GSA fails to follow through with IT security, IG says

Auditors found weaknesses in database and operating system software that wasn't patched or securely configured and lax password management for database administrator accounts.

In those reviews, auditors found weaknesses in database and operating system software that wasn't patched or securely configured and lax password management for database administrator accounts and said the weaknesses stem from a failure of system security officials to apply GSA’s IT security policy core requirements. In addition, officials were not being comprehensive when overseeing the technical testing of systems, the IG reported.

General Services Administration officials have strengthened their agencywide IT security program, but auditors have found managers failing to follow all the procedures to make the program function well.

GSA’s IT officials need to closely watch how security officials apply baseline configuration requirements to IT systems and IT officials also need to include authenticated security scanning to their systems' technical testing processes, according to a review by the agency's inspector general.

“Authenticated scanning would provide a more comprehensive view as to the implementation of GSA’s IT security policy and hardening guides by system security officials,” the IG reported.

The report, released last December, is the fiscal 2010 Federal Information Security Management Act review of GSA’s IT security program. It's an annual audit of the agency’s IT security program and the results of five system security audits conducted during the year.


Related stories:

GSA employee may have exposed entire staff to identity theft

Report: WikiLeaks source exploited security flaw


To improve IT system security, the IG recommended that all of GSA’s IT systems that are remotely accessed have a multi-factor authentication. Multi-factor authentication involves accessing IT systems with two or more unique identifiers, such as a user name and password, smart card, and a biometric.

None of the five systems were using the tougher authentications for remote access to sensitive information, the review said, adding that the systems could be accessed with only a user name and password, even though three of the systems include sensitive information.

One of the systems had a requirement to be secured with a multi-factor authentication, but officials didn’t follow up to make sure it was included, the IG said.

GSA also needs to get system security officials to prioritize how they will set up ways to monitor who has been accessing the systems, the report states. In the case of a security breach or unlawful access to information, a log may be a key to the investigation, it added.

"System security officials may be unable to identify unauthorized activity or when GSA systems are compromised" without it, the IG wrote.

GSA agreed with the findings.