Good morning, Mr. Chairman. I appreciate this opportunity to discuss the Information Technology Security Audit of the Department of Commerce that was recently conducted by the General Accounting Office (GAO). Accompanying me today is Tom Pyke, Acting Chief Information Officer for the Department. Although Tom took on this role only recently, his information technology (IT) security experience includes directing the National Institute of Standards and Technology’s (NIST’s) program for the development of government-wide computer security standards and guidelines.

Secretary Evans and I are very concerned about the findings of this GAO review because much of the work of the Department on behalf of our citizens depends on the quality and integrity of our data and IT systems. We thank the Committee and GAO for bringing this serious issue to the attention of the Department’s new leadership. Having managed the IT security programs at Fidelity Investments and the Cabot Corporation, I appreciate the critical importance of IT security, and I trust that my management experience in this area will be of some value in meeting the challenges presented by the findings of the GAO review.

Speaking for the Secretary and myself, we accept the findings of the GAO report, as to both the specific weaknesses identified in the audit and their underlying causes. To correct these security problems and prevent future incidents, Secretary Evans is acting to build a strong and effective Commerce IT Security Program and to correct the technical problems identified by the GAO audit.

First, Secretary Evans has directed all Commerce agency heads to focus their personal attention on establishing IT security as a priority. Working in conjunction with their Chief Information Officers, they will allocate necessary resources to assure that the Department’s data and IT systems are protected in order to avoid data loss, misuse, or unauthorized access, and to assure the integrity and availability of Commerce data. In this connection, the Secretary has also recently appointed a Senior Advisor for Privacy, another area important to overall IT security.

Second, the Secretary has ordered the implementation of a Department-wide IT restructuring plan. The plan provides the Departmental Chief Information Officer (CIO) with the authority to guide individual agency CIOs as they address IT security problems. This oversight function ensures that appropriate action will be taken at the agency level to implement new Departmental IT policies. In the past, the Departmental CIO apparently had little management authority, and policy often stalled when it reached the agencies. I believe that the new priority given this matter by Secretary Evans and me, our agency heads and our CIOs will produce positive results.

The plan also gives each of our CIOs the authority to manage IT security, IT planning and operations, and IT capital investment review. This new approach is in sharp contrast to the old way of doing business in which CIOs apparently were not key members of the Commerce management team.

Third, Commerce has established an IT Security Task Force, which will work under my personal oversight. This Task Force will improve Commerce IT security by developing a comprehensive, Department-wide IT security program. The Task Force is made up of individuals with expertise in IT security management, including people from NIST, which has a critical Government-wide role in developing standards and guidelines for effective IT security programs. We also have enlisted the assistance of the National Security Agency. We appreciate NSA’s willingness to share its institutional knowledge and leadership in this field as part of the Task Force.

The new Task Force is already working on a fast track to develop an effective IT Security Program for the Department and to identify actions that Commerce should take quickly to bolster its IT security posture. These recommendations for short-term action will be made in the context of the Corrective Action Plans already developed by Commerce agencies in response to specific concerns identified in the GAO review.

Furthermore, the program developed by the Task Force will address the assessment of risks throughout the Department and the means for providing security commensurate with those risks. The Task Force will provide a roadmap for updating the Department’s IT security policies, develop an oversight process with compliance testing as a key component, and plan a Department-wide IT security awareness training program.

The Task Force is also addressing specific issues, including strengthening access controls for the Department’s IT systems, segregating assigned duties consistent with mitigating risk, and developing policies and procedures for authorizing, testing, reviewing and documenting software changes prior to implementation. Special attention is being given to network security, an area the GAO audit singled out in light of the Department’s reliance on network connectivity to carry out its mission. The Task Force is designing recovery plans for the Department’s sensitive systems; developing a Department-wide IT security incident detection and response process; and looking at other areas essential to a comprehensive Commerce IT Security Program.

The Secretary and I are committed to supporting the efforts of the Commerce IT Security Task Force and to implementing its recommendations throughout the Department. Under the leadership of our agency heads and our CIOs, and guided by the efforts of this Task Force, we are confident that we are moving in the right direction, and that the Department’s IT security program will be effective.

Again, thank you for this opportunity to discuss the IT security initiatives underway at the Department of Commerce. Secretary Evans and I appreciate that effective IT security is vital to the Department’s mission, and I am pleased that this important issue is among the first I have devoted my time and attention to after having been sworn in last week. I would be pleased to respond to any questions you may have.