Most Federal Web Sites Fail Privacy Test

According to a congressional report released by the U.S. General Accounting Office Tuesday, only three percent of the government Web sites surveyed meet the currently proposed privacy standards.

The GAO report reviewed Web content of 24 major federal agencies including some 65 government Web sites. Only three percent of the Web sites surveyed, or about two sites, passed the GAO's security and privacy tests.

Joel Willemssen, director of civil agencies information and author of the GAO report, said in a statement that privacy concerns and security risks abound at government Web sites.

"At 21 of the 24 agencies, we identified problems in the area of security program management fundamental to the effectiveness of privacy protections," Willemssen said.

The GAO's security program management review covered a range of activities related to understanding information security risks, including selecting and implementing security controls and ensuring that controls, once implemented, continue to operate effectively.

House Majority Leader Dick Armey (R-TX) blamed the White House for failing to implement the "fair information principles" proposed by the Federal Trade Commission.

"The GAO report is a devastating assessment of the Clinton-Gore Administration's failure to live by its own privacy standards," Armey said. "People with glass Web sites should not throw stones. Since only three percent of the Administration Web sites met all four FTC privacy criteria, perhaps the government could take a few lessons from the private sector."

In a statement from the White House, a representative disputed the report as misleading because the FTC's privacy guidelines were not designed to apply to U.S. agencies.

What unnerves people online and off is that the report included alarming findings about who has access to data collected at the U.S. Department of the Treasury, which operates Web sites for the Internal Revenue Service, the Bureau of Alcohol, Tobacco & Firearms, and the U.S. Customs Service, among other federal agencies and bureaus.

Rep. Armey said he is deeply concerned about how the federal government collects and stores vast amounts of personal information about you and me.

"You are required to give personal information to the government; you have no choice," Armey said. "You don't have an option to use a commercial website if you feel the government has a bad privacy policy. Which worries you more? The IRS disclosing your personal financial information or the GAP.com knowing how many pairs of jeans you've bought this year?"

Armey added that it is critical to restore confidence in the federal government's ability to protect citizens' personal information.

"I think the government should start worrying about whether it really should be maintaining so much information on its citizens," Armey said. "That would be one positive step toward protecting our privacy."

The GAO first started reviewing federal computer and security systems in September 1996. Not much has changed since it first announced that federal computer security systems are fraught with weaknesses and that critical operations and government assets are at risk.

Willemssen said previous analyses have shown that federal agencies were not adequately protecting the networks that process, store, and transmit enormous amounts of sensitive personal data.

"In September 1996, we reported that serious weaknesses had been found at 10 of the largest 15 federal agencies," Willemssen said. "In that report we concluded that poor information security was a widespread federal problem with potentially devastating consequences. In our 1997 and 1999 reports to the Congress, we identified information security as a high-risk issue."

For most agencies, the weaknesses reported covered a full range of computer security controls. Specifically, security program planning and management were inadequate. Physical and logical access controls also were not effective in preventing or detecting system intrusions and misuse.

In addition, software change controls were ineffective in ensuring that only properly authorized and tested software programs were implemented. Finally, sensitive operating system software was not adequately controlled, and adequate steps had not been taken to ensure continuity of computerized operations.

The report recommends that each federal agency surveyed set up stringent management procedures and an organizational framework for identifying and assessing risks. Once policies and controls are decided, the agencies in question need to periodically evaluate the effectiveness of their security systems.

In addition to problems stemming from outside threats to federal computer systems, such as well-publicized e-mail viruses and denial-of-service attacks, the GAO report cited many examples of how lax security creates a threat from within by government employees.

At one agency, all 1,100 users were granted access to sensitive system directories and settings that could alter sensitive personal data. At another agency, 20,000 users had been provided access to one system without written authorization. At yet another agency, system support personnel had the ability to change data in the system audit log. As a result, they could not only engage in a wide array of inappropriate activity, they could also delete related segments of an audit log to cover their tracks and diminish the likelihood that their actions would be detected.

The GAO found that simple security procedures, such as password protection and regular password updates, were not in place at most federal Web sites. Also, few federal agencies had stringent timelines for removing the access permissions of former employees.

Willemssen said there are many specific causes of security weaknesses, but an underlying problem is poor security program management and poor administration of available control techniques. He added that federal agencies need to do more to address security risks and protect the privacy of American citizens.

"We and agency inspectors general have made scores of recommendations to agencies regarding specific steps they should take to make their security programs more effective," Willemssen said. "Most agencies have heeded these recommendations and taken at least some corrective actions. However, more needs to be done."

October 14th, 2008 - Posted in hznj.com