GAO lists security bargains

Agencies can cut their information systems' security risks with low-cost and no-cost solutions, federal experts told Congress Wednesday.

The General Accounting Office listed six steps that agencies can take to immediately cut down on their security risks:

* Increase security awareness throughout the organization.
* Ensure that existing controls are operating effectively.
* Ensure that software patches are up-to-date.
* Use automated scanning and testing tools to quickly identify vulnerabilities.
* Expand the use of best practices throughout the agency.
* Ensure that the most common vulnerabilities are addressed.

In its security audits of agencies, including the departments of Defense and Veterans Affairs, GAO found that security controls are in place but that those controls are not being used correctly, said Jack Brock, director of governmentwide and defense information systems at the General Accounting Office's Accounting and Information Management Division.

"Agencies are spending money for tools, but they're not using those tools," Brock testified before the House Government Reform Committee's Government Management, Information and Technology Subcommittee. "Tools are present, but they're not turned on, they're not monitored, you're not sure if they're working or not."

One agency that has incorporated many of GAO's low-cost solutions into its agencywide security policy is NASA, which has made many improvements in security since its GAO audit in 1998, Brock said.

The agency has bought commercial off-the-shelf vulnerability analysis and scanning tools, but it is augmenting them with freeware and shareware tools from the Internet. NASA also has developed and distributed a list of its top 50 vulnerabilities and has built those into auditing tools at NASA centers so that they automatically scan for those weaknesses, testified David Nelson, NASA's deputy chief information officer.
