Serious and Widespread Weaknesses Persist at Federal Agencies
AIMD-00-295: Published: Sep 6, 2000. Publicly Released: Sep 11, 2000.
Pursuant to a congressional request, GAO reviewed inspectors general information security audit findings for 24 federal agencies, focusing on: (1) information security weaknesses identified in audit reports issued from July 1999 through August 2000, compared with similar information that GAO reported in September 1998; (2) weaknesses and the related risks at selected individual agencies; and (3) the most significant types of weaknesses in each of six categories of general controls that GAO used in its analysis.
GAO noted that: (1) evaluations of computer security published since July 1999 continue to show that federal computer security is fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk; (2) as in 1998, GAO's analysis identified significant weaknesses in each of the 24 agencies covered by its review; (3) since July 1999, the range of weaknesses in individual agencies has broadened, at least in part because the scope of audits being performed is more comprehensive than in prior years; (4) while these audits are providing a more complete picture of the security problems agencies face, they also show that agencies have much work to do to ensure that their security programs are complete and effective; (5) the weaknesses identified place a broad array of federal operations and assets at risk of fraud, misuse, and disruption; (6) for example, weaknesses at the Department of the Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections, and weaknesses at the Department of Defense increase the vulnerability of various military operations that support the department's war-fighting capability; (7) further, information security weaknesses place enormous amounts of confidential data, ranging from personal and tax data to proprietary business information, at risk of inappropriate disclosure; (8) for example, in 1999, a Social Security Administration employee pled guilty to unauthorized access of the administration's systems; (9) the related investigation determined that the employee had made many unauthorized queries, including obtaining earnings information for members of the local business community; (10) for most agencies, the weaknesses reported covered the full range of computer security controls; (11) security program planning and management were inadequate; (12) physical and logical access controls also were not effective in preventing or detecting system intrusions and misuse; (13) software change controls were ineffective in ensuring that only properly authorized and tested software programs were implemented; (14) duties were not adequately segregated to reduce the risk that one individual could execute unauthorized transactions or software changes without detection; (15) sensitive operating system software was not adequately controlled, and adequate steps had not been taken to ensure continuity of computerized operations; and (16) more needs to be done, especially in the area of security program planning and management, which involves instituting routine risk management activities aimed at ensuring that risks are understood and controls are implemented.