Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program Page: 15 of 36
* periodic testing and evaluation of the effectiveness of the agency's
information security policies, procedures, and practices;
* a process for planning, implementing, evaluating, and documenting
remedial actions that are taken to address any deficiencies in the
agency's information security policies, procedures, and practices; and
* plans and procedures to ensure continuity of operations for information
systems that support the operations and assets of the agency.
FISMA also requires that each agency develop, maintain, and annually
update an inventory of major information systems that the agency
operates or that are under its control. Among other things,
this inventory is to identify the interfaces between each system and all
other systems or networks with which it communicates, including those
that are not operated by, or under the control of, the agency.
Each agency is also required to undergo an annual, independent evaluation
of its information security program and practices, including control testing
and compliance assessment. Evaluations of nonnational security systems
are to be performed by the agency's IG or by an independent external
auditor; evaluations related to national security systems are to be
performed only by an entity designated by the agency head. Agencies are to
report annually to OMB on the results of their independent evaluations.
OMB then summarizes the results of the evaluations in a report to selected
Other major provisions require NIST to develop, for systems other than
national security systems, (1) standards to be used by all agencies to
categorize their information and information systems based on the
objectives of providing appropriate levels of information security
according to a range of risk levels, (2) guidelines recommending the types
of information and information systems to be included in each category,
and (3) minimum information security requirements for information and
information systems in each category. NIST must also develop (1) a
definition of and guidelines concerning the detection and handling of
information security incidents and (2) guidelines developed in coordination
with the National Security Agency for identifying an information system as
a national security system.
GAO-05-700 DHS Information Security
United States. Government Accountability Office. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, report, June 17, 2005; Washington D.C.. (https://digital.library.unt.edu/ark:/67531/metadc295505/m1/15/: accessed May 24, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.