GAO Audit: Can We Learn From Their Mistakes

Nov 1, 2016 10:00:00 AM |

Megan Hudson

Social Share:

megan blog picture-1.jpgThe old saying “if it ain't broke, don’t fix it” immediately came to mind as I began to look at the audit report from the Government Accountability Office regarding Federal Agency Security. The reason this quote came to mind is that in information security, there are some serious breaks in need of very intentional fixing. It is evident from the amount of information security incidents that have occurred over the past several years that there is much in disrepair. In fact, since 2006, the number of incidents that we know about has risen from 5,503 to 67,168 according to the recent GAO Federal Information Security report. If this isn’t cause for concern I’m not sure what is.

These incidents are the result of major weaknesses in several categories of controls.

Access Controls

According to the GAO, 18 of 24 agencies had weakness in their authorization controls. These weaknesses included terminated employees still having access to confidential information and unnecessary access granted to employees.

We all know that when personal information is placed in the hands of the wrong people,  mistakes are made and the door opens to cyber criminals. The concern is not limited to employees opportunistically abusing their access. These mistakes make it easier for any attacker with access to impact the organization in a serious way.

Configuration Management

If the manufacturer of your child’s crib ordered a recall on your particular model you would immediately have it fixed, wouldn’t you? A software patch for a system is similar to a manufacturer announcing that something needs to be replaced to address the risk associated with part of the crib.

As in a recall, it is your responsibility to address the situation, only more so with a patch, as you have to administer the fix yourself. In 2014, 22 federal agencies reported weaknesses in this area alone. With unsupported or out-of-date software you might as well be asking for a hacker to steal your agencies confidential files.

Segregation of Duties

We all know the inherent security risks that accompany short staffing: too few people doing too many jobs. This seems to be the first thing many companies think about; for example, ensuring that one person with access to inventory isn’t also responsible for a periodic physical count of those assets. These controls, if not enforced completely, can lead to employees bypassing them through the sharing of accounts and passwords. Fifteen federal agencies reported weaknesses in this area in 2014.

Contingency Planning

As business people, we like to think of all potential outcomes and prepare accordingly as to not risk our reputations, continuity, and confidentiality of what we’ve been trusted to protect. This is the fourth area that the GAO noticed was a huge issue in 2014 when 18 federal agencies reported they still haven’t fully committed to planning for the future.

Security Management

All of these areas relate to information security; they are tools that we use to ensure safety for our confidential information. It’s safe to say that a large part of the reason that so many weaknesses are being reported is that almost every federal agency reported weaknesses in information security management.

The point here is to understand how important it is to protect the information we are trusted with by our customers, employees, and business partners. If we consider that governmental agencies are not properly securing our personal information, the last thing I want is for you to make the same mistakes inside your organization. Here are some ways the GAO recommends these weaknesses be addressed:

  • Protect data at rest and in transit. The GAO notes how vital it is for organizations to protect data through encryption. This includes data in transit even inside the organization, as well as anything communicated outside the organization.
  • Cybersecurity proficiency has become one of the most important areas an organization can invest in when it comes to protecting information. The GAO agrees with this trend when they suggest that companies increase capacity to recruit and retain cybersecurity personnel. These are the individuals who will make a significant difference in the way your organization handles information security. There is, however, a talent shortage in this field. For many tasks, such as security testing, trusted third parties that specialize in those services are more effective and economical than maintaining full-time staff.
  • Automation and simplification of processes are other techniques for increasing information security. Complexity is the enemy of security. Some processes need to be simplified to better protect large amounts of information. However, changing processes is much more efficient when awareness is increased. The GAO encourages organizations to continue to increase awareness internally so that risks can be mitigated by individuals.
  • Incident response is a critical area that the GAO suggests organizations keep on the forefront of their information security planning. The weaknesses we’ve been talking about need to be mitigated and if there isn’t a sound process in place for responding to outside penetration of vulnerabilities then recovery is a serious problem.

When it comes to information security, there is always something that needs to be fixed. The best thing you can do is learn from other organizations’ mistakes and make sure you are prepared to handle any issues that come your way.


Subscribe to HORNE Cyber Blog




Megan is a Manager for HORNE Cyber where she specializes in cyber risk related assurance services. She provides analytic expertise regarding policy design and implementation as well as IT and data governance. Megan also consults on information systems environment compliance and management for public and middle market clients.

Find me on: