DOT's Information Security Program
On October 8, 2008, we issued our report presenting the results of our annual audit of the Department’s information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and Office of Management and Budget requirements, we assessed the effectiveness of DOT’s program and practices in this area, specifically (1) implementation of minimum security standards, (2) configuration management, and (3) incident-handling and reporting. We found, overall, that the Department’s information security program was not effective. Despite some improvements, DOT had not established adequate policies and procedures; privacy protection of personally identifiable information remained insufficient, as did protection of computer networks; training of employees and contractors was not being assured; identification of information-security weaknesses was not being consistently carried out, nor was timely resolution of those identified; and departmental systems were not sufficiently protected or their recovery, when necessary, assured. We are making 27 specific recommendations to address these deficiencies. The DOT Chief Information Officer concurred with our findings and recommendations, and plans to provide, within 30 days, a description of specific actions to be taken to implement these recommendations, along with their milestone dates.