IG: GSA needs more effective data security

The General Services Administration lacks consistency in implementing security controls and doesn't have enough management oversight of its contractors as part of its information technology security program, the department’s inspector general has said. Those weaknesses prevent GSA from effectively identifying and managing risks for all its systems and data, the IG said in a recent report. In addition to contractor oversight, GSA needs to improve the protection of sensitive information, the security of its publicly facing Web sites and controls for minor applications, Larry Bateman, director of GSA’s Information Technology Security Audit Services in the IT audit office, said in a report released Sept. 24. For example, GSA has encrypted less than 1,800 of the 8,000 laptop computers it identified as needing that work two years after the Office of Management and Budget issued a memo that directed agencies to secure mobile data, the report said. GSA has already incorporated security roles and responsibilities and guidance from the National Institute of Standard into department policies and procedures, he said. GSA also has taken initial steps to identify and reduce risks through security controls. However, Bateman recommended that Casey Coleman, GSA’s chief information officer, enhance management, operational and technical controls in each of these areas. Coleman said in a written response that she agreed with the recommendations. The recommendations included implementing a comprehensive breach notification policy to protect sensitive information; more monitoring of GSA’s external Web sites to reduce associated risks; and updating policies and procedures to also cover minor applications.