A Review of FBI Security Programs
compromised insider is deterred by the risk of detection or actually thwarted by a security
layer, the Defense-in-Depth approach restricts a compromised insider’s unauthorized access
to data.
In the course of our review, we identified a wide range of problems affecting the
FBI’s computer systems and INFOSEC programs, which we will briefly summarize, saving
a detailed discussion for the appendices.
• The Bureau has failed to develop an effective strategy to identify and
protect critical information. The FBI has not defined its security
environment and therefore lacks the analytical framework necessary to
address insider threats.
• Classified information has been moved into systems not properly
accredited for its protection.
• Until recently, the Bureau had not begun to certify and accredit most
of its computer systems, including many classified systems. The
current approach to certification is inadequate.
• Inadequate physical protections place electronically stored information
at risk of compromise.
• The FBI lacks adequate, documented INFOSEC policies.
• The Bureau’s approach to system design has been deficient. It has
failed to ascertain the security requirements of the “owners” of
information on its systems and identify the threats and vulnerabilities
that must be countered.
• Classified information stored on some of the FBI’s most widely utilized
systems is not adequately protected because computer users lack
sufficient guidance about critical security features.
• The FBI has failed to limit user access to systems and databases that
employees need to perform their jobs.
• Many key INFOSEC positions remain unfilled, and, when they have