This is the accessible text file for GAO report number GAO/OIG-12-2 
entitled 'Report Highlights: Information Security: Evaluation of GAO’s 
Program and Practices for Fiscal Year 2011' which was released on 
March 30, 2012. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. The published product may be 
reproduced and distributed in its entirety without further permission 
from GAO. However, because this work may contain copyrighted images or 
other material, permission from the copyright holder may be necessary 
if you wish to reproduce this material separately. 

Office of the Inspector General: 
United States Government Accountability Office: 

OIG-12-2 

March 2012: 

Information Security: 

Evaluation for GAO’s Program and Practices for Fiscal Year 2011: 

What We Found: 

The Federal Information Security Management Act of 2002 (FISMA) 
requires that each federal agency establish an agencywide information 
security management program for the information and information 
systems that support the agency’s operations and assets. GAO is not 
obligated by law to comply with FISMA or Executive Branch information 
policies, but has adopted them to help ensure physical and information 
system security. Our evaluation showed that GAO has established an 
overall information security program that is generally consistent with 
the requirements of FISMA, Office of Management and Budget 
implementing guidance, and standards and guidance issued by the 
National Institute of Standards and Technology. However, using FISMA 
reporting metrics for federal inspectors general, we identified 
opportunities to improve specific elements of this program that 
concern: 

* addressing information security risk from an overall agency 
perspective through a comprehensive governance structure and 
organization-wide risk management strategy, 

* remediating security weaknesses identified for agency information 
systems in a timely manner, 

* building out GAO’s Alternative Computing Facility to fully support 
the agency’s mission-essential functions in the event of an emergency 
or disaster, and, 

* developing accurate statistics for employees and contractors 
completing annual security awareness and role-based training. A full 
report on this evaluation was prepared for internal GAO use only. 

What We Recommend: 

This report recommends that GAO (1) establish a comprehensive 
governance structure and organization-wide risk management strategy 
for the security of its information systems; (2) enhance 
accountability for, and management of, the agency’s information 
security weakness remediation process; (3) provide senior management 
with adequate information to consider and prioritize building out the 
capabilities of the agency’s Alternative Computing Facility; and (4) 
develop and implement procedures for capturing data that accurately 
reflect agency compliance with security training requirements as of 
the end of each fiscal year. GAO concurred with these recommendations. 

[End of section] 

Reporting Fraud, Waste, and Abuse in GAO's Internal Operations: 

To report fraud, waste, and abuse in GAO's internal operations, do one 
of the following. (You may do so anonymously.) 

* Call toll-free (866) 680-7963 to speak with a hotline specialist, 
available 24 hours a day, 7 days a week. 

* Online at: https://OIG.alertline.com. 

Obtaining Copies of GAO/OIG Reports and Testimony:  

To obtain copies of OIG reports and testimony, go to GAO's Web site: 
[hyperlink, www.gao.gov/about/workforce/ig.html]. 

Congressional Relations:  

Katherine Siggerud, Managing Director, siggerudk@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548: 

Public Affairs:  

Chuck Young, Managing Director, youngcl@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548: 

[End of document]