Department of Commerce
Information Technology Security Controls
Financial Audit Division Report 11-08
Released April 15, 2011
The Department of Commerce did not have adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network. We identified five weaknesses in internal controls.
- The Department of Commerce did not develop a comprehensive security management program.
- The Department of Commerce had many firewall rules that were too permissive or unnecessary.
- The Department of Commerce did not sufficiently restrict or filter computer traffic nor did it encrypt some sensitive computer traffic in its private internal network.
- The Department of Commerce had not implemented formal change management processes to ensure that it adequately documented, assessed, tested, and approved proposed changes before implementing those changes in the technology environment.
- The Department of Commerce lacked a periodic review of some users with remote access privileges.
Audit Objective and Scope
The audit objective was to answer the following question:
- Did the Department of Commerce have adequate security controls to protect the department’s computer systems and data from threats originating outside the internal network?
We assessed controls as of January 2011.