February 23, 2012

The Department's Configuration Management of Non-Financial Systems

The Department of Energy (Department) utilizes many types of information technology (IT) systems to support its various missions related to environmental cleanup, national security, energy and scientific research. Protecting these systems has become increasingly challenging as the frequency and sophistication of cyber attacks continue to rise. A key component of helping to ensure an adequate information security posture is the implementation of an effective configuration management program. Configuration management helps to protect the confidentiality, integrity and availability of IT resources through controls over the processes for initializing, changing and monitoring information systems. Prior Office of Inspector General (OIG) reports identified systemic issues with the Department's cyber security and configuration management programs. In light of the need to ensure effective security practices over the Department's information systems and the challenges noted in prior OIG reports, we initiated this audit to determine whether the Department implemented an effective configuration management process over non-financial systems.

Topic: Management & Administration