Information Security:

Actions Needed by Census Bureau to Address Weaknesses

GAO-13-63: Published: Jan 22, 2013. Publicly Released: Feb 20, 2013.

Contact:

Gregory C. Wilshusen
(202) 512-6244
WilshusenG@gao.gov

 

Nabajyoti Barkakati
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Although the Census Bureau has taken steps to safeguard the information and systems that support its mission, it has not effectively implemented appropriate information security controls to protect those systems. Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems (access controls). For example, the bureau did not adequately: control connectivity to key network devices and servers; identify and authenticate users; limit user access rights and permissions to only those necessary to perform official duties; encrypt data in transmission and at rest; monitor its systems and network; or ensure appropriate physical security controls were in place. Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion.

In addition to access controls, implementing other important security controls including policies, procedures, and techniques to implement system configurations and plan for and manage unplanned events (contingency planning) helps to ensure the confidentiality, integrity, and availability of information and systems. While the Census Bureau had documented policies and procedures for managing and implementing configuration management controls, key communication systems were not securely configured and did not have proper encryption. Further, while the bureau has taken steps to implement guidance for contingency planning such as developing plans for mitigating disruptions to its primary data center through the use of emergency power, fire suppression, and storing backup copies of data for its critical systems offsite at a secured location, it only partially satisfied other requirements for contingency planning such as distributing the plan to key personnel and identifying potential weaknesses during disaster testing. Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished.

An underlying reason for these weaknesses is that the Census Bureau has not fully implemented a comprehensive information security program to ensure that controls are effectively established and maintained. Specifically, the Census Bureau had begun implementing a new risk management framework with a goal of better management visibility of information security risks, but the framework did not fully document identified information security risks. Also, the bureau had not updated certain security management program policies, adequately enforced user requirements for security and awareness training, and implemented policies and procedures for incident response. Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.

Why GAO Did This Study

The Census Bureau is responsible for collecting and providing data about the people and economy of the United States. The bureau has long used some form of automation to tabulate the data it collects. Critical to the bureau’s ability to perform these duties are its information systems and the protection of the information they contain. A data breach could result in the public’s loss of confidence in the bureau and could affect its ability to collect census data.

Because of the importance of protecting information and systems at the bureau, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over the bureau’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at bureau headquarters and field offices.

What GAO Recommends

GAO is making 13 recommendations to the Census Bureau to enhance its agencywide information security program and, in a separate report with limited distribution, making an additional 102 recommendations. In written comments, the Department of Commerce expressed broad agreement with the overall theme of the report and said it would work to identify the best way to address our recommendations, but did not directly comment on the recommendations. It raised concerns about specific aspects of the reported findings which GAO addressed as appropriate.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to clearly document the bureau's assessment of common controls for information systems before granting an authorization to operate.

    Agency Affected: Department of Commerce

  2. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, clearly documented acceptance of risks and remedial actions for management review and approval before closing them.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to clearly document acceptance of risks and remedial actions for management review and approval before closing them.

    Agency Affected: Department of Commerce

  3. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, updated and finalized its IT Security Program Policies document.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to establish a deadline for updating and finalizing the bureau's IT Security Program Policies document.

    Agency Affected: Department of Commerce

  4. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, has implemented the process to track employee completion of security awareness training within a centralized training database.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to fully implement the bureau's new process for tracking employee completion of security awareness training in the database of record.

    Agency Affected: Department of Commerce

  5. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, established a requirement to complete the security awareness training in the Data Stewardship Awareness Training policy and ensured that all users completed the training by tracking the training record within a centralized training database.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to enforce the requirement for annual security awareness training for all users and ensure all users complete the training.

    Agency Affected: Department of Commerce

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to enforce the requirement that all individuals with significant security responsibilities complete both initial and refresher role-based training.

    Agency Affected: Department of Commerce

  7. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, ensured that all personnel with incident response responsibilities completed the required training and certifications to comply with agency policy.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to provide sufficient opportunities for incident response personnel to complete required training and certifications and verify compliance.

    Agency Affected: Department of Commerce

  8. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to develop plans and criteria or metrics for incident response plan tests and exercises, and evaluate the effectiveness of the incident response capability.

    Agency Affected: Department of Commerce

  9. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, documented the action taken to contain, eradicate, and recover from incidents in the incident log.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to verify that incident response personnel document in the incident log the actions taken to contain, eradicate, and recover from incidents.

    Agency Affected: Department of Commerce

  10. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, fully developed the incident response plan by documenting incident response metrics and identified the resources and management support to maintain incident response capability.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to fully develop an incident response plan by documenting metrics used for measuring the bureau's incident response effectiveness and defining the resources and management support necessary to develop an incident response capability that meets the Census Bureau's unique needs.

    Agency Affected: Department of Commerce

  11. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, reported all incidents to US-CERT.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to ensure that all reportable incidents are reported to the United States Computer Emergency Readiness Team (US-CERT).

    Agency Affected: Department of Commerce

  12. Status: Closed - Implemented

    Comments: In fiscal year 2014, we verified that the Census Bureau, in response to our recommendation, developed a mature digital forensic capability by updating its forensic procedures on malware investigations.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to complete development of a mature digital forensics capability to better detect and validate malware incidents.

    Agency Affected: Department of Commerce

  13. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To fully implement its agencywide information security program, the Acting Secretary of Commerce should direct the Under Secretary for Economic Affairs who oversees the Economics and Statistics Administration and the Acting Director of the U.S. Census Bureau to develop a process to formally review incidents, gather lessons learned from ongoing incident handling activities and incorporate identified improvements into training, testing, and procedures.

    Agency Affected: Department of Commerce
