The Defense Department inspector general released a report last week that shows despite releasing over the past year a grand total of 36 investigations and reports on Defenseâ€™s managerial shortcomings in information assurance weaknesses, Defense still has real problems with information security basics.
Investigations conducted between Aug. 1, 2006, and July 31, 2007, by the Defense IG, the Army Audit Agency, the Air Force Audit Agency and the Naval Audit Service repeatedly found problems with system access control, safeguarding of privacy information, poor security policy and procedures, training and education, according to the latest IG report, which is a bibliography of sorts of all the other info sec reports.
A total of 15 reports over the past year identified problems with system access control, the Defense IG said, including allowing unauthorized users to gain access to protected health information covered by the Privacy Act and â€œFor Official Use Onlyâ€ information.
Ten reports over the past year covered Privacy Act violations, and it seems that the message not to throw documents containing protected privacy information into the trash still needs reinforcement.
The audit agencies also identified weaknesses with security policies and procedures in 33 reports and poor security training, awareness and education in eight reports.
â€œWithout adequate security program management and security polices and procedures in place, DoD cannot provide and maintain appropriate security for managing, protecting and distributing information,â€ according to the Defense IG.
Add this stark view to threats posed by Chinese zombie computers and it looks like Defense really needs to work on network defense.