Final Report on the Department of Transportation’s Information Security Program
On November 18, 2009, we issued our report presenting the results of our annual audit of the Department's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT's information security program and practices. We found that, overall, the departmental information security program is not as effective as it should be and is not compliant with all key FISMA and OMB requirements. During fiscal year 2009, the Department made notable improvements in two key information security areas: it issued Department-wide information security policy and improved the Common Operating Environment's compliance with the Federal Desktop Core Configuration. Despite these improvements, the Department still has weaknesses in five critical areas: information security policy, enterprise-level controls, management of information security weaknesses, system-level controls, and protection of privacy-related information. We are making 27 specific recommendations to address urgent vulnerabilities in these areas. The DOT Chief Information Officer generally concurred with our findings and recommendations and plans to provide, within 30 days, a description of the specific actions to be taken to implement these recommendations, along with their milestone dates.