addition, on January 25, 2003, the CIO issued a comprehensive IT Security Program Policy, which specifically provides requirements for patch management and system updates, warning banners, installation of intrusion detection systems, and audit trails and log files. Each of these control areas continues to be included in the Department's June 2005 update of the IT Security Program Policy.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to develop and implement an effective departmentwide security program. Such a program should include establishing a central information security function to assess risks and evaluate needs, which include (1) developing security plans for all sensitive systems that comply with federal guidelines and (2) formally authorizing all systems before they become operational, upon significant change, and at least every three years thereafter.
Status: Closed – Implemented
Action completed December 2003. In April 2002, the Commerce CIO increased the staffing of the IT Security Program team, hiring a Chief Information Security Officer/IT Security Program Manager and a Critical Infrastructure Program Manager. Working to establish a sound framework for the IT security program, the IT Security Program Manager developed a comprehensive IT Security Program Policy and Minimum Implementation Standards, issued by the CIO in January 2003. Commerce's Office of the CIO was subsequently reorganized in December 2003, when the CIO was designated a direct report to the Secretary of Commerce. The new centralized security program and policy required development of security plans for all systems. Certification and accreditation of all operational systems were also required at that time. As of the third quarter of fiscal year 2005, Commerce reports that 98% of its operational systems are fully certified and accredited.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce, the Office of the CIO, and the bureau CIOs should direct the appropriate resources and authority to fulfill the security responsibilities that Commerce policy and directives task them with performing and to implement these recommendations.
Status: Closed – Implemented
Action completed 06/02/2002. On 27 July 2001, Commerce Secretary Donald Evans issued a memorandum for all Secretarial Offices to give high priority to IT security and to allocate sufficient resources at the operating unit level to ensure IT security. Also, restructuring of the Department's IT Security Program was implemented to give the Department CIO the authority to address IT security departmentwide, which resulted in increasing the IT security staff from 4 to 10 effective 2 June 2002.
Agency Affected: Office of the Chief Information Officer (DOD CIO)
Recommendation: The Secretary of Commerce, the Office of the CIO, and the bureau CIOs should direct the appropriate resources and authority to fulfill the security responsibilities that Commerce policy and directives task them with performing and to implement these recommendations.
Status: Closed – Implemented
Action completed 06/02/2002. On 27 July 2001, Commerce Secretary Donald Evans issued a memorandum for all Secretarial Offices to give high priority to IT security and to allocate sufficient resources at the operating unit level to ensure IT security. Also, restructuring of the Department's IT Security Program was implemented to give the Department CIO the authority to address IT security departmentwide, which resulted in increasing the IT security staff from 4 to 10 effective 2 June 2002.
Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should take advantage of the opportunity that the installation of the new network infrastructure will provide to improve security. Specifically, by establishing strong departmental control over the network, Commerce could require all bureaus using this common network to meet a minimum level of security standards. This would help ensure that weaknesses in one bureau's security will not undermine the security of all interconnecting bureaus, as is now the case.
Status: Closed – Implemented
Action completed September 2003. Commerce implemented the new network within the Herbert C. Hoover Building (HCHB); this new network was certified and accredited as operational in September 2003. The Department issued its HCHB Network Infrastructure Migration Guide in October 2002 to provide information on matters including security requirements to bureaus migrating to the new network. Prior to any bureau's migration to the HCHB network, the HCHB Network Manager required migrating networks to be fully certified and accredited. In FY 2004, the Office of the Secretary, Bureau of Industry and Security, Economic Development Administration, Economics and Statistics Administration, Minority Business Development Agency, and National Telecommunications and Information Administration moved to the new network. In FY 2005, other offices and bureaus, including the Office of the Inspector General, International Trade Administration, and various offices of the National Oceanic and Atmospheric Administration, have moved or are moving to the new network.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to develop and implement an effective departmentwide security program. Such a program should include establishing a central information security function to update the information security program policies to (1) comply with current federal regulations regarding risk assessments, specific security controls that must be included in security plans, the management authorization process, audits and reviews, security incidents, awareness and training, and contingency planning, (2) address vulnerabilities associated with Commerce's widespread use of Internet technologies, and (3) provide minimum baseline standards for access controls to all networked systems to reduce risk in Commerce's highly interconnected environment.
Status: Closed – Implemented
Action completed January 2003. Upon appointment in April 2002, the IT Security Program Manager began development of a comprehensive IT Security Program Policy. This policy was finalized and issued by the Commerce CIO in January 2003 and addresses all topic areas included in the recommendation: (1) risk assessments, (2) security controls required in security plans, (3) management authorization process, (4) audits and reviews, (5) security incidents, (6) awareness and training, (7) contingency planning, (8) vulnerabilities stemming from Internet usage, and (9) minimum baseline standards for access controls to all networked systems. This policy was enhanced in June 2005 to align with the NIST Special Publication 800-53 control framework.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to develop and implement an effective departmentwide security program. Such a program should include establishing a central information security function to develop and implement a computer security awareness and training program.
Status: Closed – Implemented
Action completed January 2003. The IT Security Program Manager established the framework for the Department's IT security training program, which requires that the IT Security Officers at each operating unit establish training and awareness programs. The framework of the IT security training and awareness program is specified in Commerce's IT Security Program Policy and Minimum Implementation Standards, issued in January 2003 and updated in June 2005. Commerce procured an enterprise-wide license to use IT security training formerly provided by OPM. Commerce operating units supplement this training with other courses and conferences, and sponsor computer security awareness days and other awareness activities.

Agency Affected: Department of Commerce
Recommendation: The Secretary of Commerce should direct the Office of the CIO to develop and implement an effective departmentwide security program. Such a program should include establishing a central information security function to develop and implement a management oversight process that includes periodic compliance reviews and tests of the effectiveness of implemented controls. This process should include audits and reviews and establish clear roles, responsibilities, and procedures for tracking identified vulnerabilities and ensuring their remediation.
Status: Closed – Implemented
Action completed January 2003. Commerce established a Compliance Review Program with the issuance of its IT Security Program Policy in January 2003. The Department develops compliance review program plans each fiscal year to define review objectives and methodologies. The review methodologies follow generally accepted assessment guidelines such as those noted in NIST Special Publications, GAO audit guides, and DOD Security Readiness Review guides. The Department provides completed compliance review reports to the Office of the Inspector General upon request, and these reports are considered in the Department's annual assessment of operating unit IT Security Programs under the Federal Information Security Management Act (FISMA).

Topics

Computer security; Computer security policies; Confidential information; Federal computer incident response capability; Information resources management; Information security; Information systems; Internet; Security policies; Chief information officers