Financial Management:

General Computer Controls at the Senate Computer Center

AIMD-96-15: Published: Dec 22, 1995. Publicly Released: Dec 22, 1995.


Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 


Pursuant to a congressional request, GAO evaluated and tested the general computer controls that affect the overall security and effectiveness of the Senate Computer Center's (SCC) financial systems, focusing on whether those controls: (1) protect data, files, and programs from unauthorized access; (2) prevent unauthorized changes to systems and applications software; (3) provide segregation of duties among computer, security, and other SCC personnel; (4) ensure recovery of computer processing operations in case of unexpected interruption; and (5) ensure adequate computer security administration.

GAO found that: (1) SCC general computer controls do not adequately protect sensitive data files and computer programs from unauthorized disclosure and modification; (2) SCC has not fully implemented its access control software to control access to other mainframe programs due to a preference for easier access, resource constraints, the planned transition to decentralized networks, conflicting technical options, and poor access monitoring capabilities; (3) SCC lacks formal software change control and documentation procedures; (4) SCC has not adequately segregated computer duties, particularly regarding security privileges; (5) although SCC is developing off-site disaster recovery and contingency capabilities, the Senate could be exposed to significant security risk as it moves toward a decentralized network environment because it does not have a comprehensive strategic plan for its computer resources; and (6) the two Senate offices responsible for Senate receipts and disbursements supplement SCC general computer management controls to ensure data integrity and authorization when reconciling disbursement information with independent records.

Matters for Congressional Consideration

  1. Status: Closed - Not Implemented

    Comments: In 2001, GAO's follow-up review noted that the SCC had developed and implemented disaster recovery plans, but testing still needed to be conducted. At that time, the SAA had begun a transition of its organizational and technical infrastructure which had changed since GAO conducted its review in 1995. Further action is planned as a result of this transition. The Senate, however, may need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

    Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop, implement, and test a disaster recovery plan for all critical SCC operations.

  2. Status: Closed - Not Implemented

    Comments: This item was to be addressed in a Sergeant at Arms reorganization. The SAA has begun a transition of its organizational and technical infrastructure, which has changed since GAO conducted its review in 1995. Further action may be taken as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

    Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to provide for appropriate segregation of computer duties, including upgrading the position of data security administrator to allow for appropriate independence and authority.

  3. Status: Closed - Not Implemented

    Comments: A formal software change process was originally planned to be addressed in a SAA reorganization. The SAA has begun a transition in its organizational and technical support structure for computing resources, which has changed since GAO conducted its review in 1995. Further action may be initiated as a result of the transition. The Senate may, however, need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

    Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop and implement policies and procedures for controlling software changes, including requiring documentation for the purpose of the change, management review and approval, and independent testing.

  4. Status: Closed - Not Implemented

    Comments: More than half of the action items for resolving this recommendation remain open. Many of these items relate to defining and documenting management and technical procedures for an effective system in controlling user access. An effective system of control is predicated on executive-level commitment of resources and the establishment of an enterprise-wide security program and infrastructure. In August 2001, the SAA began a transition, including the Sergeant at Arms, director of IT Security, and new IT personnel at the Senate Committee on Rules and Administration. At the same time, the technical infrastructure of computing resources has changed since GAO conducted its review in 1995. Further action may be taken as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

    Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop and implement policies and procedures to limit access for the system's users to only those computer programs and data needed to perform their duties. Access controls should be improved by: (1) effectively utilizing SCC access control software, including assessing ongoing risks of incomplete implementation and taking appropriate control measures; (2) strengthening procedures to authorize, monitor, and review user access; and (3) implementing session timeout procedures.

  5. Status: Closed - Not Implemented

    Comments: The Senate has begun a transition of its organizational and technical support structure, which has changed since GAO conducted its review in 1995. Further action is planned as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

    Matter: To improve Senate-wide computer security, the Senate Majority Leader should direct that the Senate develop and implement a comprehensive strategic plan that integrates and controls access and processing for all Senate files, programs, and data.

 
