Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies
AIMD-00-295, September 6, 2000. Full Report (PDF, 36 pages)
Summary

Evaluations of computer security published since July 1999 continue to show that federal computer security is plagued by weaknesses that put critical operations and assets at risk. Significant weaknesses were identified in each of the 24 agencies covered by this review. These weaknesses place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. For example, weaknesses at the Department of the Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections. Weaknesses at the Department of Defense increase the vulnerability of various military operations that support its war-fighting capability. Information security weaknesses place confidential data at risk of inappropriate disclosure, such as the case of a Social Security Administration employee who pled guilty to unauthorized access of the administration's systems. The related investigation determined that the employee had made unauthorized queries, including obtaining earnings information for members of the local business community. Weaknesses cover the full range of computer security controls. They include inadequate security program planning and management, ineffective physical and logical access controls, ineffective software change controls, inadequate segregation of staff duties to reduce the risk of unauthorized transactions or software changes, inadequate control over sensitive operating system software, and insufficient planning to ensure continuity of computerized operations. Although most agencies have taken at least some corrective actions based on recommendations by GAO and agency inspectors general, more needs to be done, especially in the area of security program planning and management.
GAO noted that:

(1) evaluations of computer security published since July 1999 continue to show that federal computer security is fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk;
(2) as in 1998, GAO's analysis identified significant weaknesses in each of the 24 agencies covered by its review;
(3) since July 1999, the range of weaknesses in individual agencies has broadened, at least in part because the scope of audits being performed is more comprehensive than in prior years;
(4) while these audits are providing a more complete picture of the security problems agencies face, they also show that agencies have much work to do to ensure that their security programs are complete and effective;
(5) the weaknesses identified place a broad array of federal operations and assets at risk of fraud, misuse, and disruption;
(6) for example, weaknesses at the Department of the Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections, and weaknesses at the Department of Defense increase the vulnerability of various military operations that support the department's war-fighting capability;
(7) further, information security weaknesses place enormous amounts of confidential data, ranging from personal and tax data to proprietary business information, at risk of inappropriate disclosure;
(8) for example, in 1999, a Social Security Administration employee pled guilty to unauthorized access of the administration's systems;
(9) the related investigation determined that the employee had made many unauthorized queries, including obtaining earnings information for members of the local business community;
(10) for most agencies, the weaknesses reported covered the full range of computer security controls;
(11) security program planning and management were inadequate;
(12) physical and logical access controls also were not effective in preventing or detecting system intrusions and misuse;
(13) software change controls were ineffective in ensuring that only properly authorized and tested software programs were implemented;
(14) duties were not adequately segregated to reduce the risk that one individual could execute unauthorized transactions or software changes without detection;
(15) sensitive operating system software was not adequately controlled, and adequate steps had not been taken to ensure continuity of computerized operations; and
(16) more needs to be done, especially in the area of security program planning and management, which involves instituting routine risk management activities aimed at ensuring that risks are understood and controls are implemented.