
Information Security: State Has Taken Steps to Implement a Continuous Monitoring Application, but Key Challenges Remain

GAO-11-149 Published: Jul 08, 2011. Publicly Released: Aug 08, 2011.

Highlights

The Department of State (State) has implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring capabilities of information security risk to elements of its information technology (IT) infrastructure. Continuous monitoring can facilitate nearer real-time risk management and represents a significant change in the way information security activities have been conducted in the past. GAO was asked to determine (1) the extent to which State has identified and prioritized risk to the department in its risk scoring program; (2) how agency officials use iPost information to implement security improvements; (3) the controls for ensuring the timeliness, accuracy, and completeness of iPost information; and (4) the benefits and challenges associated with implementing iPost. To do this, GAO analyzed program documentation and compared it to relevant standards, interviewed and surveyed department officials, and performed analyses on iPost data.

State has developed and implemented a risk scoring program that identifies and prioritizes several but not all areas affecting information security risk. Specifically, the scope of iPost's risk scoring program (1) addresses Windows hosts but not other IT assets on its major unclassified network; (2) covers a set of 10 scoring components that includes many, but not all, information system controls that are intended to reduce risk; and (3) assigns a score for each identified security weakness, although State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment. As a result, the iPost risk scoring program helps to identify, monitor, and prioritize the mitigation of vulnerabilities and weaknesses for the areas it covers, but it does not provide a complete view of the information security risks to the department.

State officials reported they used iPost to (1) identify, prioritize, and fix Windows vulnerabilities that were reported in iPost and (2) implement other security improvements at their sites. For example, more than half of the 40 survey respondents said that assigning a numeric score to each vulnerability identified and each component was very or moderately helpful in their efforts to prioritize vulnerability mitigation.

State has implemented several controls aimed at ensuring the timeliness, accuracy, and completeness of iPost information. For example, State used automated tools and collection schedules that support the frequent collection of monitoring data, which helps to ensure the timeliness of iPost data. State also relies on users to report inaccurate or incomplete iPost data and scoring when they identify it, so that it can be investigated and corrected as appropriate. Notwithstanding these controls, the timeliness, accuracy, and completeness of iPost data were not always assured. For example, in several instances iPost data were not updated as frequently as scheduled, were inconsistent, or were incomplete. As a result, State may not have reasonable assurance that the data in iPost are accurate and complete enough to support risk management decisions.

iPost provides many benefits but also poses challenges for the department. iPost has resulted in improvements to the department's information security by providing more extensive and timely information on vulnerabilities, while also creating an environment where officials are motivated to fix vulnerabilities based on department priorities. However, State has faced, and will continue to face, challenges with the implementation of iPost. These include (1) overcoming limitations and technical issues with data collection tools, (2) identifying and notifying individuals with responsibility for site-level security, (3) implementing configuration management for iPost, (4) adopting a strategy for continuous monitoring of controls, and (5) managing stakeholder expectations for continuous monitoring activities. GAO recommends the Secretary of State direct the Chief Information Officer to take a number of actions aimed at improving implementation of iPost. State agreed with two of GAO's recommendations, partially agreed with two, and disagreed with three. GAO continues to believe that its recommendations are valid and appropriate.
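The highlights above describe the controls State relies on for the timeliness, accuracy, and completeness of monitoring data, and the cases GAO found where scans ran less often than scheduled or the data were inconsistent or incomplete. The following is an added example, not iPost code and not from GAO or State, of how a monitoring program can run those three checks automatically over its own scan records instead of waiting for users to report problems. The collection schedule, the component names (vulnerability, patch, antivirus), the tool names, the host names, and the records themselves are constructed for illustration.

```python
"""Data-quality checks over continuous-monitoring scan records.

Added example; not State's iPost code. Every value below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed collection schedule: how often each scoring component's data
# is expected to be refreshed. Component names are hypothetical.
SCHEDULE = {
    "vulnerability": timedelta(days=7),
    "patch": timedelta(days=1),
    "antivirus": timedelta(days=1),
}


@dataclass(frozen=True)
class ScanRecord:
    host: str
    component: str
    source: str            # collection tool that produced the record
    collected_at: datetime
    findings: int          # weaknesses reported for this component


def stale_records(records, now, schedule=SCHEDULE):
    """Timeliness check: {(host, component): days_overdue} for each
    host/component whose newest record is older than its scheduled interval."""
    latest = {}
    for r in records:
        key = (r.host, r.component)
        if key not in latest or r.collected_at > latest[key].collected_at:
            latest[key] = r
    overdue = {}
    for (host, comp), r in latest.items():
        age = now - r.collected_at
        if age > schedule[comp]:
            overdue[(host, comp)] = (age - schedule[comp]).days
    return overdue


def missing_components(records, hosts, schedule=SCHEDULE):
    """Completeness check: for each inventoried host, the scheduled
    components for which no record exists at all."""
    seen = defaultdict(set)
    for r in records:
        seen[r.host].add(r.component)
    return {h: sorted(set(schedule) - seen[h])
            for h in hosts if set(schedule) - seen[h]}


def conflicting_sources(records):
    """Accuracy check: host/component pairs where two tools collected on the
    same day but reported different finding counts."""
    by_day = defaultdict(dict)
    for r in records:
        by_day[(r.host, r.component, r.collected_at.date())][r.source] = r.findings
    return sorted(k for k, v in by_day.items() if len(set(v.values())) > 1)


# Constructed sample data: three Windows hosts, one reference time.
NOW = datetime(2011, 7, 8, 12, 0)
HOSTS = ["ws-001", "ws-002", "ws-003"]
RECORDS = [
    ScanRecord("ws-001", "vulnerability", "scanner-a", NOW - timedelta(days=2), 3),
    ScanRecord("ws-001", "patch", "sccm", NOW - timedelta(hours=6), 1),
    ScanRecord("ws-001", "antivirus", "av-console", NOW - timedelta(hours=3), 0),
    ScanRecord("ws-002", "vulnerability", "scanner-a", NOW - timedelta(days=10), 5),  # stale
    ScanRecord("ws-002", "patch", "sccm", NOW - timedelta(hours=5), 2),
    ScanRecord("ws-002", "patch", "scanner-b", NOW - timedelta(hours=4), 4),  # disagrees
    # ws-002 has no antivirus record at all (incomplete)
    ScanRecord("ws-003", "vulnerability", "scanner-a", NOW - timedelta(days=1), 0),
    ScanRecord("ws-003", "antivirus", "av-console", NOW - timedelta(days=3), 0),  # stale
    # ws-003 has no patch record at all (incomplete)
]


def data_quality_report(records=RECORDS, hosts=HOSTS, now=NOW):
    """Bundle the three checks into one summary a reviewer can reconcile."""
    return {
        "stale": stale_records(records, now),
        "missing": missing_components(records, hosts),
        "conflicting": conflicting_sources(records),
    }


if __name__ == "__main__":
    for check, result in data_quality_report().items():
        print(f"{check}: {result}")
```

Each check answers one of the three questions GAO raised: whether every host's data is as fresh as the schedule promises, whether every host has data for every component, and whether independent collectors agree when they report on the same day. Running it on each collection cycle and reconciling the output is the kind of documented validation procedure the recommendations below call for.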

Recommendations

Recommendations for Executive Action

Agency affected (all recommendations): Department of State

Recommendation 1: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to incorporate the results of iPost's monitoring of controls into key security documents such as the OpenNet security plan, security assessment report, and plan of action and milestones.
Status: Closed – Not Implemented
State Department did not provide adequate documentation to demonstrate implementation of this recommendation.

Recommendation 2: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to document existing controls intended to ensure the timeliness, accuracy, and completeness of iPost data.
Status: Closed – Not Implemented
State Department asserted that the agency: (a) maintained full scan schedules in an Excel spreadsheet for all domains; (b) verified daily that scans are being completed without errors and on schedule; (c) generated reports upon completion of a scan; (d) tracked the scan rate to meet the enterprise's goal. However, State did not provide adequate evidentiary support so that we could verify these assertions.

Recommendation 3: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and implement procedures for validating data and reviewing and reconciling output in iPost to ensure data consistency, accuracy, and completeness.
Status: Closed – Not Implemented
State Department asserted the following: (a) a risk score is applied based on the severity of the vulnerability in order to garner the attention of the ISSO and/or system owner; (b) the Post Administration Tool (PAT) is readily available for system owners to use in order to remediate vulnerabilities; (c) System Center Configuration Manager (SCCM) is utilized to assist in maintaining up-to-date versions and pushing of patches; (d) there are dedicated teams to assist system owners with issues surrounding remediation (i.e., patch management, SMS, DSE, etc.). However, State did not provide adequate support so that we could verify these assertions.

Recommendation 4: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to clearly identify in iPost individuals with site-level responsibility for monitoring the security state and ensuring the resolution of security weaknesses of Windows hosts.
Status: Closed – Not Implemented
State did not provide adequate support so that we could verify that a documented and implemented process exists to ensure that ISSOs and/or system managers are responsible for monitoring the security state.

Recommendation 5: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to implement procedures to consistently notify senior managers at sites with low security grades of the need for corrective actions, in accordance with department criteria.
Status: Closed – Implemented
In fiscal year 2015, we verified that State, in response to our recommendation, developed a Risk Reduction Summary report that identifies sites with low security grades needing assistance for corrective actions.

Recommendation 6: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and maintain an iPost configuration management and test process.
Status: Closed – Not Implemented
State did not provide an iPost configuration management standard operating procedure for operational units, domestic sites/bureaus, and overseas posts as requested.

Recommendation 7: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and implement a continuous monitoring strategy that addresses risk, to include changing threats, vulnerabilities, technologies, and missions/business processes.
Status: Closed – Implemented
In fiscal year 2015, we verified that State, in response to our recommendation, developed, documented, and implemented an information security continuous monitoring strategy that outlines improvements to the implementation of the six-step risk management framework, the acquisition and implementation of tools to scan and aggregate sensor and other data for analysis supporting situational awareness, and the implementation of a risk executive function to establish organizational tolerance and guide agency risk decisions.

Topics

Computer security, Data collection, Data integrity, Documentation, Information access, Information disclosure, Information security, Information security management, Information systems, Information technology, Internal controls, Management information systems, Monitoring, Prioritizing, Risk management, Standards, System vulnerabilities, Testing, Corrective action, Policies and procedures