Information Security: Actions Needed by Census Bureau to Address Weaknesses

GAO-13-63 Published: Jan 22, 2013. Publicly Released: Feb 20, 2013.

Highlights

What GAO Found

Although the Census Bureau has taken steps to safeguard the information and systems that support its mission, it has not effectively implemented appropriate information security controls to protect those systems. Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems (access controls). For example, the bureau did not adequately: control connectivity to key network devices and servers; identify and authenticate users; limit user access rights and permissions to only those necessary to perform official duties; encrypt data in transmission and at rest; monitor its systems and network; or ensure appropriate physical security controls were in place. Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion.

In addition to access controls, implementing other important security controls including policies, procedures, and techniques to implement system configurations and plan for and manage unplanned events (contingency planning) helps to ensure the confidentiality, integrity, and availability of information and systems. While the Census Bureau had documented policies and procedures for managing and implementing configuration management controls, key communication systems were not securely configured and did not have proper encryption. Further, while the bureau has taken steps to implement guidance for contingency planning such as developing plans for mitigating disruptions to its primary data center through the use of emergency power, fire suppression, and storing backup copies of data for its critical systems offsite at a secured location, it only partially satisfied other requirements for contingency planning such as distributing the plan to key personnel and identifying potential weaknesses during disaster testing. Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished.

An underlying reason for these weaknesses is that the Census Bureau has not fully implemented a comprehensive information security program to ensure that controls are effectively established and maintained. Specifically, the Census Bureau had begun implementing a new risk management framework with a goal of better management visibility of information security risks, but the framework did not fully document identified information security risks. Also, the bureau had not updated certain security management program policies, adequately enforced user requirements for security and awareness training, and implemented policies and procedures for incident response. Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.

Why GAO Did This Study

The Census Bureau is responsible for collecting and providing data about the people and economy of the United States. The bureau has long used some form of automation to tabulate the data it collects. Critical to the bureau’s ability to perform these duties are its information systems and the protection of the information they contain. A data breach could result in the public’s loss of confidence in the bureau and could affect its ability to collect census data.

Because of the importance of protecting information and systems at the bureau, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over the bureau’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at bureau headquarters and field offices.

Recommendations

GAO is making 13 recommendations to the Census Bureau to enhance its agencywide information security program and, in a separate report with limited distribution, making an additional 102 recommendations. In written comments, the Department of Commerce expressed broad agreement with the overall theme of the report and said it would work to identify the best way to address our recommendations, but did not directly comment on the recommendations. It raised concerns about specific aspects of the reported findings which GAO addressed as appropriate.

Recommendations for Executive Action

Agency Affected / Recommendation / Status
Department of Commerce (Priority Rec.) To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to clearly document the bureau's assessment of common controls for information systems before granting an authorization to operate.
Closed – Implemented
In fiscal year 2016, we verified that, in response to our recommendation, the bureau documented assessment of common controls for information systems before granting an authorization to operate.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to clearly document acceptance of risks and remedial actions for management review and approval before closing them.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, clearly documented acceptance of risks and remedial actions for management review and approval before closing them.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to establish a deadline for updating and finalizing the bureau's IT Security Program Policies document.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, updated and finalized its IT Security Program Policies document.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to fully implement the bureau's new process for tracking employee completion of security awareness training in the database of record.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, has implemented the process to track employee completion of security awareness training within a centralized training database.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to enforce the requirement for annual security awareness training for all users and ensure all users complete the training.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, established a requirement to complete the security awareness training in the Data Stewardship Awareness Training policy and ensured that all users completed the training by tracking the training record within a centralized training database.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to enforce the requirement that all individuals with significant security responsibilities complete both initial and refresher role-based training.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, enforced the requirement that all individuals with significant security responsibilities completed both initial and refresher role-based training.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to provide sufficient opportunities for incident response personnel to complete required training and certifications and verify compliance.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, ensured that all personnel with incident response responsibilities completed the required training and certifications to comply with agency policy.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to develop plans and criteria or metrics for incident response plan tests and exercises, and evaluate the effectiveness of the incident response capability.
Closed – Implemented
In fiscal year 2015, we verified that the Census Bureau, in response to our recommendation, developed plans and criteria for incident response plan tests and exercises and evaluated the effectiveness of the incident response capability.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to verify that incident response personnel document in the incident log the actions taken to contain, eradicate, and recover from incidents.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, documented the action taken to contain, eradicate, and recover from incidents in the incident log.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to fully develop an incident response plan by documenting metrics used for measuring the bureau's incident response effectiveness and defining the resources and management support necessary to develop an incident response capability that meets the Census Bureau's unique needs.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, fully developed the incident response plan by documenting incident response metrics and identified the resources and management support to maintain incident response capability.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to ensure that all reportable incidents are reported to the United States Computer Emergency Readiness Team (US-CERT).
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, acted to ensure that all incidents were reported to US-CERT.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to complete development of a mature digital forensics capability to better detect and validate malware incidents.
Closed – Implemented
In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, developed a mature digital forensic capability by updating its forensic procedures on malware investigations.
Department of Commerce To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to develop a process to formally review incidents, gather lessons learned from ongoing incident handling activities and incorporate identified improvements into training, testing, and procedures.
Closed – Implemented
In fiscal year 2015, we verified that the Census Bureau, in response to our recommendation, developed a process to review incidents, gathered lessons learned from ongoing incident handling activities, and incorporated identified improvements into training, testing, and procedures.

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Census; Information security; Information systems; Best practices; Contingency plans; Database management systems; Cyber security; Risk management; IT infrastructure; Confidential communications