Security continues to be a bugbear for most of the 24 major federal agencies, including the three cabinet-level departments with the largest federal healthcare operations: HHS and the Defense and Veterans Affairs departments, according to a 61-page Government Accountability Office report issued Friday.
"Almost all of the 24 major federal agencies had weaknesses in one or more areas of information security controls," the report said.
According to the GAO and reports from the inspectors general for the federal departments or agencies studied, "persistent weaknesses appear in the five major categories of information system controls":
- Access controls, which ensure that only authorized individuals can read, alter or delete data.
- Configuration management controls, which provide assurance that only authorized software programs are implemented.
- Segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection.
- Continuity of operations planning, which provides for the prevention of significant disruptions of computer-dependent operations.
- An agencywide information security program, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented.
"Most agencies continue to have weaknesses in each of these categories," the report said, noting "a spate of security incidents that have put sensitive data at risk, including the theft, loss or improper disclosure of personally identifiable information on millions of Americans, thereby exposing them to loss of privacy and potential harm associated with identity theft."
The report cites as its first example of system security flaws the loss, during a home burglary in spring 2006, of 26.5 million records from the Veterans Health Administration. "These weaknesses in security policies and practices threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies."
"Recently reported information security incidents at federal agencies have placed sensitive data at risk, including the theft, loss or improper disclosure of personally identifiable information on millions of Americans, thereby exposing them to loss of privacy and potential harm associated with identity theft," the report said.