The GAO Report on Information Security describes a number of serious issues found during a GAO review of 24 government agencies. "Each of the 24 agencies reviewed had weaknesses in information security controls.", p. 2. Most of the issues cited were indeed focused on information security, but a number of them related to configuration management. As a CM expert, you need to know about this report because the IT controls it describes must be established in both government and business. Let's review a few of the key findings.
Weaknesses Noted in All Major Categories of Controls
"Our, agency, and inspectors general assessments of information security controls during fiscal year 2010 revealed that most major federal agencies had weaknesses in each of the five major categories of information system controls: (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) configuration management controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and (5) agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented. All 24 agencies had vulnerabilities in access control, configuration management, and security management. Deficiencies in segregation of duties and contingency planning, while not reported for all of these agencies, were prevalent.", p. 11
Another key area cited was related to segregation of duties.
"Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a computer-related operation and thereby take unauthorized actions or gain unauthorized access to assets or records. Key steps to achieving proper segregation are ensuring that incompatible duties are separated and employees understand their responsibilities, and controlling personnel activities through formal operating procedures, supervision, and review.", p. 15
There's much more in this report that CM gurus should know about, because the issues cited highlight the IT controls that are essential in any regulatory environment. For example, the GAO highlights the importance of configuration management controls and the essential regulatory requirement for an independent application build, package, and deploy process.
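To make the two controls discussed above concrete, here is an added example (my own illustration, not code from the GAO report or from any agency) of a release gate that enforces them at deploy time. It checks the configuration management control that only authorized software is implemented, by comparing the SHA-256 digest of the artifact about to be deployed against an approved-software manifest, and it checks segregation of duties by refusing any release where one identity built, approved, and deployed the same package. The package name, identities, manifest, and artifact bytes are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Digest used to identify an authorized build artifact."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifact: in practice this would be the packaged
# build produced by the independent build step. Its digest is recorded in
# the approved-software manifest by the approver, not by the builder.
APPROVED_BUILD = b"constructed payroll-service build 1.4.2\n"
APPROVED_ARTIFACTS: Dict[str, str] = {
    "payroll-service": sha256_hex(APPROVED_BUILD),
}


@dataclass
class ReleaseRecord:
    """Who did what for one release; the identities are constructed."""
    package: str
    artifact: bytes
    built_by: str
    approved_by: str
    deployed_by: str


def check_segregation_of_duties(rec: ReleaseRecord) -> List[str]:
    """Return findings; an empty list means the incompatible duties are separated.

    Build, approval, and deployment are treated as incompatible duties, so no
    single identity may hold more than one of them for a given release.
    """
    findings: List[str] = []
    roles = {
        "built_by": rec.built_by,
        "approved_by": rec.approved_by,
        "deployed_by": rec.deployed_by,
    }
    first_role_seen: Dict[str, str] = {}
    for role, identity in roles.items():
        if identity in first_role_seen:
            findings.append(
                f"{identity} holds both {first_role_seen[identity]} and {role} "
                f"for {rec.package}"
            )
        else:
            first_role_seen[identity] = role
    return findings


def check_authorized_artifact(rec: ReleaseRecord, manifest: Dict[str, str]) -> List[str]:
    """Return findings; empty means the artifact is the approved build."""
    expected = manifest.get(rec.package)
    if expected is None:
        return [f"{rec.package} is not in the approved-software manifest"]
    actual = sha256_hex(rec.artifact)
    if actual != expected:
        return [f"{rec.package} digest {actual[:12]}... does not match the approved build"]
    return []


def gate_release(rec: ReleaseRecord, manifest: Dict[str, str]) -> List[str]:
    """Combine both controls; deploy only when the returned list is empty."""
    return check_segregation_of_duties(rec) + check_authorized_artifact(rec, manifest)


# Constructed release records exercising the gate.
GOOD_RELEASE = ReleaseRecord("payroll-service", APPROVED_BUILD, "alice", "bob", "carol")
SOD_VIOLATION = ReleaseRecord("payroll-service", APPROVED_BUILD, "alice", "bob", "alice")
TAMPERED_RELEASE = ReleaseRecord(
    "payroll-service", APPROVED_BUILD + b"unreviewed change\n", "alice", "bob", "carol"
)
UNKNOWN_PACKAGE = ReleaseRecord("shadow-tool", b"constructed bytes", "alice", "bob", "carol")


if __name__ == "__main__":
    for rec in (GOOD_RELEASE, SOD_VIOLATION, TAMPERED_RELEASE, UNKNOWN_PACKAGE):
        findings = gate_release(rec, APPROVED_ARTIFACTS)
        print(rec.package, "->", "DEPLOY" if not findings else findings)
```

The value of keeping the two checks separate is that each maps to a distinct finding category in the report: a digest mismatch is a configuration management finding (unauthorized software reaching production), while a repeated identity is a segregation of duties finding, and an auditor reviewing the gate's log can see which control tripped. The manifest must be written by the approver role and be read-only to the build and deploy roles, otherwise the digest check collapses back into a single person controlling the whole operation.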
Are you working in a regulatory environment? Please drop me a line and share some of your experiences with establishing IT controls. We will be publishing more articles explaining how to implement effective IT controls to meet these and other regulatory requirements.