DOT Web Systems Security
We released our report on the security of the Department's web systems in response to the statutory requirements of the Government Information Security Reform Act. We found that in FY 2002 the Department made good progress in better protecting the public’s privacy, correcting vulnerabilities we identified last year, and reporting cyber incidents. However, we also found vulnerabilities and deficiencies in DOT’s public web server security, network services, web sites operated on third-party computers, and incident reporting, as well as the presence of sensitive information on public web sites. We concluded the Department needs to enhance its web security by: (1) performing more comprehensive scans for web vulnerabilities; (2) upgrading its scanning capability to cover all public DOT web systems; (3) establishing requirements to protect those web sites operated on third-party computers; (4) enhancing the reporting of cyber incidents; (5) increasing employee awareness through training on protecting sensitive information; and (6) establishing procedures to perform automatic searches for sensitive information on public web sites. The Department agreed and will take corrective action.