Information security lapses at federal agencies skyrocket, says GAO

The most prevalent types of information security incidents include infections from malicious code; violations of acceptable-use policies; unauthorized access to networks, applications, and data; and scans, probes and attempted access. Denial-of-service attacks were involved in only 1% of incidents, according to the GAO report.

Ongoing weaknesses in information security policies and practices at 24 major federal agencies continue to place the “confidentiality, integrity, and availability of sensitive information and information systems at risk”, the federal watchdog warned. These agencies have failed to fully implement their information security programs, which has contributed to these weaknesses, the GAO added.

The report chastised federal agencies for failing to implement hundreds of recommendations made by the GAO, as well as individual agency inspectors general.

The GAO faulted the Office of Management and Budget (OMB), which is tasked with overseeing information security at federal agencies, for failing to provide performance targets against which agencies can measure improvement in information security.

Also, GAO said the agencies themselves have fallen short in training personnel, monitoring security controls, remediating weaknesses, and resolving incidents in a timely manner.

“Until hundreds of recommendations are implemented and program weaknesses are corrected, agencies will continue to face challenges in securing their information and information systems”, the GAO warned.

The OMB responded to the GAO by noting that the Department of Homeland Security is taking over responsibility for overseeing performance targets for federal agencies under the Federal Information Security Management Act (FISMA). The federal agencies examined in the report did not have any comments about the GAO’s findings.