
2009.07.21

GAO Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses

Hello, this is Mitsuhiko Maruyama. The GAO has published a report on the state of implementation of information security measures at government agencies, "Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses"... I intend to read through it from here, but it looks like there are many issues around access control...
Japan's Board of Audit might do well to try something like this too...
I wonder how things stand in Japan...

■GAO
・2009.07.17 Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses
 ・・Quick View
 ・・Summary
 ・・Highlights Page
 ・・Full Report
 ・・Accessible Text
 ・・Recommendations

=====
Background
 ・Agency Responsibilities
 ・Responsibilities of NIST
 ・Responsibilities of Inspectors General
 ・Responsibilities of OMB

Weaknesses in Information Security Place Sensitive Information at Risk
 ・Reported Incidents Are on the Rise and Place Sensitive Information at Risk
 ・Weaknesses in Controls Highlight Deficiencies in the Implementation of Security Policies and Practices
 ・Weaknesses Persist in All Major Categories of Controls
  ・Access Controls Were Not Adequate
   ・Boundary Protection
   ・User Identification and Authentication
   ・Authorization
   ・Cryptography
   ・Auditing and Monitoring
   ・Physical Security
  ・Configuration Management Controls Were Not Always Implemented
  ・Segregation of Duties Was Not Appropriately Enforced
  ・Continuity of Operations Plans Have Shortcomings
  ・Agencywide Security Programs Were Not Fully Implemented
   ・Risk Assessments
   ・Policies and Procedures
   ・Security Plans
   ・Specialized Training
   ・System Tests and Evaluations
   ・Remedial Action Processes and Plans
 ・Opportunities Exist for Bolstering Federal Information Security

Agencies Continue to Report Progress in Implementing Requirements
 ・Agencies Report Mixed Progress in Implementing Security Awareness and Specialized Training
 ・Weaknesses Reported in Testing and Evaluating System Security Controls
 ・Agencies Reported Testing More Contingency Plans, but Inspectors General Often Cited Weaknesses
 ・Agencies Reported More Systems, but Deficiencies Were Identified in Inventory Processes
 ・Agencies Reported Higher Percentages, but Inspectors General Highlight Weaknesses in the Quality of Certifications and Accreditations
 ・Agencies Report Having Configuration Management Policies, but Did Not Always Implement Them
 ・Most Agencies Reported Following Security Incident Procedures, but Weaknesses in Procedures Continue at Selected Agencies
 ・Agencies Report Improvements in Remedial Actions, but Processes Could Be Strengthened
 ・Inspectors General Report Using Professional Standards for Conducting Independent Evaluations More, but Opportunities to Improve Consistency Remain
 ・Opportunities Remain for OMB to Improve Annual Reporting and Oversight of Agency Information Security Programs

Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
