Information Security:

Software Change Controls at the Department of Labor

AIMD-00-192R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.

Contact:

Joel C. Willemssen
(202) 512-6253
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Labor (DOL), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for Year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) use of personnel security controls, such as background screenings of contract personnel involved in the software change process, was important because 38 percent of 44 DOL mission-critical systems covered by GAO's study involved the use of contractors for Year 2000 remediation and all 5 of the Employment and Standards Administration (ESA) contracts involved foreign nationals; (2) of potential concern is that all components included in GAO's review sent application source code for a total of 8 mission-critical systems to contractor facilities for remediation, during which time the code was out of the agency's direct control; (3) as a general practice, controls over code are important during the transmission of code to a contractor facility and while at the contractor facility to prevent access to code by, or disclosure of code to, unauthorized individuals for malicious purposes and intelligence gathering activities; (4) in GAO's review, GAO identified weaknesses related to formal policies and procedures for the software change control process; (5) specifically, formally documented change control policies and procedures did not exist at the department level; (6) however, agency officials told GAO that substantial efforts were in process to develop and formalize department-level criteria; (7) also, GAO found that formally documented component-level policies and procedures for the Bureau of Labor and Statistics and ESA needed improvement to reflect controls over mainframe operating system software that officials told GAO were practiced but not documented; and (8) the component-level formally documented process for the Mine Safety and Health Administration did not address documenting and authorizing software changes, controlling application software libraries, and controlling operating system software.
