Guidance for system reviews changed to focus more on networks

Updated GAO audit manual reflects advances in IT systems and environments.

Because federal networks are more linked than ever before, the Government Accountability Office says it will conduct detailed audits of how agencies protect computer systems.

GAO released on Feb. 2 its latest version of the 600-page Federal Information System Controls Audit Manual (FISCAM), which evaluates how agencies manage the risks to their computer networks. The manual, last revised in 1999, reflects the fact that agencies' systems are increasingly interconnected and that hacking strategies have become more sophisticated.

"Revisions were made to reflect today's networked environment," said Robert Dacey, GAO's chief accountant, and Gregory Wilshusen, the agency's director of information security issues, in a joint statement included with the report. "The nature of [information system] risks continues to evolve. Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive attacks."

The manual shows agencies how to analyze the controls they use to protect information systems. That analysis often feeds performance reports, financial statement audits and the testimony agencies must give Congress on information security, according to the report.

Among the changes in the latest edition are new audit requirements aimed at specific types of risk. GAO broadened the security management category so that audits cover compliance with federal requirements, such as the Federal Information Security Management Act of 2002, and best practices for protecting networks, operating systems and applications agencywide. Auditors should evaluate, for example, whether agencies periodically assess risk to networks and applications, have written information security policies, train employees in information security, remediate known security weaknesses, and verify that contractors comply with agency security policy.

GAO changed the guidance on network access, which aims to ensure only authorized individuals can see or change information on a network, by eliminating redundancies and adding requirements for system software. The enterprise software agencies use to control network access, such as Microsoft Active Directory, is typically managed centrally from one or two servers and depends on proper configuration of the underlying operating system, according to the report. Agencies should verify that those configurations grant the appropriate level of access across the network, and that the controls protect identities and sensitive system resources, authorize users and monitor network activity.

GAO broadened the configuration management category to cover network components and applications, rather than focusing solely on the network perimeter, according to the report.

"Configuration management and control procedures are critical to establishing an initial baseline of hardware, software and firmware components . . . and subsequently controlling and maintaining an accurate inventory of any changes to the system," GAO wrote.

Audits therefore will evaluate how agencies authorize, test, approve and track configuration changes, and whether they monitor systems and apply software updates to protect against known vulnerabilities.
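As an added illustration of the baseline-and-change-tracking control described above (this is example code written for this page, not anything from GAO or the manual), the following Python script compares a recorded baseline of hardware, software and configuration components against a current inventory and flags every change that no approved change record covers. Every component name, version, file content and the change ticket CHG-0042 are constructed for the example.

```python
"""Configuration-baseline drift check (added illustration, not GAO code).

A baseline records each component's name, version and SHA-256 digest.
A change is treated as authorized only when an approved change record
names the component AND matches the artifact now installed, so an
attacker cannot satisfy the check merely by reusing an approved version
string.  Removals are always reported, since no removal records are
modeled here.  All inventory data below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str      # package, firmware image, or configuration file
    version: str   # version tag as reported by the host
    digest: str    # SHA-256 of the installed artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the last approved state of the host.
BASELINE = {
    "openssl":     Component("openssl", "1.1.1k", sha256_hex(b"openssl-1.1.1k")),
    "sshd_config": Component("sshd_config", "rev3", sha256_hex(b"PermitRootLogin no\n")),
    "bios":        Component("bios", "2.14", sha256_hex(b"bios-2.14")),
}

# Constructed current inventory collected from the host today.
CURRENT = {
    # patched under an approved change
    "openssl":     Component("openssl", "1.1.1l", sha256_hex(b"openssl-1.1.1l")),
    # same version tag, but the file content changed (no change record)
    "sshd_config": Component("sshd_config", "rev3", sha256_hex(b"PermitRootLogin yes\n")),
    "bios":        Component("bios", "2.14", sha256_hex(b"bios-2.14")),
    # new tool that nobody approved
    "nc":          Component("nc", "1.10", sha256_hex(b"nc-1.10")),
}

# Approved change records (hypothetical ticket IDs): each names the exact
# artifact that is allowed to appear on the host after the change.
APPROVED_CHANGES = {
    "CHG-0042": Component("openssl", "1.1.1l", sha256_hex(b"openssl-1.1.1l")),
}


def detect_drift(baseline, current, approved):
    """Return {component_name: finding} for every difference between the
    baseline and the current inventory; unchanged components are omitted."""
    approved_by_component = {c.name: (c, ticket) for ticket, c in approved.items()}
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before == after:
            continue                      # identical name, version and digest
        if after is None:
            status = "REMOVED"
        elif before is None:
            status = "ADDED"
        else:
            status = "MODIFIED"
        expected, ticket = approved_by_component.get(name, (None, None))
        if after is not None and after == expected:
            findings[name] = f"{status} (authorized by {ticket})"
        else:
            findings[name] = f"{status} UNAUTHORIZED"
    return findings


if __name__ == "__main__":
    for name, finding in detect_drift(BASELINE, CURRENT, APPROVED_CHANGES).items():
        print(f"{name:12s} {finding}")
```

Matching on the full digest rather than the version string is what catches the sshd_config change: the version tag is unchanged, but the content differs from the baseline and no change record covers it, so it is reported as unauthorized even though a version-only comparison would have missed it.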

The manual also instructs auditors to check for proper segregation of duties and oversight of employee activities, and for contingency controls that keep information resources protected and recoverable during unplanned system interruptions.
