[ISN] Energy Department auditors cite cybersecurity flaws at FERC
InfoSec News
isn at c4i.org
Wed Oct 12 00:08:41 EDT 2005
http://www.gcn.com/vol1_no1/daily-updates/37284-1.html
By Wilson P. Dizard III
GCN Staff
10/11/05
The Energy Department's inspector general has found fault with
cybersecurity procedures in the Federal Energy Regulatory Commission's
unclassified cybersecurity program.
In a report [1] issued today, the IG noted that FERC officials have
continued to improve their cybersecurity program, and cited
improvements since a previous review in 2002.
However, the IG staff found several areas in which FERC was deficient,
including:
* Access controls had in some cases not been implemented via strong
password management
* Some software with known security flaws was not replaced, and some
users were at times provided access at higher levels than their
duties required
* Not all cybersecurity weaknesses were traced and resolved.
Auditors said FERC had overlooked the problems because officials had
failed to complete compliance evaluations required by general federal
requirements and agency-specific rules.
The report, however, omitted information on specific vulnerabilities
and how they might be fixed. FERC management said that it generally
concurred with the IG's findings and recommendations.
[1] http://www.ig.doe.gov/pdf/ig-0704.pdf