Information Security: Comments on the Proposed Government Information Security Act of 1999

NCJ Number
189510
Author(s)
Jack L. Brock
Date Published
March 2000
Length
13 pages
Annotation
This document addresses ways to strengthen information security practices throughout the Federal Government.
Abstract
Improvements in agency information security practices are sorely needed, as demonstrated by an analysis of audits that found that 22 of the largest Federal agencies were not adequately protecting critical Federal operations and assets from computer-based attacks. The following six areas of management and general control weaknesses were repeatedly highlighted in these reviews: (1) entitywide security program planning and management; (2) access controls; (3) application software development and change controls; (4) segregation of duties; (5) system software controls; and (6) service continuity controls. Computer security can only work within agencies if a strong management framework is in place. S. 1993, the Government Information Security Act of 1999, incorporates the basic tenets of good security management. The bill proposes improvements in three significant areas: (1) following a risk-based approach to information security; (2) performing independent annual audits of security controls; and (3) approaching security from a government-wide perspective that takes into account the varying information security needs of both national security and civilian agency operations. While S. 1993 would update the current legislative framework for computer security, two important considerations not addressed in the bill, the need for better-defined security control standards and the need to clarify and strengthen leadership for information security across government, are critical to strengthening security practices and oversight. For better-defined security control standards, a set of data classifications could be used by all Federal agencies to categorize the criticality and sensitivity of the data they generate and maintain. For leadership in information security, the Federal Government must have the support of top leaders and more clearly defined roles for the organizations that support government-wide initiatives. 9 footnotes