An Office of Inspector General (OIG) report released today says that one of the Federal Trade Commission’s (FTC) top management challenges is securing its information systems and networks from destruction, data loss, and compromise, based on an audit covering Fiscal Year 2018.
The report identifies two of FTC’s top management challenges: escalating costs of expert witnesses and information system security. For the latter, OIG found that FTC lacked adequate documentation, methodology, identification, authorizations, and implementation processes to achieve better information security and modernization.
In an FY2018 FISMA (Federal Information Security Modernization Act) evaluation, OIG found that “the FTC methodology for identifying and managing risk was determined to be not supported by an enterprise architecture with an embedded security architecture,” and that FTC “had systems and system components that were determined to not have associated security control baselines.” And although FTC had formed and documented an information security continuous monitoring strategy, OIG found that the strategy had not been fully implemented.
To improve its information security program, FTC “should continue the implementation of technical capabilities that enforce its policies in accordance with documentation for systems within its inventory, including system security plans, authorizations to operate, and authorizations to use,” the report said. “The FTC must maintain the integrity and availability of its information assets as it modernizes its systems, reorganizes its information technology support staff, responds to new security requirements, and provides reliable mission support.”
FTC has been trying to overcome the information security challenge by implementing its Information Resources Management Strategic Plan for FY2019–2022, which addresses “FTC’s changing IT environment and evolving mission and business needs,” OIG said.
OIG added that FTC awarded multiple task orders in FY2019 to help the agency modernize and secure its IT services. It also said FTC has “embedded system-level security principles into the enterprise information security architecture,” and “has further completed additional work to close several outstanding recommendations” in tackling information security obstacles.