The U.S. Government Accountability Office (GAO) released another information security report in July, which indicates that federal agencies continue to make progress with information security policies and practices, but that there is still a need to "mitigate persistent weaknesses." Like the report issued earlier this year, it indicates progress made under the Federal Information Security Management Act of 2002 (FISMA).
The report says that for fiscal year 2008, almost all of the 24 major federal agencies had weaknesses in information security controls. These weaknesses include issues with access control, configuration management, segregation of duties, continuity of operations and security management.
The GAO says these weaknesses are the result of security programs not being fully implemented. While control activities - such as awareness training - have gone up, several agencies reported decreased levels of testing security controls and training for employees with significant security responsibilities.
The GAO recommends that the Director of the Office of Management and Budget (OMB) make several changes to their guidance policies, including an explicit approval or disapproval of agency security programs after review periods. This is suggested so that agencies are held accountable for implementing effective security programs.