IG Questions Infosec Efforts at Commerce UnitAgency Advising President on Info Policy Needs to Step Up
The federal agency that advises the American president on telecommunications and information policy issues needs to step up its IT security efforts.
The information systems at the Commerce Department's National Telecommunications and Information Administration lack sufficient IT security controls because the required step of identifying the critical information in the systems has not been properly performed, according to an audit conducted by Commerce's Office of Inspector General.
"Without understanding the types of information that a system processes, stores or transmits, an organization cannot make an accurate determination of the risks to the system and select appropriate security controls," Assistant Inspector Allen Crawley writes in the audit.
Fundamental steps for securing NTIA's information and systems have not been taken, Crawley says, adding that when the IG assessed seven NTIA systems, it found these deficiencies:
- Inadequate security categorizations that jeopardize critical bureau information.
- Significant weaknesses in IT software and hardware inventory practices.
- Major inadequacies in NTIA's process to remediate security weaknesses.
- Weaknesses in managing its IT security workforce and developing effective IT security policies and procedures.
- Significant deficiencies in key IT security controls.
"These issues have resulted in ineffective management of security controls needed to protect NTIA's systems and information," Crawley says.
The IG recommended that NTIA system owners, IT security officers, authorizing officials and other staff with critical IT security roles be appropriately trained, earn certifications as required by department policy and have the required metrics incorporated into their performance plans. NTIA's chief information officer and IT security officer should develop and maintain NTIA security policies, procedures, standards and guidance consistent with departmental and federal requirements, Crawley recommends.
Commerce's assistant secretary for communications and information, Lawrence Strickling, concurred with the IG's recommendations.