Jim Kouri
FBI addresses internal information security
By Jim Kouri
The Federal Bureau of Investigation relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information.
Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. The Government Accounting Office was asked to assess information security controls for one of FBI's critical networks.
To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources.
Specifically, FBI did not consistently configure network devices and services to prevent unauthorized insider access and ensure system integrity Nor did the FBI identify and authenticate users to prevent unauthorized access. The Bureau failed to enforce the principle of least privilege to ensure that authorized access was necessary and appropriate and failed to apply strong encryption techniques to protect sensitive data on its networks.
Taken collectively, these and other weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats. These weaknesses existed, in part, because the FBI had not fully implemented key information security program activities for the critical network reviewed.
The FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring.
However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
© Jim Kouri
The Federal Bureau of Investigation relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information.
Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. The Government Accounting Office was asked to assess information security controls for one of FBI's critical networks.
To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources.
Specifically, FBI did not consistently configure network devices and services to prevent unauthorized insider access and ensure system integrity Nor did the FBI identify and authenticate users to prevent unauthorized access. The Bureau failed to enforce the principle of least privilege to ensure that authorized access was necessary and appropriate and failed to apply strong encryption techniques to protect sensitive data on its networks.
Taken collectively, these and other weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats. These weaknesses existed, in part, because the FBI had not fully implemented key information security program activities for the critical network reviewed.
The FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring.
However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
© Jim Kouri
The views expressed by RenewAmerica columnists are their own and do not necessarily reflect the position of RenewAmerica or its affiliates.
(See RenewAmerica's publishing standards.)
