GAO to examine ways nonfederal groups protect data

The chairman and the minority leader of the Senate Governmental Affairs Committee this month asked the General Accounting Office to study the best security measures and policies that nonfederal organizations use to protect their computer systems.

Sens. Fred Thompson (R-Tenn.) and John Glenn (D-Ohio) requested the study and cited the importance of security measures to protect data on citizens and to safeguard federal operations.

"Although a body of federal guidance exists regarding information security it is clear that federal agencies need additional direction in implementing effective security programs " the senators wrote. "We are asking that you review the activities of leading organizations in this arena in order to identify practices that could be successfully adopted by federal agencies."

The senators' letter asked GAO to review how these organizations assess and manage risk develop and disseminate security policies allocate resources for these activities and measure and monitor the effectiveness of their programs.

A committee staff member said she expects GAO to produce a report similar to ones it has issued recently on industry best practices in information technology management.

Jack Brock director of Defense information financial management issues at GAO and the team leader on the new best-practices project said he hopes the practices described in the report will serve as models for federal agencies struggling with how to establish and enforce efficient computer security guidelines. "Rather than looking at what people are doing wrong we want to focus on organizations that are doing things right " he said.

Brock said last week his staff had already met with five groups identified as having excellent computer security programs. He declined to name the organ-izations and said many of the subjects GAO interviewed were concerned about becoming targets of hackers if they were publicly identified as leaders in computer security. GAO will sign confidentiality agreements with most organizations involved in the study "because of the reasonably in-depth access we are getting to their computer security features " he said.

GAO tracked down many of the organizations it will cite in its report through recommendations from computer security experts at the National Institute of Standards and Technology Brock said. Others were groups known to GAO from work on related issues or were winners of awards for achievements in computer security.

Brock said GAO will focus on banks and other financial institutions decentralized retail operations and state agencies offering services to citizens.

GAO plans to publish its findings around the start of 1998 Brock said.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.