IG: GSA needs more effective data security

The General Services Administration lacks consistency in implementing security controls and doesn't have enough management oversight of its contractors as part of its information technology security program, the department’s inspector general has said. Those weaknesses prevent GSA from effectively identifying and managing risks for all its systems and data, the IG said in a recent report.

In addition to contractor oversight, GSA needs to improve the protection of sensitive information, the security of its publicly facing Web sites and controls for minor applications, Larry Bateman, director of GSA’s Information Technology Security Audit Services in the IT audit office, said in a report released Sept. 24.

For example, GSA has encrypted less than 1,800 of the 8,000 laptop computers it identified as needing that work two years after the Office of Management and Budget issued a memo that directed agencies to secure mobile data, the report said.

GSA has already incorporated security roles and responsibilities and guidance from the National Institute of Standard into department policies and procedures, he said. GSA also has taken initial steps to identify and reduce risks through security controls.

However, Bateman recommended that Casey Coleman, GSA’s chief information officer, enhance management, operational and technical controls in each of these areas. Coleman said in a written response that she agreed with the recommendations.

The recommendations included implementing a comprehensive breach notification policy to protect sensitive information; more monitoring of GSA’s external Web sites to reduce associated risks; and updating policies and procedures to also cover minor applications.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/Shutterstock.com)

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected