Federal Family Education Loan Information System:

Weak Computer Controls Increase Risk of Unauthorized Access to Sensitive Data

AIMD-95-117: Published: Jun 12, 1995. Publicly Released: Jun 12, 1995.


Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed the general controls over the Federal Family Education Loan Program (FFELP) information system, focusing on weaknesses that may affect the Department of Education's ability to safeguard assets, maintain sensitive loan data, and ensure the reliability of financial management information.

GAO found that: (1) Education's general controls over the FFELP information system do not adequately protect the system from unauthorized access, since outside users can potentially bypass access controls; (2) Education has improved the system's access controls, segregated computer system duties, and prepared and tested disaster recovery plans; (3) despite improvements, major weaknesses continue in controlling system access and systems software changes; (4) FFELP access and systems software control deficiencies have resulted primarily from Education's overall weak computer security administration; and (5) Education has not yet developed adequate policies and procedures in key control areas.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In August 1995 the Computer Security Office within the Office of Postsecondary Education (OPE) was given responsibility for providing computer security oversight of the Federal Family Education Loan Program (FFELP). In conjunction with this action, in September 1995, broad institutional policies and procedures, which were part of OPE's Information Technology Security Manual, were adopted to cover FFELP.

    Recommendation: The Secretary of Education should direct the Director of the Program System Service to develop and implement a computer security administration program to oversee the FFELP information system's computer security control operations.

    Agency Affected: Department of Education

  2. Status: Closed - Implemented

    Comments: Education required its contractor to place sensitive system data sets in a restricted library and sensitive utility programs in a controlled library, as of April 1, 1995. In addition, the FFEL Security Officer has performed periodic reviews to ensure that inappropriate changes were not made to the sensitive data sets. Also, it formalized the process to create special user identifications.

    Recommendation: The Secretary of Education should direct the Director of the Program System Service to develop, and require the FFELP information system's contractor to implement, policies and procedures to limit access authorizations for the system's users to only those computer programs and data needed to perform their duties, and to approve the creation of special user identifications.

    Agency Affected: Department of Education

  3. Status: Closed - Implemented

    Comments: On April 28, 1995, Education implemented security procedures to monitor and review Federal Family Education Loan Program system access by systems programmers. In addition, on September 30, 1995, it procured a new audit software product to assist in the detection of unauthorized changes to the FFELP relational data bases.

    Recommendation: The Secretary of Education should direct the Director of the Program System Service to identify sensitive data files and programs and monitor successful access to them, including access by users having special access privileges.

    Agency Affected: Department of Education

  4. Status: Closed - Implemented

    Comments: In April 1995, Education reemphasized to the contractor the ongoing requirement that all proposed system software changes be documented, tested, and approved, before implementing changes. Failure to adhere to this will result in sanctions being imposed on the contractor. In addition, Education started to provide contractor oversight via weekly Configuration Control Board meetings.

    Recommendation: The Secretary of Education should direct the Director of the Program System Service to require the FFELP information system's contractor to devise controls to ensure that only approved and tested changes are made to the systems software.

    Agency Affected: Department of Education

 
