CUInfoSecurity.com - Information Security News, Regulations, & Education  

 

Government Information Security Reform Act (GISRA)


 GAO: FBI Needs to Address Weaknesses in Critical Network

Highlights of GAO-07-368, a report to F. James Sensenbrenner Jr., House of Representatives

The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI’s ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction.

GAO was asked to assess information security controls for one of FBI’s critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau’s information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI’s critical networks.



 Evaluation of Government Information Security Reform Act (GISRA) - NCUA

NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL EVALUATION
GOVERNMENT INFORMATION SECURITY REFORM ACT

The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:

• Assess compliance with GISRA and agency security policies and procedures; and
• Test effectiveness of information security control techniques for a subset of the agency’s information systems.

The Office of Management and Budget (OMB) has requested IGs to submit the results of their independent evaluation by responding specifically to questions 2 through 13 of OMB Memorandum M-01-24. The following presents our evaluation of the National Credit Union Administration’s (NCUA) compliance with GISRA.

The NCUA Office of Inspector General (OIG) has determined that NCUA is not yet in compliance with GISRA. The following represents the agency’s status toward compliance with key GISRA provisions as of August 2001:

• NCUA needs to develop an agency-wide security program. NCUA developed a draft security policy that will be incorporated in the security program. However, this policy has not been approved by the agency head or disseminated to personnel with key responsibilities.
• NCUA needs to perform formal risk assessments.
• NCUA program managers need to perform periodic management testing of controls and perform their annual program review as required by GISRA.
• For the reporting cycle, NCUA has provided some security training to personnel with significant security responsibilities, and security awareness training is provided to all employees on a 3-year cycle coinciding with equipment replacement. New examiners are provided with basic computer training, which includes security awareness. Contractors and new non-examiner personnel are not provided any security awareness training.
• NCUA needs to formalize an incident response program.
• NCUA’s Office of the Chief Information Officer (OCIO) needs to perform the annual security program review required by GISRA.
• NCUA has not yet determined the resources required to implement the security program and incorporate this program in the budget and strategic planning process.






Copyright © 2007 CUInfoSecurity.com