GSA's IG Identifies 4 IT Security Weaknesses
IG: Need to Strengthen Authentication, Configuration, Encryption
In the fiscal year 2010 audit required by the Federal Information Security Management Act, the IG recommends that GSA Chief Information Officer Casey Coleman:
- Strengthen configuration management practices for GSA systems by increasing oversight of security officials' application of baseline configuration requirements and expanding technical testing processes to include authenticated scanning.
- Work with system security officials to prioritize the implementation of audit logging and monitoring controls for GSA systems.
- Ensure that all systems that are remotely accessed implement multi-factor authentication, as appropriate.
- Implement an encryption solution for agency laptops that integrates into GSA's network environment.
The CIO concurs with the IG's findings.
Not all of the IG's comments are critical; the IG credits the GSA for taking steps to develop, document and implement an agency-wide IT security program. For example, the IG says, the CIO has updated GSA's IT security policy, published procedural guidance on a variety of information security topics and expanded the IT security program to cover cloud computing technologies.