GAO Pans Agriculture Department For Inadequate Information-Security ControlsGAO Pans Agriculture Department For Inadequate Information-Security Controls

A lack of information-security controls at the Department of Agriculture puts at risk sensitive information about citizens, payroll and financial transactions, trade secrets, agricultural production and marketing estimates, and critical data, government auditors said in a report issued Monday. The USDA pledges to fix the problems.

The General Accounting Office, the investigative arm of Congress, reports that significant and pervasive information-security control flaws exist at the USDA, including serious access-control flaws. Specifically, it says, the USDA has not adequately protected network boundaries, sufficiently controlled network access, appropriately limited mainframe access, or fully implemented a comprehensive program to monitor access activity. Weaknesses in other information-security controls--including physical security, personnel controls, system software, application software, and service continuity--further increase the risk to the USDA's information systems, according to the 34-page report.

"Interruptions in USDA's ability to fulfill its missions could have a significant adverse impact on the nation's food and agricultural production," writes Robert Dacey, GAO's director of information-security issues. "In addition, securing sensitive information is critical to USDA's efforts to maintain public confidence in the department."

The GAO says the department hasn't yet fully developed and implemented a comprehensive security-management program to ensure that effective controls are established and maintained and that information security receives significant management attention. For example, agency security personnel have lacked the management involvement needed to effectively implement security programs, three agencies have not completed any of the required risk assessments, and security controls have been tested and evaluated for less than half of the department's systems in the past year, the GAO says.

In commenting on a draft of the report, USDA concurred with the GAO's recommendations, saying it recognizes the need to improve information security throughout the department and plans to correct the specific weaknesses identified, as well as fully implement a comprehensive security-management program.

The full report can be read at www.gao.gov/new.items/d04154.pdf.