Information Security: Evaluation for GAO's Program and Practices for Fiscal Year 2011

OIG-12-2: Mar 30, 2012

Additional Materials:


Office of Public Affairs
(202) 512-4800

What We Found

This is a publication by GAO's Inspector General that concerns internal GAO operations. A full report on this evaluation was prepared for GAO internal use only. The Federal Information Security Management Act of 2002 (FISMA) requires that each federal agency establish an agencywide information security management program for the information and information systems that support the agency’s operations and assets. GAO is not obligated by law to comply with FISMA or Executive Branch information policies, but has adopted them to help ensure physical and information system security. Our evaluation showed that GAO has established an overall information security program that is generally consistent with the requirements of FISMA, Office of Management and Budget implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, using FISMA reporting metrics for federal inspectors general, we identified opportunities to improve specific elements of this program that concern

  • addressing information security risk from an overall agency ·perspective through a comprehensive governance structure and organization-wide risk management strategy,
  • remediating security weaknesses identified for agency information·systems in a timely manner,
  • building out GAO’s Alternative Computing Facility to fully support the·agency’s mission-essential functions in the event of an emergency ordisaster, and
  • developing accurate statistics for employees and contractors·completing annual security awareness and role-based training.

What We Recommend

This report recommends that GAO (1) establish a comprehensive governance structure and organization-wide risk management strategy for the security of its information systems; (2) enhance accountability for, and management of, the agency’s information security weakness remediation process; (3) provide senior management with adequate information to consider and prioritize building out the capabilities of the agency’s Alternative Computing Facility; and (4) develop and implement procedures for capturing data that accurately reflect agency compliance with security training requirements as of the end of each fiscal year. GAO concurred with these recommendations.

Dec 1, 2014

Sep 30, 2014

Jun 3, 2014

May 27, 2014

Dec 19, 2013

Sep 27, 2013

Apr 26, 2013

Feb 13, 2013

Dec 12, 2012

Aug 28, 2012

Looking for more? Browse all our products here