United States General Accounting Office
___________________________________________________________________

GAO Report to the Chairman, Committee on Science, Space, and Technology, House of Representatives
___________________________________________________________________

May 1990

COMPUTER SECURITY

Governmentwide Planning Process Had Limited Impact
___________________________________________________________________

GAO/IMTEC-90-48

This U.S. General Accounting Office (GAO) report is 1 of 7 available over the Internet as part of a test to determine whether there is sufficient interest within this community to warrant making all GAO reports available over the Internet. The file REPORTS at NIH lists the 7 reports. So that we can keep a count of report recipients, and your reaction, please send an E-Mail message to KH3@CU.NIH.GOV and include, along with your E-Mail address, the following information:

1) Your organization.
2) Your position/title and name (optional).
3) The title/report number of the above reports you have retrieved electronically or ordered by mail or phone.
4) Whether you have ever obtained a GAO report before.
5) Whether you have copied a report onto another bulletin board--if so, which report and bulletin board.
6) Other GAO report subjects you would be interested in. GAO's reports cover a broad range of subjects such as major weapons systems, energy, financial institutions, and pollution control.
7) Any additional comments or suggestions.

Thank you for your time.

Sincerely,

Jack L. Brock, Jr.
Director, Government Information and Financial Management Issues
Information Management and Technology Division

B-238954

May 10, 1990

The Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives

Dear Mr. Chairman:

This report responds to your June 5, 1989, request and subsequent agreements with your office that we review the governmentwide computer security planning and review process required by the Computer Security Act of 1987. The act required federal agencies to identify systems that contain sensitive information and to develop plans to safeguard them. As agreed, we assessed the (1) planning process in 10 civilian agencies as well as the extent to which they implemented planned controls described in 22 selected plans and (2) National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans. This is the fifth in a series of reports on implementation of the Computer Security Act that GAO has prepared for your committee. Appendix I details the review's objectives, scope, and methodology. Appendix II describes the systems covered by the 22 plans we reviewed.

RESULTS IN BRIEF
----------------

The planning and review process implemented under the Computer Security Act did little to strengthen computer security governmentwide. Although agency officials believe that the process heightened awareness of computer security, they typically described the plans as merely "reporting requirements" and of limited use in addressing agency-specific problems. Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place, (2) managers had little time to prepare the plans, and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials.

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls. Agency officials said that budget constraints and inadequate top management support--in terms of resources and commitment--were key reasons why controls had not been implemented.

Based on the results of the planning and review process, OMB--in conjunction with NIST and NSA--issued draft security planning guidance in January 1990. The draft guidance focuses on agency security programs and calls for NIST, NSA, and OMB to visit agencies to discuss their security programs and problems, and provide advice and technical assistance. We believe that efforts directed toward assisting agencies in solving specific problems and drawing top management attention to computer security issues have greater potential for improving computer security governmentwide.

BACKGROUND
----------

The Computer Security Act of 1987 (P.L. 100-235) was passed in response to concerns that the security of sensitive information was not being adequately addressed in the federal government.1 The act's intent was to improve the security and privacy of sensitive information in federal computer systems by establishing minimum security practices. The act required agencies to (1) identify all developmental and operational systems with sensitive information, (2) develop and submit to NIST and NSA for advice and comment a security and privacy plan for each system identified, and (3) establish computer security training programs.

1 The act defines sensitive information as any unclassified information that in the event of loss, misuse, or unauthorized access or modification, could adversely affect the national interest, conduct of a federal program, or the privacy individuals are entitled to under the Privacy Act of 1974 (5 U.S.C. 552a).

OMB Bulletin 88-16, developed with NIST and NSA assistance, provides guidance on the computer security plans required by the act. To be in compliance, approximately 60 civilian agencies submitted almost 1,600 computer security plans to a NIST/NSA review team in early 1989. Nearly all of these plans followed, to some degree, the format and content requested by the bulletin. The bulletin requested that the following information be included in each plan:

-- Basic system identification: agency, system name and type, whether the plan combines systems, operational status, system purpose, system environment, and point of contact.

-- Information sensitivity: laws and regulations affecting the system, protection requirements, and description of sensitivity.

-- Security control status: reported as "in place," "planned," "in place and planned" (i.e., some aspects of the control are operational and others are planned), or "not applicable," and a brief description of and expected operational dates for controls that are reported as planned.2 (Appendix V lists the controls.)

2 In this report, we are using the term "planned controls" to include controls that agencies listed as "planned" or "in place and planned" in their January 1989 plans. Both categories indicated that the controls were not fully in place.

Appendix III presents a composite security plan that we developed for this report as an example of the civilian plans we reviewed. It is representative of the content, format, and common omissions of the plans.

PLANS HAD LIMITED IMPACT ON
---------------------------
AGENCY COMPUTER SECURITY PROGRAMS
---------------------------------

The goals of the planning process were commendable--to strengthen computer security by helping agencies identify and evaluate their security needs and controls for sensitive systems. According to agency officials, the process yielded some benefits, the one most frequently cited being increased management awareness of computer security. Further, some officials noted that the planning process provided a framework for reviewing their systems' security controls. However, problems relating to the design and implementation of the planning process limited its impact on agency security programs. Specifically, (1) the plans lacked adequate information to serve as effective management tools, (2) managers had little time to prepare the plans, and (3) the OMB guidance was sometimes unclear and misinterpreted by the agencies. Consequently, most agency officials viewed the plans as reporting requirements, rather than as management tools.

Plans Lacked Adequate Information to
------------------------------------
Serve as Effective Management Tools
-----------------------------------

Although agency officials said that security planning is essential to the effective management of sensitive systems, the plans lacked important information that managers need in order to plan, and to monitor and implement plans. The plans did not include this information, in part, because they were designed not only to help agencies plan, but also to facilitate NIST/NSA's review of the plans and to minimize the risks of unauthorized disclosure of vulnerabilities. For example:

-- Many plans provided minimal descriptions (a sentence or nothing at all) of system sensitivity and planned security controls. Detailed descriptions would have made the plans more useful in setting priorities for implementing planned controls.

-- The plans did not assign responsibility for each planned control. It was not clear, therefore, who was accountable for implementing the control (e.g., who would be performing a risk assessment).

-- The plans did not include resource estimates needed to budget for planned actions.

-- The plans generally did not refer to computer security-related internal control weaknesses, although such information can be important in developing plans.

Finally, officials from about one-third of the agencies said that they already had more comprehensive planning processes to help them identify and evaluate their security needs. As a result, the governmentwide process was largely superfluous for these agencies. Officials at such agencies said that their plans, which included information such as detailed descriptions of security controls, already met the objectives of the governmentwide planning process. Many officials said that what they needed was assistance in areas such as network security.

Managers Had Little
-------------------
Time to Prepare the Plans
-------------------------

Officials had little time to adequately consider their security needs and prepare plans, further limiting the usefulness of the plans. OMB Bulletin 88-16 was issued July 6, 1988, 27 weeks before the plans were due to the NIST/NSA review team, as required by the Computer Security Act. However, less than 14 weeks was left after most agencies issued guidance on responding to the OMB request. Within the remaining time, instructions were sent to the component agencies and from there to the managers responsible for preparing the plans, meetings were held to discuss the plans, managers prepared the plans, and the plans were reviewed by component agencies and returned to the agencies for review. As a result, some managers had only a few days to prepare plans.

Guidance Was Sometimes Unclear
------------------------------
and Misinterpreted by Agencies
------------------------------

Many agency officials misinterpreted or found the guidance unclear as to how systems were to be combined in the plans, the definition of some key terms (e.g., "in place"), the level of expected detail, and the need to address telecommunications. For example, some plans combined many