Help available for security risk, GAO says

Although information security is one of two governmentwide issues labeled "high-risk," guidance and legislation issued over the past six months could significantly reduce federal agencies' risk, according to the General Accounting Office.

Security has been on the GAO high-risk list since 1997, but threats have increased over the past two years, and the government's ability to respond has not kept pace.

Many improvements have been made in response to numerous GAO and inspector general reports, but security program management "continues to be a widespread and fundamental problem," according to GAO's high-risk report, released Jan. 17.

"In reports to our committee, GAO has targeted agency vulnerabilities and made scores of helpful recommendations," said Sen. Joseph Lieberman (D-Conn.). "Based on these reports, the committee reported out a computer security bill which was enacted by Congress last year."

That bill, the Government Information Security Act, became part of the 2001 Defense Authorization Act that President Clinton signed in October. The new legislation requires agencies to adopt many of the management practices advocated by GAO and undergo annual independent evaluations of the agency's security management policies and practices.

This legislation, coupled with new tools and guidance from the CIO Council and the Office of Management and Budget, could help agencies start to catch up with the vulnerabilities they face as they increasingly depend on computers and the Internet, the GAO report stated.

Key among these tools is the CIO Council's Information Technology Security Assessment Framework, a tool for agencies to determine the effectiveness of their security programs. But according to GAO it is important to maintain the momentum started by the release of the framework by ensuring it is used and its results are further evaluated by agencies.