« 総務省 確定 「ASP・SaaS事業者が医療情報を取り扱う際の安全管理に関するガイドライン」 | Main | 公認会計士協会 監査・保証実務委員会研究報告第20号「公認会計士等が行う保証業務等に関する研究報告」 »

2009.07.21

GAO Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses

 こんにちは、丸山満彦です。GAOが政府機関の情報セキュリティ対策の実施状況に対する報告書「Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses」を公表していますね。。。これから読んでいこうと思いますが、アクセスコントロールに課題が多いような感じですね。。。
 日本の会計検査院もこういうのをやってみるとよいのかもしれませんね。。。
 日本の場合はどうなのでしょうか・・・
 

 
■GAO
・2009.07.17 Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses
 ・・Quick View
 ・・Summary
 ・・Highlights Page
 ・・ Full Report
 ・・Accessible Text
 ・・Recommendations

=====
Background
   ・Agency Responsibilities
   ・Responsibilities of NIST
   ・Responsibilities of Inspectors General
   ・Responsibilities of OMB

Weaknesses in Information Security Place Sensitive Information at Risk
 ・Reported Incidents Are on the Rise and Place Sensitive Information at Risk
 ・Weaknesses in Controls Highlight Deficiencies in the Implementation of Security Policies and Practices
 ・Weaknesses Persist in All Major Categories of Controls

   ・Access Controls Were not Adequate
   ・Boundary Protection
   ・User Identification and Authentication
   ・Authorization
   ・Cryptography
   ・Auditing and Monitoring
   ・Physical Security
  ・Configuration Management Controls Were Not Always Implemented
  ・Segregation of Duties Was Not Appropriately Enforced
  ・Continuity of Operations Plans Have Shortcomings
  ・Agencywide Security Programs Were Not Fully Implemented
   ・Risk Assessments
   ・Policies and Procedures
   ・Security Plans
   ・Specialized Training
   ・System Tests and Evaluations
   ・Remedial Action Processes and Plans
 ・Opportunities Exist for Bolstering Federal Information Security

Agencies Continue to Report Progress in Implementing Requirements
  ・Agencies Report Mixed Progress in Implementing Security Awareness and Specialized Training
  ・Weaknesses Reported in Testing and Evaluating System Security Controls
  ・Agencies Reported Testing More Contingency Plans, but Inspectors General often Cited Weaknesses
  ・Agencies Reported More System, but Deficiencies Were identified in Inventory Processes
  ・Agencies Reported Higher Percentages, but Inspectors General Highlight Weaknesses in the Quality of Certifications and Accreditations
  ・Agencies Report Having Configuration Management Policies, but Did Not Always Implement Them
  ・Most Agencies Reported Following Security Incident Procedures, but Weaknesses in Procedures Continue at Selected Agencies
  ・Agencies Report Improvements in Remedial Actions, but Processes Could Be Strengthened
  ・Inspectors General Report Using Professional Standards for Conduction Independent Evaluations More, but Opportunities to Improve Consistency Remain
 ・Opportunities Remain for OMB to Improve Annual Reporting and Oversight of Agency Information Security Programs

Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

|

« 総務省 確定 「ASP・SaaS事業者が医療情報を取り扱う際の安全管理に関するガイドライン」 | Main | 公認会計士協会 監査・保証実務委員会研究報告第20号「公認会計士等が行う保証業務等に関する研究報告」 »

Comments

Post a comment



(Not displayed with comment.)




TrackBack

TrackBack URL for this entry:
http://app.cocolog-nifty.com/t/trackback/64462/45697813

Listed below are links to weblogs that reference GAO Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses:

« 総務省 確定 「ASP・SaaS事業者が医療情報を取り扱う際の安全管理に関するガイドライン」 | Main | 公認会計士協会 監査・保証実務委員会研究報告第20号「公認会計士等が行う保証業務等に関する研究報告」 »