MANAGEMENT AND INTERGOVERNMENTAL RELATIONS
U.S. HOUSE OF REPRESENTATIVES
SECURITY REFORM ACT OF 2002
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Mr. Chairmen, and members of the subcommittees, I appreciate the opportunity to appear today to provide an Inspector General’s (IG) perspective. Government agencies continue to struggle with the appropriate balance between IT security and computing capacity, too often with an overwhelming bias toward speed and ease of operations. The Government Information Security Reform Act (GISRA) has served as an essential beacon urging agencies toward a more balanced course. During Fiscal Year 2001, the GISRA assessments identified substantial vulnerabilities across government that could threaten the security of information systems. These included:
- Formal security training and awareness programs for all employees were frequently ineffective or non-existent. In the Internal Revenue Service, for example, 70 of 100 employees were willing to compromise their passwords during pretext telephone calls by IG auditors. No matter how strong other controls may be, employees can often be the most vulnerable component of an agency's IT security program.
- Specific performance measures were often absent, such as the effectiveness of efforts to reduce the impact of computer viruses.
- Oversight of contractors was not sufficient and many had not received the necessary background clearances.
- An unacceptable number of systems and applications critical to the agency missions were not security certified and accredited.
- System intrusion incidents were not consistently reported and shared throughout the government to assist agencies to proactively identify and combat hacking.
- Security controls often seemed to be an afterthought in IT budget and investment decisions, and
- Senior managers often assumed little responsibility for IT security within their programs, deferring entirely to small security offices.
To assist agencies in adhering to GISRA and H.R. 3844 provisions, we offer the following suggestions to improve consistency in conducting and reporting information security assessments and investigations.
- Certain terminology should be clarified to avoid confusion in reporting. Terms such as "programs", "systems", "networks", "mission-critical" and "mission essential" are subject to varying interpretations.
- Agency officials should be required to use the NIST IT security assessment framework.
- Agency and IG reporting requirements should be integrated to reduce duplication of effort.
- The OMB should provide implementation guidance at the beginning of each reporting year.
- Annual submissions should contain a conclusion section on agency compliance with the law and its overall information security posture.
- The IGs should be required to evaluate whether agencies have a process that incorporates information security into their Enterprise Architectures.
- Reporting intrusion incidents to FedCIRC should not be limited to national security incidents, but should also include threats to critical infrastructure, as was the case during the Y2K initiative, and
- Importantly, agencies should identify the IG or another law enforcement organization that will investigate intrusions and refer them for prosecution.
I would be happy to answer any questions.