Interior Fails Big Time in FISMA Audit
IG Blames Lack of CIO Oversight, Under-Qualified Personnel
In a scathing report, the Interior Department inspector general said the department, once again, failed to comply with the Federal Information Security Management Act in fiscal 2009.
In the 46-page report posted on its website, the IG blamed a decentralized organizational structure, fragmented IT governance processes, lack of oversight, bureau resistance to departmental guidance and the use of substantially under-qualified personnel to perform significant IT security duties. These weaknesses exacerbate the challenges in securing Interior's IT systems, the IG said, adding that personnel responsible for managing Interior's IT programs failed to be accountable for results, wasting investments that aren't leveraged to their fullest.
"These serious flaws significantly negate the benefit of the $182 million spent on IT security in FY 2009 and the efforts of the 677 employees and contractors fully devoted to information security across the department," the IG wrote in Interior's annual FISMA assessment report.
A major flaw is the tendency for the department, bureau and office chief information officers to delegate IT security responsibility to regional managers, in contrast to federal law that calls for strong CIO oversight of information security. "Delegating authority from the department CIO has resulted in multiple layers of bureaucracy that impede achievement of results and drive up costs," the report said.
The IG also criticized Interior's IT governance, calling it inefficient, wasteful and lacking accountability. The Information Technology Management Council, Interior's governing body, consists of bureau and office CIOs who report to bureau and office directors, yet the council tackles department-wide information security concerns. "Implementation of ITMC decisions is sporadic and often incomplete," the IG wrote. "The lack of adequate governance constitutes a weakness in the department's overall information security program, which is a significant deficiency under FISMA."
Among the IG's recommendations:
- Realign the department CIO to report directly to the Interior secretary.
- Realign personnel with significant IT security responsibilities under the departmental CIO's purview.
- Consolidate and centralize the performance of significant IT security duties to improve consistency, enhance efficiency and reduce costs.