The U.S. Merchant Marine Academy's Security Controls Were Not Sufficient to Protect Sensitive Data from Unauthorized Access
On May 30, 2012, we issued a report on the results of our self-initiated audit of the United States Merchant Marine Academy’s (the Academy) network security controls. Our objectives were to: (1) determine whether the Academy’s local area network (LAN) and Website are secure from compromise; and (2) identify security weaknesses in the Academy’s LAN, Website and databases.
We found that the Academy’s security controls were not sufficient to protect its Website and LAN from compromise. In March 2011, we successfully penetrated the Academy’s network security and gained full access to its LAN and to sensitive information. Our test demonstrated that all Academy data, including personally identifiable information, is at high risk of exposure to hackers. Additional information security weaknesses exist in the Academy’s LAN, Website and databases because the Academy has not implemented information security programs for the protection of information and information systems, as required by the Federal Information Security Management Act (FISMA) and Department of Transportation (DOT) policies. As a result, the Academy runs the risk that intruders will gain unauthorized access to the large amount of sensitive information stored in its systems without being detected. The Maritime Administration (MARAD), the Operating Administration responsible for the Academy, concurred with our findings and with all nine of our recommendations. MARAD’s plan for corrective action is responsive to those recommendations.