Since the passing of the Federal Information Security Management Act in 2002 (FISMA), the Office of Inspector General (OIG) has been required to perform yearly audits on their agencies IT security programs. After the completion of the FY2012 audit for the General Services Administration, it appears the IT Security Program has some work to do. The audit released today uncovered three glaring security control deficiencies, majority seemingly the result of inattentiveness.
Transgression number one was the lack of security patches consistent with the required standard in multiple systems. According to FISMA requirements, high risk vulnerabilities found in the IT systems must be securely patched within 30 days. Review discovered that two systems only had patch standards to within 60 days while another systems vulnerability’s had not been adequately dealt with since 2009. The lack of timeliness compromises the system to unnecessarily higher threat levels.
A second issue found was the lack of insurance on backup capability for newly deployed IT systems. Security procedure NIST 800-53 dictates all systems must be backup tested before deployment to ensure data is recoverable in case of a security compromise, however some newly deployed systems were not guaranteed backup capable.
The final finding was that the OIG Information Officer did not have their own security controls in place for mobile applications despite the presence of 5 mobile apps linking GSA to the public. Due to the increased security risk that comes with mobile apps due to reduced authentication requirements and the greater chance of theft of misplacement of mobile devices, NIST 800-53 requires, the managing organization itself to create security controls for the apps within their own system instead of relying on external general controls from application manufacturers.
The audit complied general guidelines on how to remedy these security issues, however specific implementation and improvement was left to the digression of the GSA IT Security team. One can be sure though that the findings of the 2013 report will be eagerly anticipated.
