GAO: State leaving security holes unplugged
Monday - 8/8/2011, 6:39pm EDT
Federal News Radio
Government watchdogs have found holes in a project designed to plug vulnerabilities in computer networks and systems at the State Department, according to the Government Accountability Office (GAO).
The program, called iPost, was created to provide continuous monitoring of information security risks within the department's IT infrastructure, GAO said. "But it does not provide a complete view of" those risks.
State officials use iPost risk scores to identify and prioritize vulnerability mitigation.
GAO noted progress in iPost implementation but flagged shortfalls. The system:
- "Addresses Windows hosts but not other IT assets on its major unclassified network."
- "Covers a set of 10 scoring components that includes many, but not all, information system controls that are intended to reduce risk."
- "Assigns a score for each identified security weakness, although State could not demonstrate the extent to which scores are based on risk factors such as threat, impact, or likelihood of occurrence that are specific to its computing environment."
GAO recommended State "(1) implement procedures to consistently notify senior managers at sites with low security grades of the need for corrective actions, in accordance with department criteria, and (2) develop, document, and implement a continuous monitoring strategy."
State agreed with both recommendations, GAO said, but disagreed with others, including one for incorporating the results of iPost's monitoring of controls into key security documents, such as the OpenNet security plan, security assessment report, and plan of action and milestones.
"In addition, the department did not concur with our recommendation to document existing controls intended to ensure the timeliness, accuracy, and completeness of iPost data," GAO said, "because it stated that it regularly evaluates iPost data in these areas and stated that further documentation was of questionable value."
Federal News Radio has asked State for comment on this story.