Information Security News mailing list archives

Coast Guard urged to overhaul IT practices


From: InfoSec News <isn () C4I ORG>
Date: Sun, 17 Dec 2000 23:01:14 -0600

http://www.govexec.com/dailyfed/1200/121500m1.htm

By Kellie Lunney
klunney () govexec com
December 15, 2000

Poor management oversight and lackluster computer security policies
and practices plague the U.S. Coast Guard's information technology
system, according to a new General Accounting Office report.

Congress' agency watchdog said that although the Coast Guard had many
important IT management policies in place, it has not consistently put
those policies into practice.

In "Coast Guard Practices Can Be Improved" (GAO-01-190), GAO evaluated
the Coast Guard's information technology policies in five areas:
investment management; IT architecture; software acquisition and
development; information security; and human capital.

The Coast Guard fared the worst with its policies and practices on
tracking IT assets and overseeing its IT investment, according to the
report. GAO rated the agency's computer security and human capital
practices as average at best.

"USCG [the Coast Guard] has no policy for developing and maintaining
an IT asset inventory. In practice, USCG has several different lists
of assets, but they are not consistent or comprehensive. One key list,
the Agency Capital Plan, summarizes the IT systems in development and
in operation, but does not capture and track the assets--such as
hardware, software, and human capital--comprising these systems," said
the report.

The Coast Guard's information security policies won praise, but GAO
questioned USCG's follow-through on practice. GAO determined that only
three of 38 computer systems have obtained proper security
accreditation, and that refresher training on emerging security
threats and technologies is needed. GAO also cited the agency for
failing to address reported weaknesses in physical security controls.

On the human capital front, GAO said that the Coast Guard did not have
a complete inventory of its workforce's IT skills and does not report
on the status of its recruiting and training programs.

The Coast Guard--the fifth branch of the armed services--is
responsible for ensuring maritime safety, national security,
protecting natural resources and cracking down on illegal drugs and
migrants. In the last few years, the agency has voiced concerns over
performing its multiple duties with aging equipment, an inexperienced
workforce and a short supply of funds.

The Coast Guard's four major acquisition projects--including a project
that will modernize the agency's distress and response system--account
for 25 percent of the agency's $4.8 billion fiscal 2000 budget.

In each of the five areas evaluated, GAO provided the Coast Guard with
recommendations, including:

* Establish a comprehensive inventory of IT assets that includes
  up-to-date cost and schedule information.

* Develop and oversee a thorough IT investment portfolio.

* Implement an effective computer security program.

* Correct IT security weaknesses.

* Assess the IT civilian workforce's skills.

* Document progress on recruiting strategies and use results to
  improve human capital strategies.

GAO praised the Coast Guard for putting sound policy guidance into
practice in some key areas, including software acquisition planning
and project management and contract tracking and oversight.

Transportation Department and Coast Guard officials generally agreed
with GAO's recommendations and said they are working to put them into
practice.

ISN is hosted by SecurityFocus.com