GAO Questions Security of Census DataAuditor Says Many Deficiencies Relate to Access Controls
A government audit reveals that the Census Bureau does not do a good enough job protecting the confidentiality of its data - a stinging conclusion, considering the bureau collects personal information about every individual residing in the United States.
In the report made public Feb. 20 - entitled Information Security: Actions Needed by Census Bureau to Address Weaknesses - the Government Accountability Office says the bureau has not effectively implemented appropriate information security controls to protect its information systems. Auditors say many of the deficiencies at the Commerce Department agency relate to access controls, the security rules and procedures used to regulate who or what can access the bureau's systems.
As an example, GAO cites the bureau's failure to adequately:
- Control connectivity to key network devices and servers;
- Identify and authenticate users;
- Limit user access rights and permissions to only those necessary to perform official duties;
- Encrypt data in transmission and at rest;
- Monitor its systems and network;
- Ensure appropriate physical security controls were in place.
"Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion," GAO's Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 51-page report.
Framework Fails to Fully Identify Risks
Wilshusen and Barkakati said an underlying reason for these weaknesses is that the Census Bureau has not fully implemented a comprehensive information security program to ensure that controls are effectively established and maintained. Although the Census Bureau had begun implementing a new risk management framework with a goal of better management visibility of information security risks, the auditors said, the framework didn't fully document identified information security risks.
In addition, the bureau failed to update certain security management program policies, adequately enforce user requirements for security and awareness training and implement policies and procedures for incident response.
"Until the bureau implements a complete and comprehensive security program," the auditors wrote, "it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption or loss."
GAO offered 13 recommendations to address the problems, and Acting Commerce Secretary Rebecca Blank responded that, for the most part, it agreed with GAO's conclusions, adding the agency is forming a team to carefully review each finding and prepare a specific course of action to address them.
Bureau Questions Parts of Audit
Still, the bureau raised concerns with respect to several of GAO's finding, including one in which the auditor found the bureau's continuous monitoring program failed to include mechanisms for near real-time continuous monitoring. The bureau contended that the frequency at which it performs scans is based on the identified risk of the control or system being assessed, and that monthly scans were consistent with the risk level it had identified for census data.
But GAO said the bureau's response is inconsistent with the risk-based continuous monitoring plans providing for weekly scans that the Census Bureau provided auditors. In addition, the auditors said, National Institute of Standards and Technology guidelines note the importance of near real-time data as an input to an agency's security decision-making process, and the bureau's risk management framework documentation noted that near real-time risk monitoring is a long-term goal for the bureau. GAO said it has clarified its finding to better reflect the bureau's continuous monitoring plans.