BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  

 

Government Accountability Office (GAO)


 GAO on Influenza Pandemic: Opportunities Exist to Address Critical Infrastructure Protection Challenges That Require Federal and Private Sector Coordination

This GAO announcement has highlights of GAO-08-36, a report to congressional requesters.

An outbreak of pandemic flu would require close cooperation between the public and private sectors to ensure the protection of our nation’s critical infrastructure, such as drinking water and electricity. Because over 85 percent of the nation’s critical infrastructure is owned and operated by the private sector, it is vital that both sectors effectively coordinate to successfully protect these assets. The Department of Homeland Security (DHS) is responsible for coordinating a national protection strategy and government and private sector councils have been created as a collaborating tool.

GAO was asked to assess how the federal and private sectors are working together at a national level to protect the nation’s critical infrastructure in the event of a pandemic, the challenges they face, and opportunities for addressing these challenges. GAO reviewed 5 of the 17 critical infrastructure sectors. These 5 sectors are energy (electricity), food and agriculture, telecommunications, transportation (highway and motor carrier), and water.



 GAO Report on Financial Regulation

What GAO Found

The inherent problems of measuring the costs and benefits of regulation make it difficult to assess the extent to which regulations may be unduly burdensome to U.S. financial services firms, particularly in comparison to firms in other countries.



 Public and Private Entities Face Challenges in Addressing Cyber Threats

Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.



 Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve

DHS has issued a national plan aimed at providing a consistent approach to critical infrastructure protection, ensured that all 17 sectors have organized to collaborate on protection efforts, and worked with government and private sector partners to complete all 17 sector-specific plans. Nevertheless, our work has shown that sectors vary in terms of how complete and comprehensive their plans are. Furthermore, DHS recognizes that the sectors, their councils, and their plans must continue to evolve. As they do, and as the plans are updated and annual implementation reports are provided that begin to show the level of protection achieved, it will be important that the plans and reports add value, both to the sectors themselves and to the government as a whole. This is critical because DHS is dependent on these plans and reports to meet its mandate to evaluate whether gaps exist in the protection of the nation’s most critical infrastructure and key resources and, if gaps exist, to work with the sectors to address them.



 GAO: Data Breaches Frequent, but Evidence of Resulting Identity Theft Limited; Full Extent Unknown

The following GAO report highlights GAO-07-737, a report to congressional requesters. In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information.



 GAO Management Report: Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures

In February 2007, the GAO issued its opinions on the calendar year 2006 financial statements of the Deposit Insurance Fund (DIF) and the FSLIC Resolution Fund (FRF). It also issued its opinion on the effectiveness of the Federal Deposit Insurance Corporation’s (FDIC) internal control over financial reporting (including safeguarding assets) and compliance as of December 31, 2006, and its



 GAO: Agencies Report Progress, but Sensitive Data Remain at Risk

Federal agencies have recently reported a spate of security incidents that put sensitive data at risk. Personally identifiable information about millions of Americans has been lost, stolen, or improperly disclosed, thereby exposing those individuals to loss of privacy, identity theft, and financial crimes.



 GAO: FBI Needs to Address Weaknesses in Critical Network

The Federal Bureau of Investigation (FBI) relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information. Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI’s ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. GAO was asked to assess information security controls for one of FBI’s critical networks. To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau’s information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI’s critical networks.



 GAO: Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program

Highlights of GAO-07-351, a report to the Chief Financial Officer and Chief Operating Officer, Federal Deposit Insurance Corporation

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. As part of its audit of the calendar year 2006 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of FDIC’s system integrity controls to protect the confidentiality and availability of its financial information and information systems.

To do this, GAO examined pertinent security policies, procedures, and relevant reports. In addition, GAO conducted tests and observations of controls



 GAO Report on Financial Market Preparedness: Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain

FINANCIAL MARKET PREPAREDNESS

Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain

Highlights of GAO-07-399, a report to congressional requesters

This is GAO’s third report since the September 11 terrorist attacks that assesses progress that market participants and regulators have made to ensure the security and resiliency of our securities markets. This report examined (1) actions taken to improve the markets’ capabilities to prevent and recover from attacks; (2) actions taken to improve disaster response and increase telecommunications resiliency; and (3) financial regulators’ efforts to ensure market resiliency. GAO inspected physical and electronic security measures and business continuity capabilities using regulatory, government, and industry-established criteria and discussed improvement efforts with broker dealers, banks, regulators, telecommunications carriers, and trade associations.

What GAO Recommends

To improve the readiness of the securities markets to withstand potential disease pandemics, securities and banking regulators should consider taking additional actions, including providing formal expectations that market participants’ plans address even severe pandemic outbreaks and setting a date by which such plans should be completed. Banking and securities regulators indicated they believe organizations are adequately addressing this risk, but will consider taking the recommended actions if progress lags. GAO believes that giving greater consideration now would better assure market readiness.



 Persistent Weaknesses Highlight Need for Further Improvement

Why GAO Did This Study

For many years, GAO has reported that weaknesses in information security are a widespread problem with potentially devastating consequences—such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue.



 DATA MINING - Early Attention to Privacy in Developing a Key DHS Program Could Reduce Risks

The government’s interest in using technology to detect terrorism and other threats has led to increased use of data mining. A technique for extracting useful information from large volumes of data, data mining offers potential benefits but also raises privacy concerns when the data include personal information.

GAO was asked to review the development by the Department of Homeland Security (DHS) of a data mining tool known as ADVISE (Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement). Specifically, GAO was asked to determine (1) the tool’s planned capabilities, uses, and associated benefits and (2) whether potential privacy issues could arise from using it to process personal information and how DHS has addressed any such issues. GAO reviewed program documentation and discussed these issues with DHS officials.



 Human Capital and Risk Assessment Programs Appear Sound, but Evaluations of Their Effectiveness Should Be Improved

Why GAO Did This Study

The Federal Deposit Insurance Reform Conforming Amendments Act of 2005 requires GAO to report on the effectiveness of Federal Deposit Insurance Corporation’s (FDIC) organizational structure and internal controls. GAO reviewed (1) mechanisms the board of directors uses to oversee the agency, (2) FDIC’s human capital strategies and how its training initiatives are evaluated, and (3) FDIC’s process for monitoring and assessing risks to the banking industry and the deposit insurance fund, including its oversight and evaluation. To answer these objectives, GAO analyzed FDIC documents, reviewed recommended practices and GAO guidance, conducted interviews with FDIC officials and board members, and conducted site visits to FDIC regional and field offices in three states.

What GAO Recommends

GAO recommends that FDIC (1) develop outcome-based performance measures for key human capital initiatives and make available such performance results to all employees and (2) develop policies and procedures that define how it will systematically and comprehensively evaluate its risk assessment activities.



 Bank Regulators Need to Improve Transparency and Overcome Impediments to Finalizing the Proposed Basel II Framework

What GAO Recommends

With safeguards, it is appropriate for U.S. banking regulators to proceed with finalizing Basel II and begin the transition period. GAO recommends that they (1) clarify some aspects of the Notice of Proposed Rulemaking (NPR); (2) issue a new NPR if material differences from the current NPR, or a U.S. standardized approach option, are planned for the final rule; (3) issue periodic public reports on progress, results, and any needed adjustments; and (4) at the end of the transition period, reevaluate the appropriateness of Basel II as a long-term framework for setting regulatory capital. The Federal Reserve said it agreed with our recommendations and the other banking agencies said they will consider them as part of the rule-making process.



 Hurricanes Katrina and Rita Disaster Relief - Prevention Is the Key to Minimizing Fraud, Waste, and Abuse in Recovery Efforts

Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While federal and state governments continue to respond to this disaster, GAO has identified significant control weaknesses, specifically in the Federal Emergency Management Agency (FEMA)'s Individuals and Households Program (IHP) and in the Department of Homeland Security (DHS)'s purchase card program, resulting in significant fraud, waste, and abuse. In response to the numerous recommendations GAO made, DHS and FEMA have reported on numerous actions taken to address our recommendations.

Lessons learned from GAO's prior work can serve as a framework for an effective fraud prevention system for federal and state governments as they consider spending billions more on disaster recovery. These lessons are particularly important because funding that is lost to fraud, waste, and abuse reduces the amount of money that could be delivered to victims in need.



 FinCEN and IRS Need to Improve and Better Coordinate Compliance and Data Management Issues

Why GAO Did This Study
In 2005, over 16 million Bank Secrecy Act (BSA) reports were filed by more than 200,000 U.S. financial institutions. Enacted in 1970, BSA is the centerpiece of the nation’s efforts to detect and deter criminal financial activities. Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Internal Revenue Service (IRS) play key roles in BSA compliance, enforcement, and data management. GAO was asked to describe FinCEN’s and IRS’s roles and assess their effectiveness at ensuring BSA compliance and efforts to reengineer BSA data management.



 Hurricanes Katrina and Rita Disaster Relief - Continued Findings of Fraud, Waste, and Abuse

Why GAO Did This Study
Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. While the Federal Emergency Management Agency (FEMA) continues to respond to this disaster, GAO's previous work identified significant control weaknesses, specifically in FEMA's Individuals and Households Program (IHP) and in the Department of Homeland Security's (DHS) purchase card program, resulting in significant fraud, waste, and abuse.

Today's testimony will address whether FEMA provided improper and potentially fraudulent (1) rental assistance payments to registrants at the same time it was providing free housing via trailers and apartments; (2) duplicate assistance payments to individuals who claimed damages to the same property for both hurricanes Katrina and Rita; and (3) IHP payments to non-U.S. residents who did not qualify for IHP. This testimony will also discuss (1) the importance of fraud identification and prevention, and (2) the results of our investigation into property FEMA bought using DHS purchase cards.



 NCUA’s Controls and Related Procedures for Board Independence and Objectivity Are Similar to Other Financial Regulators, but Opportunities Exist to Enhance Its Governance Structure

The Honorable William M. Thomas Chairman, Committee on Ways and Means House of Representatives

Dear Mr. Chairman:

During recent congressional hearings and in public speeches, statements made by the National Credit Union Administration's (NCUA) Chairman and another board member raised congressional interest in the ability of NCUA to collect and objectively analyze data on credit union membership and executive compensation. More generally, these statements also raised issues about the agency's overall vigilance as a regulator and the independence and objectivity of NCUA's board and senior staff from the industry being regulated.



 Agencies Need to Develop and Implement Adequate Policies for Periodic Testing

Why GAO Did This Study
Agencies rely extensively on computerized information systems and electronic data to carry out their missions. To ensure the security of the information and information systems that support critical operations and infrastructure, federal law and policy require agencies to periodically test and evaluate the effectiveness of their information security controls at least annually.

GAO was asked to evaluate the extent to which agencies have adequately designed and effectively implemented policies for testing and evaluating their information security controls.



 Managing Sensitive Information - DOJ Needs a More Complete Strategy for Managing Classified Information and a Set of Internal Controls for Other Sensitive Information

Why GAO Did This Study
The September 11 attacks showed that agencies must balance the need to protect and share sensitive information to prevent future attacks. Agencies classify this information or designate it sensitive but unclassified to protect and limit access to it. The National Archives' Information Security Oversight Office (ISOO) assesses agencies' classification management programs, and in July 2004 and April 2005 recommended changes to correct problems at the Justice Department (DOJ) and Federal Bureau of Investigation (FBI). GAO was asked to examine (1) DOJ's and FBI's progress in implementing the recommendations and (2) the management controls DOJ components have to ensure the proper use of sensitive but unclassified designations. GAO reviewed ISOO's reports and agency documentation on changes implemented and controls in place, and interviewed security program managers at DOJ, its components, and ISOO to examine these issues.



 Coordination of Federal Cyber Security Research and Development

Research and development (R&D) of cyber security technology is essential to creating a broader range of choices and more robust tools for building secure, networked computer systems in the federal government and in the private sector. The National Strategy to Secure Cyberspace identifies national priorities to secure cyberspace, including a federal R&D agenda.

GAO was asked to identify the (1) federal entities involved in cyber security R&D; (2) actions taken to improve oversight and coordination of federal cyber security R&D, including developing a federal research agenda; and (3) methods used for technology transfer at agencies with significant activities in this area. To do this, GAO examined relevant laws, policies, budget documents, plans, and reports.



 Restated Financial Statements: Agencies’ Management and Auditor Disclosures of Causes and Effects and Timely Communication to Users

GAO continues to have concerns about restatements to federal agencies' previously issued financial statements. During fiscal year 2005, at least 7 of the 24 Chief Financial Officers (CFO) Act agencies restated certain of their fiscal year 2004 financial statements to correct misstatements. To study this trend, GAO reviewed the nature and causes of the restatements made by certain CFO Act agencies in fiscal year 2004 to their fiscal year 2003 financial statements. Eleven CFO Act agencies had restatements for fiscal year 2003. Nine of those 11 received unqualified opinions on their originally issued fiscal year 2003 financial statements. GAO’s view is that users of federal agencies' financial statements and the related audit reports need to be provided at least a basic understanding of why a restatement was necessary and its effect on the agencies' previously issued financial statements and related audit reports. This report communicates GAO's observations on the transparency and timeliness of the 9 federal agencies' and their auditors' restatement disclosures.



 Minority Banks - Regulators Need to Better Assess Effectiveness of Support Efforts

Minority banks can play an important role in serving the financial needs of historically underserved communities and growing populations of minorities. For this reason, the Financial Institutions, Reform, Recovery, and Enforcement Act of 1989 (FIRREA) established goals that the Federal Deposit Insurance Corporation (FDIC) and the Office of Thrift Supervision (OTS) must work toward to preserve and promote such institutions (support efforts).

To evaluate their efforts, as well as those of the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, GAO (1) reviewed the profitability of minority banks, (2) identified the regulators' support and assessment efforts, and (3) obtained the views of minority banks on the regulators' efforts.



 Purchase Cards - Control Weaknesses Leave DHS Highly Vulnerable to Fraudulent, Improper, and Abusive Activity

Why GAO Did This Study

In the wake of the 2005 hurricanes in the Gulf Region, GAO and the Department of Homeland Security Office of Inspector General (DHS OIG) initiated a number of audits and investigations addressing the federal government's response to those events. On July 19, 2006, GAO testified on the results of its purchase card work. This report summarizes the testimony and provides recommendations.

Department of Homeland Security (DHS) cardholders made thousands of transactions related to hurricane relief operations. GAO analyzed transactions between June and November of 2005 to determine if (1) DHS's control environment and management of purchase card usage were effective; (2) DHS's key internal control activities operated effectively and provided reasonable assurance that purchase cards were used appropriately; and (3) potentially fraudulent, improper, and abusive purchase card activity existed at DHS.



 Unprecedented Challenges Exposed the Individuals and Households Program to Fraud and Abuse

Why GAO Did This Study

In 2005, Hurricanes Katrina and Rita caused unprecedented damage. FEMA’s Individuals and Households Program (IHP) provides direct assistance (temporary housing units) and financial assistance (grant funding for temporary housing and other disaster-related needs) to eligible individuals affected by disasters. Our objectives were to (1) compare the types and amounts of IHP assistance provided to Hurricanes Katrina and Rita victims to other recent hurricanes, (2) describe the challenges FEMA faced by the magnitude of the requests for assistance following Hurricanes Katrina and Rita, and (3) determine the vulnerability of the IHP program to fraud and abuse. GAO determined the extent to which the program was vulnerable to fraud and abuse by conducting statistical sampling, data mining, and undercover operations.



 GAO - Federal Deposit Insurance Corporation Needs to Improve Its Program

The Federal Deposit Insurance Corporation (FDIC) has a demanding responsibility enforcing banking laws, regulating financial institutions, and protecting depositors. The corporation relies extensively on computerized systems to support and carry out its financial and mission-related operations.

As part of the audit of the calendar year 2005 financial statements, GAO assessed (1) the progress FDIC has made in correcting or mitigating information security weaknesses previously reported and (2) the effectiveness of the corporation's information system controls to protect the confidentiality, integrity, and availability of its key financial information and information systems.



 Information Security - Federal Reserve Needs to Address Treasury Auction Items

The Federal Reserve System's Federal Reserve Banks (FRB) serve as fiscal agents of the U.S. government when they are directed to do so by the Secretary of the Treasury. In this capacity, the FRBs operate and maintain several mainframe and distributed-based systems (including the systems that support the Department of the Treasury's auctions of marketable securities) on behalf of the department's Bureau of the Public Debt (BPD). Effective security controls over these systems are essential to ensure that sensitive and financial information is adequately protected from inadvertent or deliberate misuse, disclosure, or destruction.

In support of its audit of BPD's fiscal year 2005 Schedule of Federal Debt, GAO assessed the effectiveness of information system controls in protecting financial and sensitive auction information on key mainframe and distributed-based systems that the FRBs maintain and operate for BPD. To do this, GAO observed and tested FRBs' security controls.



 Internet Protocol 6 - Federal Government in Early Stages of Transition and Key Challenges Remain

Why GAO Did This Study

The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, music, and video move across interconnected networks. IP version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, Internet version 6 (IPv6) was developed to increase the amount of available address space. In August 2005, the Office of Management and Budget (OMB) issued a memorandum specifying activities and time frames for federal agencies to transition to IPv6. GAO was asked to determine (1) the status of federal agencies' efforts to transition to IPv6; (2) what emerging applications are being planned or implemented that take advantage of IPv6 features; and (3) key challenges industry and government agencies face as they transition to the new protocol.



 Actions Needed to Provide More Timely Disaster Assistance

Why GAO Did This Study

Hurricanes Katrina, Rita, and Wilma (the Gulf Coast hurricanes) caused more than $118 billion in estimated property damages across the Gulf Coast region in 2005. The Small Business Administration (SBA) helps individuals and businesses recover from disasters through its Disaster Loan Program. GAO initiated work to determine how well SBA provided victims of the Gulf Coast hurricanes with timely assistance. This report, the first of two, focuses primarily on the Disaster Credit Management System (DCMS) and disaster loan process. Here, GAO evaluates (1) what affected SBA's ability to provide timely disaster assistance and (2) actions SBA took after the disasters to improve its response to disaster victims. In conducting this study, GAO analyzed data on loan applications and assessed key aspects of SBA's acquisition and implementation of DCMS.

What GAO Recommends

GAO recommends four actions including reassessing DCMS's maximum user capacity based on such things as lessons learned from the Gulf Coast hurricanes, a review of information available from catastrophe risk modeling firms and disaster simulations, and related cost considerations. In comments on a draft of this report, SBA generally agreed with our recommendations but said more credit should have been given to its improvement efforts.



 Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data

Why GAO Did This Study
The growth of information resellers (companies that collect and resell publicly available and private information on individuals) has raised privacy and security concerns about this industry. These companies collectively maintain large amounts of detailed personal information on nearly all American consumers, and some have experienced security breaches in recent years.

GAO was asked to examine (1) financial institutions' use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators' oversight of resellers; and (4) regulators' oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others.



 Regulatory Flexibility Act - Congress Should Revisit and Clarify Elements of the Act to Improve Its Effectiveness

Why GAO Did This Study

Federal regulation is one of the basic tools of government used to implement public policy. In 1980, the Regulatory Flexibility Act (RFA) was enacted in response to concerns about the effect that regulations can have on small entities, including small businesses, small governmental jurisdictions, and certain small not-for-profit organizations. Congress amended RFA in 1996, and the President issued Executive Order 13272 in 2002, to strengthen requirements for agencies to consider the impact of their proposed rules on small entities. However, concerns about the regulatory burden on small entities persist, prompting legislative proposals such as H.R. 682, the Regulatory Flexibility Improvements Act, which would amend RFA.

At the request of Congress, GAO has prepared many reports and testimonies reviewing the implementation of RFA and related policies. On the basis of that body of work, this testimony (1) provides an overview of the basic purpose and requirements of RFA, (2) highlights the main impediments to the Act’s implementation that GAO's reports identified, and (3) suggests elements of RFA that Congress might consider amending to improve the effectiveness of the Act. GAO's prior reports and testimonies contain recommendations to improve the implementation of RFA and related regulatory process requirements.



 Subject: Information Technology Management: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct) Project

FinCEN's primary function is to support and strengthen domestic and international anti-money laundering efforts through coordination and partnerships. Since its creation in 1990, FinCEN has been responsible for overseeing the management, processing, storage and dissemination of Bank Secrecy Act (BSA) data. In 2004, FinCEN embarked on a major initiative intended to improve the sharing of information reported under the Bank Secrecy Act. BSA Direct is an umbrella project intended to provide secure, user-friendly, web-based tools for accessing, analyzing, and filing BSA data. It is part of a broad effort to reengineer data management responsibilities and transition them from the IRS. During the early spring of 2006, it became clear to FinCEN that the Retrieval and Sharing component of the BSA Direct project (BSA Direct R&S) was not going to meet the critical implementation deadline of June 30, 2006.

Objectives

Because FinCEN has experienced problems with development and implementation of the BSA Direct R&S, you asked us about the project's current status and to provide observations on FinCEN's IT investment management practices. Our objectives were to (1) describe BSA Direct R&S and the project's current status; (2) examine FinCEN's application of information technology (IT) investment management processes to the BSA Direct R&S project; and (3) describe, at a high level, the range of options FinCEN may consider as it reexamines the BSA Direct R&S project.



 Individual Disaster Assistance Programs - Framework for Fraud Prevention, Detection, and Prosecution

Highlights of GAO-06-954T, a testimony before the Subcommittee on Management, Integration, and Oversight, Committee on Homeland Security, U.S. House of Representatives

Why GAO Did This Study
Federal agencies spend billions of dollars annually to aid victims of natural and other disasters and acts of terrorism. Managers of federal disaster assistance programs face a dual challenge: delivering aid as quickly as possible while at the same time ensuring that relief payments go only to those who are truly in need. Due to the very nature of the government's need to quickly provide assistance to disaster victims, federal disaster relief programs are vulnerable to significant risk of improper payments and fraudulent activities.



 Financial Audit: Guidance for Auditing Federal Employee and Veteran Benefit Payable Actuarial Estimates

Inspectors General

In our role as principal auditor of the consolidated financial statements of the U.S. government (CFS), we plan to use the work of the inspectors general and contracted independent public accountants who audit the agency-level financial statements. The development of the joint PCIE/GAO Financial Audit Manual (FAM) has provided a common framework and methodology for federal financial statement auditing. Adherence to the FAM will enable us to readily review the work of other auditors as a basis for using that work under auditing standards. We want to all be on the same page so that we are in the position to use your work.

Certain CFS line items that will be subject to our concurrent review because of their significance, such as the federal employee and veteran benefits payable line item, involve federal agencies’ significant actuarial estimations. Statement on Auditing Standards (SAS) No. 57, Auditing Accounting Estimates, applies to such estimations. In addition, Statement of Federal Financial Accounting Standard (SFFAS) No. 5 requires that federal agencies disclose specific information in their financial statements for pensions, other retirement benefits, and other postemployment benefits.



 Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs

Why GAO Did This Study
The recent information security breach at the Department of Veterans Affairs (VA), in which personal data on millions of veterans were compromised, has highlighted the importance of the department's security weaknesses, as well as the ability of federal agencies to protect personal information. Robust federal security programs are critically important to properly protect this information and the privacy of individuals.

GAO was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. In preparing this testimony, GAO drew on its previous reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources.



 State and DOD Need to Assess How the Foreign Military Financing Program for Egypt Achieves U.S. Foreign Policy and Security Goals

Why GAO Did This Study

Since 1979, Egypt has received about $80 billion in military and economic assistance with about $34 billion in the form of foreign military financing (FMF) grants that enable Egypt to purchase U.S.-manufactured military goods and services. In this report, GAO (1) describes the types and amounts of FMF assistance provided to Egypt; (2) assesses the financing arrangements used to provide FMF assistance to Egypt; and (3) evaluates how the U.S. assesses the program's contribution to U.S. foreign policy and security goals.

What GAO Recommends

We recommend that the Secretaries of State and Defense conduct: (1) an assessment of the impact of potential shifts in appropriations on the Egypt FMF program; and (2) periodic program-level evaluations of the program. Specifically, the agencies should define the current and desired levels of modernization and interoperability the U.S. would like to achieve.



 Sarbanes-Oxley Act - Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies

Regulators, public companies, audit firms, and investors generally agree that the Sarbanes-Oxley Act of 2002 has had a positive and significant impact on investor protection and confidence. However, for smaller public companies (defined in this report as $700 million or less in market capitalization), the cost of compliance has been disproportionately higher (as a percentage of revenues) than for large public companies, particularly with respect to the internal control reporting provisions in section 404 and related audit fees. Smaller public companies noted that resource limitations and questions regarding the application of existing internal control over financial reporting guidance to smaller public companies contributed to challenges they face in implementing section 404. The costs associated with complying with the act, along with other market factors, may be encouraging some companies to become private. The companies going private were small by any measure and represented 2 percent of public companies in 2004. The full impact of the act on smaller public companies remains unclear because the majority of smaller public companies have not fully implemented section 404.



 Federal Agencies Show Mixed Progress in Implementing Statutory Requirements

For many years, GAO has reported that ineffective information security is a widespread problem that has potentially devastating consequences. In its reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue, most recently in January 2005.

Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the federal information security program, evaluation, and reporting requirements established for federal agencies.






Copyright © 2007 BankInfoSecurity.com