
Subject: [ISN] Lax IT Security Threatens Theft Of Personal And Other Sensitive Data From Government Systems
Date: Fri, 25 Mar 2005 03:33:19 -0600 (CST)
http://informationweek.com/story/showArticle.jhtml?articleID=159905569

By Eric Chabrow 
InformationWeek 
March 24, 2005 

Personal data held in a government database is at increased risk of
unauthorized disclosure, modification, or loss--possibly without
anyone knowing, government auditors reported Thursday.  The Government
Accountability Office, the investigative arm of Congress, contends the
Securities and Exchange Commission hasn't effectively implemented IT
controls to protect the integrity, confidentiality, and availability
of its financial and sensitive data.

Specifically, the GAO says in a 29-page report--addressed to SEC
chairman William Donaldson--that the SEC hadn't consistently
implemented effective electronic access controls, including user
accounts and passwords, access rights and permissions, network
security, and audit and monitoring of security-relevant events to
prevent, limit, and detect access to its critical financial and
sensitive systems.

In addition, the report says, weaknesses in other information system
controls, including physical security, segregation of computer
functions, application change controls, and service continuity,
further increase risk to the SEC's information systems. "As a result,
sensitive data--including payroll and financial transactions,
personnel data, regulatory, and other mission-critical
information--were at increased risk of unauthorized disclosure,
modification, or loss, possibly without detection," Gregory Wilshusen,
the GAO's director of information security issues, wrote in the
report.

A major factor for the SEC's IT control weaknesses is that the
commission hasn't fully developed and implemented a comprehensive
agency information security program to provide reasonable assurance
that effective controls are established and maintained and that
information security receives sufficient management attention,
Wilshusen says. Although the SEC has taken some actions to improve
security management, including establishing a central
security-management function and appointing a senior information
security officer to manage the program, it had not clearly defined
roles and responsibilities for security personnel.

In addition, the GAO says, the SEC had not fully assessed its risks,
established or implemented security policies, promoted security
awareness, and tested and evaluated the effectiveness of its
information system controls. The commission doesn't have a solid
foundation for resolving existing information system control
weaknesses and continuously managing information security risks,
Wilshusen says.

In response, the SEC agreed with the GAO recommendations that the
commission's CIO, Corey Booth, move to fully develop and implement an
effective, agencywide information security program. In a letter to
Wilshusen, Booth assured the GAO that the SEC already is addressing
the problems raised by congressional auditors.


