Mountains of data on how Americans work and live collected by the U.S. Census Bureau may not be adequately protected from intruders, according to a report from the U.S. Government Accountability Office (GAO).
While the Census Bureau has taken steps to protect the data it's collected, it hasn't implemented the kind of security controls needed to protect its systems, said the report.
"Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems," the GAO reported.
Security sins cited by the GAO include:
- Inadequate control of connectivity to key network devices and servers;
- Inadequate identification and authentication of users;
- Allocation of access privileges without regard to need;
- Failure to encrypt stored and transmitted data;
- Failure to ensure adequate physical controls were in place;
- And inadequate monitoring of systems and networks.
Securing government data has become increasingly important because its agencies, bureaus and departments have attracted increased intruder attention over the last six years, said GAO Director of Information Security Issues Gregory C. Wilshusen, one of the report's authors.
"The number of security incidents reported by federal agencies has risen 782% over the last six years, from about 5,500 in fiscal year 2006 to 48,562 in fiscal year 2012," he said in an interview.
The report noted that the Bureau had taken steps to protect its data in the event of a disaster or disruption, but those steps remain incomplete. They did not include distributing the disaster plan to key personnel and identifying any weaknesses through testing.
"Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished," the report said.
One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework, according to the Census Bureau's CIO, Brian McGrath.
"That presented some challenges for all parties to truly assess the sophistication and depth of the IT security program here at the Census Bureau," he said in an interview.
"We do not take IT security lightly," he continued. "We fully recognize the importance of IT security and the data that the American citizens have entrusted us with.
"Data security is part of our culture," he added. "We require staff to take IT security awareness training on an annual basis, and we have acceptable usage policies that all employees have to sign before they're granted access to our IT systems."
While the report acknowledged the agency's implementation of a new security framework, it argued that the framework did not fully document information security risks.
It also asserted that the bureau did not adequately enforce user requirements for security and awareness training.
"Until the Bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss," the report said.
The security deficiencies found at the agency aren't limited to the Census Bureau, Wilshusen said.
"What we found at the Census Bureau is not inconsistent with what we have identified in other agencies when we go in there the first time and examine their information security controls," he said. "We typically find these kinds of vulnerabilities and the extent of these types of vulnerabilities."