GAO: Census Bureau systems at risk due to lack of security controls
Despite taking steps to protect its computer systems and data, the Census Bureau is not effectively implementing appropriate information security controls to protect those systems, concludes a Government Accountability Office report (.pdf).
Access controls, designed to regulate who or what can access the Census Bureau's systems, are a major problem, according to the GAO. Specifically, auditors find that the bureau does not adequately control connectivity to key network devices and servers, identify and authenticate users, or limit user access rights and permissions to only those necessary to perform official duties. In addition, the GAO says the bureau is not properly encrypting data in transit and at rest, monitoring its systems and network, or ensuring that appropriate physical security controls are in place.
"Without adequate controls over access to its systems, the bureau cannot be sure that its information and systems are protected from intrusion," the report states.
Moreover, the GAO says the Census Bureau is not fully implementing a comprehensive information security program to ensure that controls are effectively established and maintained. Although the bureau started implementing a new risk management framework with the goal of giving management better visibility into information security risks, the report concludes that the framework did not fully document the identified information security risks.
Auditors also take issue with the Census Bureau for not updating certain security management program policies, adequately enforcing user requirements for security and awareness training, and implementing policies and procedures for incident response. While the Census Bureau documents policies and procedures for managing and implementing configuration management controls, key communication systems are not securely configured and do not have proper encryption, according to the GAO.
"Until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss," the report states.
The GAO makes 13 recommendations to the Census Bureau to enhance its agency-wide information security program. Even though the Commerce Department did not directly comment on the GAO's recommendations, in a written response the department says it has "broad agreement with the overall theme of the report" and indicates it will work to identify the best way to address the recommendations.
Download the report: GAO-13-63 (.pdf)