Good morning, Mr. Chairman. I appreciate this opportunity to discuss the Information Technology Security Audit of the Department of Commerce that was recently conducted by the General Accounting Office (GAO). Accompanying me today is Tom Pyke, Acting Chief Information Officer for the Department. Although Tom took on this role only recently, his information technology (IT) security experience includes directing the National Institute of Standards and Technology's (NIST's) program for the development of government-wide computer security standards and guidelines.
Secretary Evans and I are very concerned about the findings of this GAO review because much of the work of the Department on behalf of our citizens depends on the quality and integrity of our data and IT systems. We thank the Committee and GAO for bringing this serious issue to the attention of the Department's new leadership. Having managed the IT security programs at Fidelity Investments and the Cabot Corporation, I appreciate the critical importance of IT security, and I trust that my management experience in this area will be of some value in meeting the challenges presented by the findings of the GAO review.
Speaking for the Secretary and myself, we accept the findings of the GAO report, as to both the specific weaknesses identified in the audit and their underlying causes. To correct these security problems and prevent future incidents, Secretary Evans is acting to build a strong and effective Commerce IT Security Program and to correct the technical problems identified by the GAO audit.
First, Secretary Evans has directed all Commerce agency heads to focus their personal attention on establishing IT security as a priority. Working in conjunction with their Chief Information Officers, they will allocate necessary resources to assure that the Department's data and IT systems are protected in order to avoid data loss, misuse, or unauthorized access, and to assure the integrity and availability of Commerce data. In this connection, the Secretary has also recently appointed a Senior Advisor for Privacy, another area important to overall IT security.
Second, the Secretary has ordered the implementation of a Department-wide IT restructuring plan. The plan provides the Departmental Chief Information Officer (CIO) with the authority to guide individual agency CIOs as they address IT security problems. This oversight function ensures that appropriate action will be taken at the agency level to implement new Departmental IT policies. In the past, the Departmental CIO apparently had little management authority, and policy often stalled when it reached the agencies. I believe that the new priority given this matter by Secretary Evans and me, our agency heads and our CIOs will produce positive results.
The plan also gives each of our CIOs the authority to manage IT security, IT planning and operations, and IT capital investment review. This new approach is in sharp contrast to the old way of doing business in which CIOs apparently were not key members of the Commerce management team.
Third, Commerce has established an IT Security Task Force, which will work under my personal oversight. This Task Force will improve Commerce IT security by developing a comprehensive, Department-wide IT security program. The Task Force is made up of individuals with expertise in IT security management, including people from NIST, which has a critical Government-wide role in developing standards and guidelines for effective IT security programs. We also have enlisted the assistance of the National Security Agency. We appreciate NSA's willingness to share its institutional knowledge and leadership in this field as part of the Task Force.
The new Task Force is already working on a fast track to develop an effective IT Security Program for the Department and to identify actions that Commerce should take quickly to bolster its IT security posture. These recommendations for short-term action will be made in the context of the Corrective Action Plans already developed by Commerce agencies in response to specific concerns identified in the GAO review.
Furthermore, the program developed by the Task Force will address the assessment of risks throughout the Department and the means for providing security commensurate with those risks. The Task Force will provide a roadmap for updating the Department's IT security policies, develop an oversight process with compliance testing as a key component, and plan a Department-wide IT security awareness training program.
The Task Force is also addressing specific issues, including strengthening access controls for the Department's IT systems, segregating assigned duties consistent with mitigating risk, and developing policies and procedures for authorizing, testing, reviewing and documenting software changes prior to implementation. Special attention is being given to network security, an area the GAO audit singled out in light of the Department's reliance on network connectivity to carry out its mission. The Task Force is designing recovery plans for the Department's sensitive systems; developing a Department-wide IT security incident detection and response process; and looking at other areas essential to a comprehensive Commerce IT Security Program.
The Secretary and I are committed to supporting the efforts of the Commerce IT Security Task Force and to implementing its recommendations throughout the Department. Under the leadership of our agency heads and our CIOs, and guided by the efforts of this Task Force, we are confident that we are moving in the right direction, and that the Department's IT security program will be effective.
Again, thank you for this opportunity to discuss the IT security initiatives underway at the Department of Commerce. Secretary Evans and I appreciate that effective IT security is vital to the Department's mission, and I am pleased that this important issue is among the first I have devoted my time and attention to after having been sworn in last week. I would be pleased to respond to any questions you may have.