Page 1077 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
assessment reports, but those reports are intended for different
audiences that may include an organization’s board of directors,
government regulators, and other third parties. There are three main
types of audits: internal audits, external audits, and third-party audits.
Government Auditors Discover Air Traffic Control Security Vulnerabilities
Federal, state, and local governments also use internal and
external auditors to perform security assessments. The U.S.
Government Accountability Office (GAO) performs audits at the
request of Congress, and these GAO audits often focus on
information security risks. In 2015, the GAO released an audit
report titled “Information Security: FAA Needs to Address
Weaknesses in Air Traffic Control Systems.”
The conclusion of this report was damning: “While the Federal
Aviation Administration (FAA) has taken steps to protect its air
traffic control systems from cyber-based and other threats,
significant security control weaknesses remain, threatening the
agency’s ability to ensure the safe and uninterrupted operation of
the national airspace system (NAS). These include weaknesses in
controls intended to prevent, limit and detect unauthorized access
to computer resources, such as controls for protecting system
boundaries, identifying and authenticating users, authorizing users
to access systems, encrypting sensitive data, and auditing and
monitoring activity on FAA’s systems.”
The report went on to make 17 recommendations on how the FAA
might improve its information security controls to better protect
the integrity and availability of the nation’s air traffic control
system. The full GAO report may be found at
http://gao.gov/assets/670/668169.pdf.
Internal Audits
Internal audits are performed by an organization’s internal audit staff
and are typically intended for internal audiences. The internal audit