A central point for the collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, “phishing” alerts, commentary regarding staffing levels, etc.
Cybersecurity at Dept of Energy
November 17, 2009 at 1:19 pm #85653
From Govinfo Security
Little to Show for $45 Million Infosec Investment
Author: Eric Chabrow, Managing Editor
Los Alamos National Laboratory has spent $45 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network.
The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos’ management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.
“LANL’s security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network,” the GAO said in its 39-page report.
The Energy Department-run laboratory in Los Alamos, N.M., also known as LANL, is among the world’s largest science and technology institutions that conduct multidisciplinary research for fields such as national security, outer space, renewable energy, medicine, nanotechnology and supercomputing. Along with the Lawrence Livermore National Laboratory, LANL is one of two labs in the United States where classified work designing nuclear weapons takes place.
GAO identified several critical areas where vulnerabilities surfaced, including uniquely identifying and authenticating the identity of users, authorizing user access, encrypting classified information, monitoring and auditing compliance with security policies and maintaining software configuration assurance.
A key reason for the information security weaknesses was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained, the congressional auditors said.
Among the program’s shortfalls identified by the GAO:
* Lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use,
* Not developing detailed implementation guidance for key control areas such as marking the classification level of information stored on the classified network,
* Inadequate specialized training for users with significant security responsibilities and
* Insufficiently developing and testing disaster recovery and contingency plans to mitigate the laboratory’s chances of being unsuccessful at resuming normal operational standards after a service disruption.
“The laboratory’s decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weaknesses, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term,” the GAO said.
Among GAO’s recommendations: The laboratory fully implement its information security program, centralize management of the classified network and develop a sustainability plan that details how it plans to strengthen recent cybersecurity improvements over the long term.
The National Nuclear Security Administration, the Energy Department unit responsible for the safety of government nuclear sites, generally concurred with the GAO recommendations.
Copyright © 2009 GovInfoSecurity.com an ISMG Corp. media property