Watchdog: GSA must improve data security
Lax password controls and incorrectly configured databases put IT systems at risk, IG says.
The General Services Administration must beef up security of its IT systems or risk compromising critical data, according to an annual evaluation of GSA's information security program and controls by the agency inspector general.
The audit found a number of problems, including misconfigured databases, operating systems that were not patched or securely configured, and lax password management practices by database administrators.
Agency officials failed to follow IT security policy requirements and did not conduct comprehensive technical testing, the report said. As a result, "These systems and their sensitive data were placed at an increased risk of inappropriate access, modification, or destruction." The auditors recommended GSA expand technical testing and increase oversight to ensure security staff meet configuration requirements.
The audit further found that GSA did not consistently implement policies affecting database audit records, which capture information such as the deletion of data, or operating system audits, which monitor baseline system data. System security personnel also failed to review audit records for suspicious activity.
Consequently, officials might not detect unauthorized activity, or know when systems were compromised. Additionally, the lapses could hinder investigations of security incidents, the audit said.
The inspector general's office said none of the systems it reviewed used multifactor authentication, which requires two or more identifiers, such as username or password, smart card, or biometric data for remote access to sensitive information, placing the systems at an "increased risk of unauthorized access, disclosure of sensitive information and having their data compromised."
GSA also did not encrypt agency laptops, which the inspector general first noted in 2008. The Office of Management and Budget requires encryption of sensitive data on mobile devices after an unencrypted laptop containing data on 26.5 million veterans was stolen from a Veterans Affairs Department employee in 2006. In a letter responding to the audit, GSA Chief Information Officer Casey Coleman concurred with the IG's findings.