GAO hits IT security at USDA, says improvements needed

Computerworld - The U.S. Department of Agriculture (USDA) has "significant, pervasive information security control weaknesses" brought on by the lack of a fully implemented IT security management program, according to a report from the U.S. General Accounting Office.
The 33-page report (download PDF), released yesterday, strongly criticizes the USDA for security weaknesses, which potentially leave its proprietary information, payroll and financial transactions, agricultural and marketing data, and other information "at increased risk of unauthorized disclosure, modification or loss, possibly without being detected."
To tighten the agency's IT security, the GAO report recommends that a top-to-bottom security management program be implemented, including improved controls on network boundaries, network access, mainframe access and overall system access management to better show who is using the agency's IT systems at any time.
The GAO acknowledged that the USDA "has various initiatives under way" to improve its IT security, but it criticized the agency's progress.
"Agency security personnel have lacked the management involvement needed to effectively implement security programs," while "three agencies [inside the USDA] have not completed any of the required risk assessments" that have been laid out for them previously, according to the report. "Security controls have been tested and evaluated for less than half of the department's systems in the past year."
Scott Charbo, CIO at the USDA in Washington, couldn't be reached for comment today but said in a reply letter to the GAO that the report "accurately reflects issues and concerns identified by the GAO" and that he concurs with the need to improve the agency's IT security.
Robert Dacey, director of information security issues at the GAO, today declined to comment further on the document.
The GAO said it's been highlighting the need for improved information security within government agencies since 1997 and acknowledged that the USDA has been making some progress since 2000, when the GAO recommended that the USDA develop and document a strategy for improving information security.
Among the chief criticisms from the report is that the USDA's network "does not provide a secure operating environment" to support its users. "While USDA established a restrictive policy to protect its agencies' internal networks from the Internet by using firewalls, its current network boundary controls are not configured in accordance with its security policy and do not provide adequate protection," the report said.