different types of systems--such as microcomputers and mainframes--having diverse functions and security needs, although the guidance specified that only similar systems could be combined. When dissimilar systems were combined, the plan's usefulness as a management tool was limited. Further, for plans that combined systems, some agencies reported that a security control was in place for the entire plan, although it was actually in place for only a few systems. Agency officials stated that they combined systems in accordance with their understanding of the OMB guidance and NIST/NSA verbal instructions.

In addition, officials were confused about how much detail to include in the plans and whether to address telecommunications issues (e.g., network security). For example, they said that although the guidance asked for brief descriptions of systems and information sensitivity, NIST/NSA reviewers frequently commented that plans lacked adequate descriptions. NIST officials said they expected that the plans would be more detailed and discuss the vulnerabilities inherent in networks. They said, in retrospect, that it would have been helpful if the guidance had provided examples and clarified the level of expected detail.

AGENCIES HAVE NOT IMPLEMENTED
MOST PLANNED SECURITY CONTROLS
------------------------------

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls.3 The 22 plans we reviewed contained 145 planned security controls. According to agency officials, as of January 1990, only 38 percent of the 145 planned controls had been implemented. Table 1 shows the number and percentage of planned security controls that had been implemented as of January 1990.
Table 1: Implementation of Security Controls in 22 Plans

                                                                    Percent
Security control                          Planned  Implemented  implemented
----------------------------------------  -------  -----------  -----------
Assignment of security responsibility           7            7          100
Audit and variance detection                    7            7          100
Confidentiality controls                        3            3          100
User identification and authentication          2            2          100
Personnel selection and screening               7            6           86
Security measures for support systems           9            5           56
Security awareness and training measures       20           12           60
Authorization/access controls                   4            2           50
Contingency plans                              11            5           45
Data integrity and validation controls          8            2           25
Audit trails and maintaining journals          12            2           17
Production, input/output controls               8            1           13
Risk/sensitivity assessment                    11            1            9
Security specifications                        10            0            0
Design review and testing                      11            0            0
Certification/accreditation                    14            0            0
Software controls                               1            0            0
----------------------------------------  -------  -----------  -----------
Total                                         145           55            -

3 Only 4 percent of the security controls had implementation dates beyond January 1990.

According to many agency officials, budget constraints and lack of adequate top management support--in terms of resources and commitment--were key reasons why security controls had not yet been implemented. Although some officials stated that the planning process has raised management awareness of computer security issues, this awareness has, for the most part, apparently not yet resulted in increased resources for computer security programs. A number of officials said that security has been traditionally viewed as overhead and as a target for budget cuts. Some officials noted that requests for funding of contingency planning, full-time security officers, and training for security personnel and managers have a low approval rate.

NIST/NSA REVIEW FEEDBACK WAS GENERAL
AND OF LIMITED USE TO AGENCIES
------------------------------------

Agency officials said that the NIST/NSA review comments and recommendations on their plans were general and of limited use in addressing specific problems.
However, because the plans were designed to be brief and minimize the risks of unauthorized disclosure, they had little detailed information for NIST and NSA to review. Thus, the NIST/NSA review team focused their comments on (1) the plans' conformity with the OMB planning guidance and (2) governmentwide guidance (e.g., NIST Federal Information Processing Standards publications) relating to planned security controls. (Appendix IV provides an example of typical NIST/NSA review comments and recommendations.)

Despite the limited agency use of the feedback, NIST officials said that the information in the plans will be useful to NIST in identifying broad security weaknesses and needs. During the review process, the NIST/NSA review team developed a data base that included the status of security controls for almost 1,600 civilian plans. NIST intends to use statistics from the data base to support an upcoming report on observations and lessons learned from the planning and review process. Noting that the data have limitations--for example, varying agency interpretations of "in place"--NIST officials said that areas showing the greatest percentage of planned controls indicated areas where more governmentwide guidance might be needed. Appendix V shows the status of security controls in the civilian plans, according to our analysis of the NIST/NSA data base.4

REVISED GUIDANCE PROVIDES
FOR AGENCY ASSISTANCE
-------------------------

The 1990 draft OMB security planning guidance calls for NIST, NSA, and OMB to provide advice and technical assistance on computer security issues to federal agencies as needed. Under the guidance, NIST, NSA, and OMB would visit agencies and discuss (1) their computer security programs, (2) the extent to which the agencies have identified their sensitive computer systems, (3) the quality of their security plans, and (4) their unresolved internal control weaknesses.
NIST officials said that the number of agencies visited in fiscal year 1991 will depend on that year's funding for NIST's Computer Security Division, which will lead NIST's effort, and the number of staff provided by NSA.

In addition, under the 1990 draft guidance, agencies would develop plans for sensitive systems that are new or significantly changed, did not have a plan for 1989, or had 1989 plans for which NIST and NSA could not provide comments because of insufficient information. Agencies would be required to review their component agency plans and provide independent advice and comment.

CONCLUSIONS
-----------

The government faces new levels of risk in information security because of increased use of networks and computer literacy and greater dependence on information technology overall. As a result, effective computer security programs are more critical than ever in safeguarding the systems that provide essential government services.

The planning and feedback process was an effort to strengthen computer security by helping agencies identify and assess their sensitive system security needs, plans, and controls. However, the plans created under the process were viewed primarily as reporting requirements, and although the process may have elevated management awareness of computer security, as yet it has done little to strengthen agency computer security programs.

OMB's draft security planning guidance creates the potential for more meaningful improvements by going beyond planning and attempting to address broader agency-specific security problems. However, although NIST, NSA, and OMB assistance can provide an impetus for change, their efforts must be matched by agency management commitment and actions to make needed improvements.

4 NIST and NSA deleted agency and system names from the data base provided to us.
Ultimately, it is the agencies' responsibility to ensure that the information they use and maintain is adequately safeguarded and that appropriate security measures are in place and tested. Agency management of security is an issue we plan to address in our ongoing review of this important area.

---

As requested, we did not obtain written agency comments on this report. We did, however, discuss its contents with NIST, OMB, and NSA officials and have included their comments where appropriate. We conducted our review between July 1989 and March 1990, in accordance with generally accepted government auditing standards.

As arranged with your office, unless you publicly release the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time we will send copies to the appropriate House and Senate committees, major federal agencies, OMB, NIST, NSA, and other interested parties. We will also make copies available to others on request.

This report was prepared under the direction of Jack L. Brock, Jr., Director, Government Information and Financial Management, who can be reached at (202) 275-3195. Other major contributors are listed in appendix VI.

Sincerely yours,

Ralph V. Carlone
Assistant Comptroller General

CONTENTS
--------

                                                               Page
LETTER                                                            1

APPENDIX
  I    Objectives, Scope, and Methodology                        12
  II   Plans GAO Reviewed                                        14
  III  Computer Security and Privacy Plan                        16
  IV   NIST/NSA Feedback on Computer Security Plans              21
  V    Status of Security Controls in 1,542 Plans                22
  VI   Major Contributors to This Report                         24
       Related GAO Products                                      25

TABLE
  1    Implementation of Security Controls in 22 Plans            6

ABBREVIATIONS
-------------