IG Questions Infosec Efforts at Commerce Unit

Agency Advising President on Info Policy Needs to Step Up

The federal agency that advises the American president on telecommunications and information policy issues needs to step up its IT security efforts.

The information systems at the Commerce Department's National Telecommunications and Information Administration lack sufficient IT security controls because the required step of identifying the critical information in the systems has not been properly performed, according to an audit conducted by Commerce's Office of Inspector General.

"Without understanding the types of information that a system processes, stores or transmits, an organization cannot make an accurate determination of the risks to the system and select appropriate security controls," Assistant Inspector Allen Crawley writes in the audit.

Fundamental steps for securing NTIA's information and systems have not been taken, Crawley says, adding that when the IG assessed seven NTIA systems, it found these deficiencies:

  • Inadequate security categorizations that jeopardize critical bureau information.
  • Significant weaknesses in IT software and hardware inventory practices.
  • Major inadequacies in NTIA's process to remediate security weaknesses.
  • Weaknesses in managing its IT security workforce and developing effective IT security policies and procedures.
  • Significant deficiencies in key IT security controls.

"These issues have resulted in ineffective management of security controls needed to protect NTIA's systems and information," Crawley says.

The IG recommended that NTIA system owners, IT security officers, authorizing officials and other staff with critical IT security roles be appropriately trained, earn certifications as required by department policy and have the required metrics incorporated into their performance plans. NTIA's chief information officer and IT security officer should develop and maintain NTIA security policies, procedures, standards and guidance consistent with departmental and federal requirements, Crawley recommends.

Commerce's assistant secretary for communications and information, Lawrence Strickling, concurred with the IG's recommendations.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
