GAO lists security bargains

Agencies can cut their information systems' security risks with low-cost and no-cost solutions, federal experts tell Congress

Agencies can cut their information systems' security risks with low-cost and no-cost solutions, federal experts told Congress Wednesday.

The General Accounting Office listed six steps that agencies can take to immediately cut down on their security risks:

* Increase security awareness throughout the organization.

* Ensure that existing controls are operating effectively.

* Ensure that software patches are up-to-date.

* Use automated scanning and testing tools to quickly identify vulnerabilities.

* Expand the use of best practices throughout the agency.

* Ensure that the most common vulnerabilities are addressed.

In its security audits of agencies, including the departments of Defense and Veterans Affairs, GAO found that security controls are in place but that those controls are not being used correctly, said Jack Brock, director of governmentwide and defense information systems at the General Accounting Office's Accounting and Information Management Division.

"Agencies are spending money for tools, but they're not using those tools," Brock testified before the House Government Reform Committee's Government Management, Information and Technology Subcommittee. "Tools are present, but they're not turned on, they're not monitored, you're not sure if they're working or not."

One agency that has incorporated many of GAO's low-cost solutions into its agencywide security policy is NASA, which has made many improvements in security since its GAO audit in 1998, Brock said.

The agency has bought commercial off-the-shelf vulnerability analysis and scanning tools, but it is augmenting them with freeware and shareware tools from the Internet. NASA also has developed and distributed a list of its top 50 vulnerabilities and has built those into auditing tools at NASA centers so that they automatically scan for those weaknesses, testified David Nelson, NASA's deputy chief information officer.