Department of Agriculture
Information Technology Network Security Controls Audit
Financial Audit Division Report 10-23
Released July 1, 2010
The Department of Agriculture generally had adequate security controls to protect the classifications, integrity, and availability of its data and computer systems from threats originating outside its internal network. However, we identified four weaknesses in internal controls.
- The Department of Agriculture did not conduct formal risk assessments.
- The Department of Agriculture did not assess its monitoring needs nor did it proactively review some security events.
- The Department of Agriculture did not sufficiently restrict or filter computer traffic in its private internal network.
- The Department of Agriculture did not periodically recertify some access privileges nor did it implement strong password controls on some accounts.
Audit Objective and Scope
The audit objective was to answer the following question:
Did the Department of Agriculture have adequate security controls to protect the department’s computer systems and data from external threats?
We assessed controls as of May 2010.