North American governments receive poor security grades

Internal Auditor, April, 2005 by T. McCollum

TWO NEW REPORTS GIVE Canadian and U.S. government agencies low marks for information security. The auditor general of Canada reported that the Canadian government has failed to develop consistent information security practices since the previous audit in 2002. Meanwhile, U.S. government agencies scored a "D" grade on the annual Federal Computer Security Report released in February by the House Government Reform Committee.

The Canadian audit reviewed the state of information security in the government and the progress that the nation's Treasury Board Secretariat and departments have made in implementing the 2002 audit recommendations. The report found that Canada's revised Government Security Policy has laid a foundation for security improvements and increased cooperation among departments and agencies. However, the report noted that the Secretariat has yet to establish all the necessary standards outlined in the policy and has not fulfilled its role of monitoring and overseeing information security throughout the government.

The audit also revealed that most agencies don't comply fully with the security policy and maintain widely different security practices. According to a 2004 survey by the Secretariat, only one department meets all of the policy's baseline requirements. Moreover, 16 percent of departments don't have an information security policy, and 35 percent lack a policy requiring threat and risk assessments. Departments have also failed to assess security risks and threats adequately, the auditor general's report said.

U.S. government departments aren't faring any better than their Canadian counterparts. Most agencies earned grades of "C" or lower on the Federal Computer Security Report Card, which is based on annual information security reviews required by the Federal Information Security Management Act of 2002. Seven large U.S. departments received an "F," including the Departments of Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs.

House Government Reform Committee Chairman Tom Davis (R-Va.) cited many areas that need improvement, including annual reviews of contractor systems, contingency plan testing, configuration management, incident reporting, and specialized training for employees who are responsible for information security. To address these problems, Davis announced the formation of the CISO Exchange, a private-sector funded forum that is intended to help federal government chief information officers and chief information security officers (CISOs) share information and collaborate on security issues.

The auditor general of Canada's Report on Information Technology Security is available at www.oag-bvg.gc.ca/domino/reports. The U.S. 2004 Federal Computer Security Report Card can be downloaded from the U.S. House Government Reform Committee Web site at http://reform.house.gov/GovReform/News/DocumentSingle.aspx?DocumentID=6813.

COPYRIGHT 2005 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning