The State Department has developed a system for identifying and prioritizing information security risks, but it does not paint a complete picture, a Government Accountability Office report said.
The department developed iPost, a program that provides continuous monitoring capabilities for information security risk. The department also developed a scoring system for iPost.
GAO said the State Department, by developing iPost, has been at the forefront of federal efforts in developing and implementing a continuous monitoring capability.
However, the iPost scoring system does not cover all areas affecting information security risk. GAO found iPost addresses Windows hosts but not other IT assets on State’s unclassified network, does not score all information security components and did not demonstrate the extent to which scores are based on risk factors.
GAO recommended the State Department improve iPost by documenting existing controls to ensure the timeliness, accuracy and completeness of iPost data. GAO also recommended the department’s chief information officer consistently notify senior managers of the need for corrective actions.