In-Depth

The Best Compliance Resource You Don't Know About

The Government Accountability Office (GAO) produces a wealth of guidance and reports for the entire federal IT system, but this knowledge is just as applicable to their private sector counterparts. Here's a treasure map to navigate the GAO site, find reports of interest, and access critical compliance information.

• By Linda Briggs
• 12/12/2006

Government agencies that struggle with security and information privacy issues—and yes, private industry, you can take heart from the fact that there are plenty—surely cringe when the Government Accountability Office (GAO) comes calling. The GAO, with Congress as its client, serves as the internal auditor of the federal government. In that capacity, it publishes numerous reports each month, many of which are focused on IT and laden with detailed criticisms and recommendations on how particular government agencies are falling short in a wide variety of areas.

Other than triggering alarm at the repeated failings of some key government agencies to safeguard our national systems and data, the reports also offer a wealth of useful advice. Although it's geared to advise federal agencies on how they can improve, much of the GAO recommendations specific to IT can also translate to the private sector. All of the reports—and the GAO is prodigious, often issuing several a week—are publicly available as text or PDF files on the GAO's public Web site.

Knowing a treasure trove exists and finding it are two different things. Although there's a wealth of useful IT and compliance-related information, finding pertinent tidbits buried deep in reports—or even pertinent reports in their entirety—can be a challenge. Here's a quick primer on how to navigate the GAO site, find reports of interest, and sign up for regular e-mails on new releases pertinent to IT. To give you an idea of what's out there, we've also included examples from some recent IT-relevant reports.

The GAO's stated mission is to help improve the performance and assure the accountability of the executive branch of the federal government. The agency has issued almost 1,000 reports in the past 12 months, which range from lending practices to farmers, to funding for climate change studies, to illegal immigration problems, to 60 reports on homeland security issues—most of those critical.

The GAO is part of the legislative branch; 95 percent of GAO inquiries are triggered by requests from Congress. Since virtually every federal program depends on information technology as a delivery mechanism, the GAO has a broad and deep reach into just about every aspect of how and where government is using technology.

Given that the federal government spends upwards of $60 billion dollars a year on IT, it's a big job. According to Randolph Hite, the GAO's director of IT Architecture & Systems Issues, his staff of 165 is responsible for auditing the entire federal government relative to information technology. In addition to reviewing how agencies are implementing current technology, Hite's staff evaluates new programs and technologies to ensure that they are secure and meet the stated needs of a particular agency. "In the end, all we're really trying to do is make the government a better developer, acquirer, and user of technology," Hite says. "Basically, we're trying to get the biggest bang for the [government's] technology dollar."

Beyond its auditing capabilities, Hite's department also issues best practices reviews. "We take a top-down look at how an institution manages technology," Hite says. "Does it have the basic institutional controls [needed] to do things the right way?"

How to Find GAO Information

To get a sense of the wealth of reports available regarding IT, start at the GAO's "Reports and Testimony Browse by Topic," and click on Information Management. In the third quarter of 2006 alone, the GAO issued 13 reports on information management topics, several of which contain solid advice on improving IT infrastructure, including:

• "Critical Infrastructure Protection: DHS [Department of Homeland Security] Leadership Needed to Enhance Cybersecurity" (Sept. 2006)



• "Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network" (July 2006)



• "Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan" (July 2006)



• "Information Technology: Immigration and Customs Enforcement Is Beginning to Address Infrastructure Modernization Program Weaknesses but Key Improvements Still Needed" (July 2006)

You can see an obvious theme here just from the titles—the need for improvement—and the GAO reports aren't shy about drilling down on specifics. To make the most of a GAO report, note that their structures follow a typical pattern. There's a one-page abstract that summarizes the report ("highlights" replace this abstract, in PDF format), then the testimony to Congress, which is essentially the GAO report itself—view it by clicking on the GAO report number on the Web site. If you prefer a plain text format, select "Accessible Text."

Inside a GAO Report

From a certain perspective, GAO reports are basically audit and implementation guides that detail what auditors assess and ways that programs typically go wrong. Moreover, they often indicate valuable and specific remediation recommendations for the problems they uncover. Information that might be useful to privacy, security, and compliance officers is sprinkled throughout the reports.

For example, in an August 2006 report on information security in the Federal Deposit Insurance Corporation (FDIC) entitled "Federal Deposit Insurance Corporation Needs to Improve Its Program," the GAO said the FDIC, which is charged with regulating banking institutions and protecting some $7 trillion in bank deposits, has made progress on security issues, but still falls short.

Specifically, the report criticizes the agency for 20 new information security weaknesses, many of which will certainly sound familiar to compliance and security officers at private companies:

"Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security that are to prevent, limit, or detect access to its critical financial and sensitive systems and information," the report stated. "In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls."

In the 35-page report, the GAO specifically mentions issues such as failure of the FDIC to change vendor-supplied administrator accounts and passwords, or remove inactive user accounts.

While the FDIC has made progress in correcting previously reported weaknesses, the GAO said, in correcting 18 of 24 previous reported weaknesses, work remains:

"GAO identified 20 new information security weaknesses. Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security that are to prevent, limit, or detect access to its critical financial and sensitive systems and information. In addition, weaknesses exist in other information security controls relating to segregation of duties and application change controls."

A key reason for the new weaknesses, GAO concludes that:

"FDIC has not fully implemented elements of its information security program. For example, it has not consistently implemented its security-related policies, addressed security plans for certain applications, provided specialized training to individuals with significant security responsibilities, implemented remedial action plans for resolving known weaknesses, and updated or tested continuity plans in light of its implementation of the new financial environment. As a result, financial and sensitive information are at increased risk of unauthorized access, modification, and/or disclosure, possibly without detection. Because of this, GAO reported information system control weaknesses to be a reportable condition in 2005."

In another example, a September 2006 report on cybersecurity and the DHS, prepared for Rep. Tom Davis of (R-VA), who is chair of the congressional Committee on Government Reform, outlines a number of problems with the government's cybersecurity work to date, including incompatible and out-of-date information repositories on cybersecurity R&D and information. The report also criticized several agencies, including three in particular who, "fund and conduct much of cyber security R&D: the National Science Foundation and the Departments of Homeland Security and Defense." The GAO then specifically criticizes governmental efforts at coordinating R&D information:

"The federal government has established, and currently funds, two government-wide repositories and Web sites for R&D information that are available to, and searchable by, federal agencies and the public… The repositories generally contain the type of information about R&D tasks or awards required by the E-Government Act. Both are intended to provide the public and agencies with information about federally funded R&D activities and results."

However, the report found, both repositories were "incomplete and not fully populated with information about all federally funded tasks and awards. Query searches for cybersecurity research projects… produced limited results… As a result, the usefulness of the repositories and Web sites to facilitate the coordination of cybersecurity R&D activities, collaboration among researchers, and access to research information in a timely and efficient manner was limited."

There are many more reports pertinent to security, privacy and other compliance issues; here's a handful more, all issued in 2006:

• "Financial Restatements: Update of Public Company Trends, Market Impacts, and Regulatory Enforcement Activities" (July 2006)



• "Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data" (June 2006)



• "Information Technology: Agencies and OMB Should Strengthen Processes for Identifying and Overseeing High Risk Projects," (June 2006)

Reports Available Daily

Reports and testimony from the GAO are updated daily on the site at http://www.gao.gov/docsearch/repandtest.html. You can also order a free, printed copy of any report, but the PDFs are complimentary and can be downloaded from the Web site.

Reports often include charts and other background data; note that because these are government publications, the reports aren't copyrighted (although the images used in a particular diagram may be). So if a particular segment or set of numbers will help make a point in your own reporting, you can include it.

If you want recently posted reports to be e-mailed to you daily or monthly (your choice), go to http://www.gao.gov and select "Subscribe to Updates" in the right column. From there, be sure to click on the Information Management box in the list of topics that the GAO covers.

In addition to the newsfeeds, the GAO site includes a series of Best Practices Reviews. The reviews, which go back to 1990, "identify other public and private sector organizations that are widely recognized for major improvements in their performance in a specific area, such as financial management. The processes, practices, and systems identified in these leading organizations are referred to as best practices and provide a model for other organizations with similar functions and/or missions." There are two kinds of best practices reports: Comparative benchmarking reports match the processes or practices of a government agency with best practices for similar processes in the private sector. Best practices methodology studies provide a framework based on best practice reviews.