DOT’s Information Security Program
We plan to publicly release our annual report on DOT’s information security program. We found that the quality of security certification reviews improved during FY 2005. However, about 15 percent of departmental systems were overdue for recertification. The Department also needs to enforce implementation of the security configuration policy, ensure computer vulnerabilities are corrected in a timely manner, and complete deployment of the intrusion detection system at one Internet connection point. Further, FAA took only limited steps this year to address prior air traffic control system security recommendations. FAA only collected security information on about half of the systems used to support en route air traffic services and has not yet analyzed the information collected. Finally, we found that departmental oversight of major system investments needs to be enhanced. We found projects managed by most Operating Administrations benefited from the departmental Investment Review Board’s oversight; however, the Board has had little positive impact on complicated air traffic control projects, which are still experiencing significant cost increases and schedule delays. The report was issued to the Department on October 7.