GAO lists security bargains
- By Diane Frank
- Mar 29, 2000
Agencies can cut their information systems' security risks with low-cost
and no-cost solutions, federal experts told Congress Wednesday.
The General Accounting Office listed six steps that agencies can take to
immediately cut down on their security risks:
* Increase security awareness throughout the organization.
* Ensure that existing controls are operating effectively.
* Ensure that software patches are up to date.
* Use automated scanning and testing tools to quickly identify vulnerabilities.
* Expand the use of best practices throughout the agency.
* Ensure that the most common vulnerabilities are addressed.
In its security audits of agencies, including the departments of Defense
and Veterans Affairs, GAO found that security controls are in place but
that those controls are not being used correctly, said Jack Brock, director
of governmentwide and defense information systems at the General Accounting
Office's Accounting and Information Management Division.
"Agencies are spending money for tools, but they're not using those tools,"
Brock testified before the House Government Reform Committee's Government
Management, Information and Technology Subcommittee. "Tools are present,
but they're not turned on, they're not monitored, you're not sure if they're
working or not."
One agency that has incorporated many of GAO's low-cost solutions into its
agencywide security policy is NASA, which has made many improvements in
security since its GAO audit in 1998, Brock said.
The agency has bought commercial off-the-shelf vulnerability analysis and
scanning tools, but it is augmenting them with freeware and shareware tools
from the Internet. NASA also has developed and distributed a list of its
top 50 vulnerabilities and has built those into auditing tools at NASA centers
so that they automatically scan for those weaknesses, testified David Nelson,
NASA's deputy chief information officer.