Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk

United States Government Publishing Office publisher pbl distributor dst United States Government Accountability Office author aut Government Organization text government publication eng GAOREPORTS Legislative Agency Publications gao legislative 2010-08-12 U.S. Government Printing Office 2001-08-13 monographic deposited born digital GA 1.13:GAO-01-751 https://www.govinfo.gov/app/details/GAOREPORTS-GAO-01-751 P0b002ee180387820 f:d01751 DGPO 2010-08-12 2011-03-28 GAOREPORTS-GAO-01-751 machine generated eng fdlp REPORT GAOREPORTS-GAO-01-751 GAO-01-751 Computer security Information resources management Information systems Internet National Plan for Information Systems Protection Other Written Product A01555 Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk The Department of Commerce generates and disseminates important economic information that is of paramount interest to U.S. businesses, policymakers, and researchers. The dramatic rise in the number and sophistication of cyberattacks on federal information systems is of growing concern. This report provides a general summary of the computer security weaknesses in the unclassified information systems of seven Commerce organizations as well as in the management of the department's information security program. The significant and persuasive weaknesses in the seven Commerce bureaus place the data and operations of these bureaus at serious risk. Sensitive economic, personnel, financial, and business confidential information is exposed, allowing potential intruders to read, copy, modify, or delete these data. Moreover, critical operations could effectively cease in the event of accidental or malicious service disruptions. Poor detection and response capabilities exacerbate the bureaus' vulnerability to intrusions. As demonstrated during GAO's testing, the bureaus' general inability to notice GAO's activities increases the likelihood that intrusions will not be detected in time to prevent or minimize damage. These weaknesses are attributable to the lack of an effective information security program with a lack of centralized management, a risk-based approach, up-to-date security policies, security awareness and training, and continuous monitoring of the bureaus' compliance with established policies and the effectiveness of implemented controls. These weaknesses are exacerbated by Commerce's highly interconnected computing environment. A compromise in a single poorly secured system can undermine the security of the multiple systems that connect to it. https://www.govinfo.gov/content/pkg/GAOREPORTS-GAO-01-751/html/GAOREPORTS-GAO-01-751.htm GAO-01-751 https://www.govinfo.gov/app/details/GAOREPORTS-GAO-01-751 Other Written Product GAO-01-751; Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk; Computer security Information resources management Information systems Internet National Plan for Information Systems Protection United States Public Law 74 (99th Congress) Public Law 99-74