The Federal Bureau of Investigation relies on a critical network to electronically communicate, capture, exchange, and access law enforcement and investigative information.
Misuse or interruption of this critical network, or disclosure of the information traversing it, would impair FBI's ability to fulfill its missions. Effective information security controls are essential for ensuring that information technology resources and information are adequately protected from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction. The Government Accounting Office was asked to assess information security controls for one of FBI's critical networks.
To assess controls, GAO conducted a vulnerability assessment of the internal network and evaluated the bureau's information security program associated with the network operating environment. This report summarizes weaknesses in information security controls in one of FBI's critical networks.
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources.
Specifically, FBI did not consistently configure network devices and services to prevent unauthorized insider access and ensure system integrity Nor did the FBI identify and authenticate users to prevent unauthorized access. The Bureau failed to enforce the principle of least privilege to ensure that authorized access was necessary and appropriate and failed to apply strong encryption techniques to protect sensitive data on its networks.
Taken collectively, these and other weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats. These weaknesses existed, in part, because the FBI had not fully implemented key information security program activities for the critical network reviewed.
The FBI has developed an agencywide information security program, which includes an organization to monitor and protect the bureau's information systems from external attacks and insider misuse and to serve as the central focal point of contact for near-real-time security monitoring.
However, shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
Jim Kouri, CPP is currently fifth vice-president of the National Association of Chiefs of Police. He's former chief at a New York City housing project in Washington Heights nicknamed "Crack City" by reporters covering the drug war in the 1980s. In addition, he served as director of public safety at a New Jersey university and director of security for a number of organizations. He's also served on the National Drug Task Force and trained police and security officers throughout the country. He writes for many police and crime magazines including Chief of Police, Police Times, The Narc Officer, Campus Law Enforcement Journal, and others. He's appeared as on-air commentator for over 100 TV and radio news and talk shows including Oprah, McLaughlin Report, CNN Headline News, MTV, Fox News, etc. His book Assume The Position is available at Amazon.Com, Booksamillion.com, and can be ordered at local bookstores. Kouri holds a bachelor of science in criminal justice and master of arts in public administration and he's a board certified protection professional.