U.S. Government Accountability Office (GAO): Agencies need to develop and implement adequate policies for periodic testing of information security
Hello, this is Mitsuhiko Maruyama. This is a bit old, but it is a U.S. Government Accountability Office report dated 2006.10.20. The gist seems to be that agencies need to develop and implement adequate policies for periodic testing of information security.
■GAO GAO-07-65
・2006.10.20 Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing
・・Abstract
・・Highlights-PDF
・・PDF (GAO-07-65)
=====
> Why GAO Did This Study
Agencies rely extensively on computerized information systems and electronic data to carry out their missions. To ensure the security of the information and information systems that support critical operations and infrastructure, federal law and policy require agencies to periodically test and evaluate the effectiveness of their information security controls at least annually. GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls. GAO surveyed 24 major federal agencies and analyzed their policies to determine whether the policies address important elements for periodic testing. GAO also examined testing documentation at 6 agencies to assess the quality and effectiveness of testing on 30 systems.
> What GAO Found
Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls. Agencies' policies often did not include important elements for performing effective testing. For example, none of the agencies' policies addressed how to determine the depth and breadth of testing according to risk. Also, agencies did not always address other important elements, including the identification and testing of security controls common to multiple systems, the definition of roles and responsibilities of personnel performing tests, and the frequency of periodic testing. The six case study agencies did not effectively implement policies for periodically testing and evaluating information security controls for the 30 systems reviewed. The methods and practices for testing and evaluating controls at the six agencies were not adequate to ensure that assessments were consistent, of similar quality, and repeatable. For example, these agencies did not always sufficiently document their test methods and results, did not define the assessment methods to be used when evaluating security controls, did not test security controls as prescribed, and did not include previously reported remedial actions or weaknesses in their test plans to ensure they had been addressed. As a result, agencies may not have reasonable assurance that controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency. In addition, agencies may not be fully aware of the security control weaknesses in their systems, thereby leaving the agencies' information and systems vulnerable to attack or compromise.
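The elements GAO says agency policies and test plans were missing (a defined testing frequency, defined roles, testing depth tied to risk, controls tested as prescribed with a documented assessment method and result, and previously reported weaknesses carried into the test plan) can be checked mechanically once plans are recorded as structured data. The following is an added example, not code from GAO or from this blog; the field names, the set of assessment methods and all records are constructed for illustration.

```python
"""Added example (not from the GAO report or the blog post): apply the
periodic-testing elements the report lists to one system's test plan.
All field names and records here are assumptions constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assessment method names used in control assessments; the set is an assumption
# for this example, not a list taken from the report.
VALID_METHODS = {"examine", "interview", "test"}


@dataclass
class Policy:
    frequency_days: Optional[int]     # how often controls must be tested; None = undefined
    roles_defined: bool               # whether tester/reviewer responsibilities are assigned
    depth_by_risk: Dict[str, str]     # risk level -> required assessment depth


@dataclass
class TestPlan:
    system: str
    risk_level: str
    controls: Dict[str, Dict[str, str]]   # control id -> {"method": ..., "result": ...}
    reverified_weaknesses: Set[str]       # prior findings this plan re-tests


def assess_test_plan(policy: Policy, plan: TestPlan,
                     prescribed_controls: Set[str],
                     prior_weaknesses: Set[str]) -> List[str]:
    """Return a list of gap descriptions; an empty list means every element checked is present."""
    gaps: List[str] = []

    # Policy-level elements: frequency, roles, depth/breadth according to risk.
    if policy.frequency_days is None:
        gaps.append("policy does not define testing frequency")
    if not policy.roles_defined:
        gaps.append("policy does not define roles and responsibilities for testing")
    if plan.risk_level not in policy.depth_by_risk:
        gaps.append(f"no testing depth defined for risk level '{plan.risk_level}'")

    # Controls prescribed for the system must actually appear in the plan.
    for cid in sorted(prescribed_controls - set(plan.controls)):
        gaps.append(f"prescribed control {cid} not tested")

    # Each tested control needs a defined assessment method and a documented result.
    for cid in sorted(plan.controls):
        entry = plan.controls[cid]
        if entry.get("method", "") not in VALID_METHODS:
            gaps.append(f"{cid}: assessment method not defined")
        if not entry.get("result", ""):
            gaps.append(f"{cid}: test result not documented")

    # Previously reported weaknesses must be carried into the plan for re-verification.
    for wid in sorted(prior_weaknesses - plan.reverified_weaknesses):
        gaps.append(f"previously reported weakness {wid} not included in test plan")

    return gaps


def example_gaps() -> List[str]:
    """Run the checker over constructed sample records and return the gaps found."""
    policy = Policy(frequency_days=365, roles_defined=True,
                    depth_by_risk={"moderate": "test", "high": "test"})
    plan = TestPlan(
        system="payroll-db",            # constructed system name
        risk_level="moderate",
        controls={
            "AC-2": {"method": "test", "result": "pass"},
            "AU-6": {"method": "", "result": "pass"},        # method missing
            "IA-5": {"method": "interview", "result": ""},   # result missing
        },
        reverified_weaknesses={"W-2005-17"},
    )
    prescribed = {"AC-2", "AU-6", "IA-5", "SC-7"}            # SC-7 is never tested
    prior = {"W-2005-17", "W-2005-23"}                       # W-2005-23 is dropped
    return assess_test_plan(policy, plan, prescribed, prior)


if __name__ == "__main__":
    for gap in example_gaps():
        print(gap)
```

The checker only covers elements the report names; it says nothing about whether a recorded "pass" was actually earned, which is why GAO also examined the underlying test evidence at the six case-study agencies.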
=====
So the U.S. is struggling with this too...
[References]
● Search for GAO reports
● This blog
・2005.06.16 U.S. GAO warns that U.S. government agencies are defenseless against online threats
・2005.06.01 U.S. GAO audit findings on the Securities and Exchange Commission
・2005.05.31 U.S. GAO warns of insufficient attention to privacy and the use of RFID
・2005.05.31 U.S. GAO criticizes the Department of Homeland Security as defenseless on cybersecurity
・2005.04.22 The U.S. GAO is working hard on information security audits
・2005.03.29 The GAO web page
・2005.06.07 House of Councillors requests that the Board of Audit of Japan prioritize inspection of IT system operations