Report Summary
Department of Education
Information Technology Security Controls Audit
Financial Audit Division Report 10-17
Released May 5, 2010
Conclusion
The Department of Education did not have adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network.
Key Findings
- The Department of Education did not develop a comprehensive security management program nor did it allocate sufficient resources or personnel to adequately manage security.
- The Department of Education had some firewall rules that were too permissive or unnecessary.
- The Department of Education did not assess its monitoring needs nor did it proactively review security events.
- The Department of Education had not adequately assessed, prioritized, reported, and remediated vulnerabilities.
Audit Objective and Scope
The audit objective was to answer the following question:
- Did the Department of Education have adequate security controls to protect the department’s computer systems and data from threats originating outside the internal network?
We assessed controls as of February 2010.