Financial Management: General Computer Controls at the Senate Computer Center

AIMD-96-15 Published: Dec 22, 1995. Publicly Released: Dec 22, 1995.

Highlights

Pursuant to a congressional request, GAO evaluated and tested the general computer controls that affect the overall security and effectiveness of the Senate Computer Center's (SCC) financial systems, focusing on whether those controls: (1) protect data, files, and programs from unauthorized access; (2) prevent unauthorized changes to systems and applications software; (3) provide segregation of duties among computer, security, and other SCC personnel; (4) ensure recovery of computer processing operations in case of unexpected interruption; and (5) ensure adequate computer security administration.

Recommendations

Matter for Congressional Consideration

Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop and implement policies and procedures to limit access for the system's users to only those computer programs and data needed to perform their duties. Access controls should be improved by: (1) effectively utilizing SCC access control software, including assessing ongoing risks of incomplete implementation and taking appropriate control measures; (2) strengthening procedures to authorize, monitor, and review user access; and (3) implementing session timeout procedures.
Status: Closed – Not Implemented
Comments: More than half of the action items for resolving this recommendation remain open. Many of these items relate to defining and documenting management and technical procedures for an effective system in controlling user access. An effective system of control is predicated on executive-level commitment of resources and the establishment of an enterprise-wide security program and infrastructure. In August 2001, the SAA began a transition, including the Sergeant at Arms, director of IT Security, and new IT personnel at the Senate Committee on Rules and Administration. At the same time, the technical infrastructure of computing resources has changed since GAO conducted its review in 1995. Further action may be taken as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop and implement policies and procedures for controlling software changes, including requiring documentation for the purpose of the change, management review and approval, and independent testing.
Status: Closed – Not Implemented
Comments: A formal software change process was originally planned to be addressed in a SAA reorganization. The SAA has begun a transition in its organizational and technical support structure for computing resources, which has changed since GAO conducted its review in 1995. Further action may be initiated as a result of the transition. The Senate may, however, need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to provide for appropriate segregation of computer duties, including upgrading the position of data security administrator to allow for appropriate independence and authority.
Status: Closed – Not Implemented
Comments: This item was to be addressed in a Sergeant at Arms reorganization. The SAA has begun a transition of its organizational and technical infrastructure, which has changed since GAO conducted its review in 1995. Further action may be taken as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

Matter: To correct the existing weaknesses at SCC, the Senate Majority Leader should direct the Sergeant at Arms and Doorkeeper to develop, implement, and test a disaster recovery plan for all critical SCC operations.
Status: Closed – Not Implemented
Comments: In 2001, GAO's follow-up review noted that the SCC had developed and implemented disaster recovery plans, but testing still needed to be conducted. At that time, the SAA had begun a transition of its organizational and technical infrastructure which had changed since GAO conducted its review in 1995. Further action is planned as a result of this transition. The Senate, however, may need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

Matter: To improve Senate-wide computer security, the Senate Majority Leader should direct that the Senate develop and implement a comprehensive strategic plan that integrates and controls access and processing for all Senate files, programs, and data.
Status: Closed – Not Implemented
Comments: The Senate has begun a transition of its organizational and technical support structure, which has changed since GAO conducted its review in 1995. Further action is planned as a result of this transition. The Senate, however, would need to adjust the recommendation to reflect the new technical environment in which it operates. Based upon the significant organizational and technical changes taking place, this recommendation will be closed.

Topics

Access control, Authorization, Computer networks, Computer resources, Computer security, Data integrity, Financial management systems, Financial records, Internal controls, Legislative bodies, Software, Strategic planning, Computer resources management