Audit Finds Gaping Holes in NASA Security

The U.S. Government Accountability Office (GAO) has painted a bleak picture of NASA’s IT security posture.
An audit of the space agency’s computer systems found weaknesses in
several critical areas, especially in the way NASA implemented access
controls like user accounts, passwords and the encryption of sensitive
data. Here’s the gist of the audit findings:

[NASA] did not always sufficiently identify and authenticate users, restrict
user access to systems, encrypt network services and data, protect
network boundaries, audit and monitor computer-related events, and
physically protect its information technology resources. In addition,
weaknesses existed in other controls to appropriately segregate
incompatible duties and manage system configurations and implement
patches. A key reason for these weaknesses is that NASA has not yet
fully implemented key activities of its information security program to
ensure that controls are appropriately designed and operating
effectively.

Specifically,
it has not always fully assessed information security risks; fully
developed and documented security policies and procedures; included key
information in security plans; conducted comprehensive tests and
evaluation of its information system controls; tracked the status of
plans to remedy known weaknesses; planned for contingencies and
disruptions in service; maintained capabilities to detect, report, and
respond to security incidents; and incorporated important security
requirements in its contract with the Jet Propulsion Laboratory.

The auditors warn that highly sensitive personal, scientific, and
other data were at an “increased risk” of unauthorized use,
modification, or disclosure.

* Here’s the GAO report [PDF]
