GAO raps Census Bureau's data protection practices

Mountains of data on how Americans work and live collected by the U.S. Census Bureau may not be adequately protected from intruders, according to a report from the U.S. Government Accountability Office (GAO).

While the Census Bureau has taken steps to protect the data it's collected, it hasn't implemented the kind of security controls needed to protect its systems, said the report.

"Many of the deficiencies relate to the security controls used to regulate who or what can access the bureau's systems," the GAO reported.


Security sins cited by the GAO include:

  • Inadequate control of connectivity to key network devices and servers;
  • Inadequate identification and authentication of users;
  • Allocation of access privileges without regard to need;
  • Failure to encrypt stored and transmitted data;
  • Failure to ensure adequate physical controls were in place;
  • Inadequate monitoring of systems and networks.

Securing government data has become increasingly important because federal agencies, bureaus and departments have attracted growing intruder attention over the last six years, said GAO Director of Information Security Issues Gregory C. Wilshusen, one of the report's authors.

"The number of security incidents reported by federal agencies has risen 782% over the last six years, from about 5,500 in fiscal year 2006 to 48,562 in fiscal year 2012," he said in an interview.

The report noted that the Bureau had taken steps to protect its data in the event of a disaster or disruption, but those steps remained incomplete: the Bureau had not distributed its contingency plan to key personnel, nor tested the plan to identify any weaknesses.

"Without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished," the report said.

One reason the audit may show the Bureau in an unflattering light is that it was conducted while the agency was moving to a new security framework, according to the Census Bureau's CIO, Brian McGrath.

"That presented some challenges for all parties to truly assess the sophistication and depth of the IT security program here at the Census Bureau," he said in an interview.

"We do not take IT security lightly," he continued. "We fully recognize the importance of IT security and the data that the American citizens have entrusted us with.

"Data security is part of our culture," he added. "We require staff to take IT security awareness training on an annual basis, and we have acceptable usage policies that all employees have to sign before they're granted access to our IT systems."

While the report acknowledged the agency's implementation of a new security framework, it argued that the framework did not fully document information security risks.

It also asserted that the bureau did not adequately enforce user requirements for security and awareness training.

"Until the Bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss," the report said.

The security deficiencies found at the agency aren't limited to the Census Bureau, Wilshusen said.

"What we found at the Census Bureau is not inconsistent with what we have identified in other agencies when we go in there the first time and examine their information security controls," he said. "We typically find these kinds of vulnerabilities and the extent of these types of vulnerabilities."

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place