Why Auditors' InfoSec Advice Is Ignored

Rapid Pace of Change Makes Compliance a Big Challenge
As director of information security issues at the U.S. Government Accountability Office, Gregory Wilshusen dispenses advice to agencies to improve their security - recommendations that aren't always heeded.
But Wilshusen understands why his advice isn't always followed, saying several factors make it more difficult for agencies to protect IT.
"Federal IT and communications systems are highly complex and dynamic with multiple technologies, operating systems and networks that are increasingly interconnected to deliver services and conduct operations," Wilshusen told me in response to questions about agencies complying with IT security audits. "The complexity and rapidity of change in agency IT environments inherently introduce risk as they become more difficult to manage and secure."
Along with his GAO colleague Nancy Kingsbury, Wilshusen earlier this month co-authored "Information Security: IRS Needs to Address Control Weaknesses that Place Financial and Taxpayer Data at Risk." The report says the Internal Revenue Service hasn't always installed appropriate controls to protect against known vulnerabilities, sufficiently monitored database and mainframe controls and appropriately restricted access to its mainframe environment.
The GAO also determined that the IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and didn't configure all applications to use strong encryption, increasing the potential for unauthorized access.
An underlying reason GAO cites for these weaknesses is that the IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program and has continued to improve its controls. However, GAO says, components of the program did not always function as intended.
"Until IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification or disclosure," the audit states.
Wilshusen says the rapid pace of change - in business processes and technology - places increasing demands on IT security mechanisms to protect data on devices that are portable, operated remotely or by third parties and shared with growing numbers of organizations and people.
"People are human and make mistakes that inadvertently expose agency information and resources, such as clicking on a malicious link in an e-mail or falling prey to a phishing attack," he says. " ... The prevalence of an agile and opportunistic threat landscape ... often has security managers playing catch-up and reacting to incidents."
Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University, says government agencies' efforts to follow auditors' advice to implement controls vary widely.
"Some agencies - fewer than in the past - don't take the controls seriously," Spafford says. "The majority seem to be overwhelmed and constrained by inconsistent and unclear rules and insufficient budget. In particular, too many have a large, non-homogenous infrastructure to secure but not enough people working the problem - and those are at government wages with insufficient training and tools.
"There are also rules on procurement that force acquisition to proceed at a glacial pace, some rules that make maintenance and upgrade difficult, and rules over access and configuration. The combination makes the job more difficult in some cases."
Though some agencies have sufficient resources, Spafford says, Congress is curtailing spending, so agencies face the classic question of mission vs. infrastructure. "And," he says, "they tend to put more emphasis on mission."
This emphasis on mission over security helps explain why many agencies fail to act on auditors' advice to strengthen security controls. To change that, agencies' security managers must persuade their leadership that the mission itself will be compromised if security remains weak.