Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations

AIMD-98-145: Published: May 18, 1998. Publicly Released: May 19, 1998.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed: (1) how susceptible the Department of State's unclassified automated information systems are to unauthorized access; (2) what State is doing to address information security issues; and (3) what additional actions may be needed to address the computer security problem.

GAO noted that: (1) State's information systems and the information contained within them are vulnerable to access, change, disclosure, disruption, or even denial of service by unauthorized individuals; (2) GAO conducted penetration tests to determine how susceptible State's systems are to unauthorized access and found that it was able to access sensitive information; (3) moreover, GAO's penetration of State's computer resources went largely undetected, further underscoring the department's serious vulnerability; (4) the results of GAO's tests show that individuals or organizations seeking to damage State operations, commit terrorism, or obtain financial gain could possibly exploit the department's information security weaknesses; (5) although State has some projects under way to improve the security of its information systems and help protect sensitive information, it does not have a security program that allows State officials to comprehensively manage the risks associated with the department's operations; (6) State lacks a central focal point for overseeing and coordinating security activities; (7) State does not routinely perform risk assessments to protect its sensitive information based on its sensitivity, criticality, and value; (8) the department's primary information security policy document is incomplete; (9) the department lacks key controls for monitoring and evaluating the effectiveness of its security programs, and it has not established a robust incident response capability; (10) State needs to greatly accelerate its efforts and address these serious information security weaknesses; (11) however, to date, its top managers have not demonstrated that they are committed to doing so; (12) Internet security was the only area in which GAO found that State's controls were currently adequate; (13) however, plans to expand its Internet usage will create new security risks; (14) State conducted an analysis of the risks involved with using the Internet more extensively, but has not yet decided how to address the security risks of additional external connectivity in light of the concerns this review has raised; and (15) if State increases its Internet use before instituting a comprehensive security program and addressing the additional vulnerabilities unique to the Internet, it will unnecessarily increase the risks of unauthorized access to its systems and information.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The State Department clarified in writing computer security roles and responsibilities for the CIO, IRM, and DS offices.

    Recommendation: The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should clarify the computer security responsibilities of the Bureau of Diplomatic Security, the Office of Information Management, and individual bureaus and diplomatic posts.

    Agency Affected: Department of State

  2. Status: Closed - Implemented

    Comments: State designated the Chief Information Office as its central information security unit. The CIO and Diplomatic Security have agreed to a matrix of responsibilities to support this centralization of responsibility.

    Recommendation: The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should consider whether some duties that have been assumed by these offices can be assigned to, or at a minimum coordinated with, the central information security unit.

    Agency Affected: Department of State

  3. Status: Closed - Implemented

    Comments: State issued policies and procedures, and revised its Foreign Affairs Manual, to require managers to determine risks and threats to systems, as well as vulnerabilities and weaknesses to these systems. State has also performed several independent vulnerability analyses of selected networks to implement these policies and procedures.

    Recommendation: The Department of State should develop policy and procedures that require senior State managers to regularly determine the: (1) value and sensitivity of the information to be protected; (2) vulnerabilities of their computers and networks; (3) threats, including hackers, thieves, disgruntled employees, foreign adversaries, and spies; (4) countermeasures available to combat the problem; and (5) cost-effectiveness of the countermeasures.

    Agency Affected: Department of State

  4. Status: Closed - Implemented

    Comments: The FAM was revised in May 2000 to document the CIO's legislatively prescribed information security responsibilities.

    Recommendation: The Department of State should revise the Foreign Affairs Manual (FAM) so that it clearly describes the legislatively-mandated security responsibilities of the Chief Information Officer, the security responsibilities of senior managers and all computer users, and the need for and use of risk assessments.

    Agency Affected: Department of State

  5. Status: Closed - Implemented

    Comments: The Department has completed its Integrated Information Security Management Plan. The plan is comprehensive and, if implemented, will greatly improve State's information security posture. State advises that it will revise the plan as new risk-based information becomes available.

    Recommendation: The Department of State should develop and maintain an up-to-date security plan and ensure that revisions to the plan incorporate the results obtained from risk assessments.

    Agency Affected: Department of State

  6. Status: Closed - Implemented

    Comments: State has acknowledged its need to establish key controls, including performing its own computer security assessments and periodic penetration testing. The Department contracted with FEDCIRC to perform penetration testing of selected networks between May and June 1998. In addition, the Bureau of Diplomatic Security recently completed a security evaluation of OPENNET, using the GAO findings as a baseline for the evaluation.

    Recommendation: The Department of State should establish and implement key controls to help the department protect its information systems and information, including periodic penetration testing to identify vulnerabilities in State's information resources.

    Agency Affected: Department of State

  7. Status: Closed - Implemented

    Comments: State implemented key controls to help the agency detect and respond to computer security events and incidents. The Department implemented its Computer Incident Response Center and clarified for all personnel when an event should be reported to the center.

    Recommendation: The Department of State should establish and implement key controls to help the department protect its information systems and information, including assessments of the department's ability to: (1) react to intrusions and attacks on its information systems; (2) respond quickly and effectively to security incidents; (3) help contain and repair any damage caused; and (4) prevent future damage; and central reporting and tracking of information security incidents to ensure that knowledge of these problems can be shared across the department and with other federal agencies.

    Agency Affected: Department of State

  8. Status: Closed - Implemented

    Comments: State established and staffed a position responsible for providing the results of the annual financial statement audits to the IRM office so they can be used to help improve the Department's information security posture. IRM officials advised that they have used the results of the most recent financial statement audit to help address access control issues and develop a departmentwide certification and accreditation process.

    Recommendation: The Department of State should ensure that the results of the annual financial statement audits required by the Chief Financial Officers Act of 1990 are used to track the department's progress in establishing, implementing, and adhering to sound information security controls.

    Agency Affected: Department of State

  9. Status: Closed - Implemented

    Comments: State officials advised that they met weekly to discuss and resolve the specific weaknesses and vulnerabilities identified during the GAO testing. According to these officials, the majority of weaknesses were corrected and only a select few were considered to be acceptable risks. The Security Infrastructure Working Group has been given the task of centrally tracking the disposition of the GAO audit findings.

    Recommendation: The Department of State should require department managers to work with the central unit to expeditiously review the specific vulnerabilities and suggested actions GAO provided to State officials at the conclusion of GAO's testing. After the department has reviewed these weaknesses and determined the extent to which it is willing to accept or mitigate security risks, State should assign the central unit responsibility for tracking the implementation or disposition of these actions.

    Agency Affected: Department of State

  10. Status: Closed - Implemented

    Comments: State obtained a more effective turnstile, assigned an additional uniformed officer at one entrance, repositioned a magnetometer, and increased the level of awareness among its security personnel for the need for greater security.

    Recommendation: The Department of State should direct the Assistant Secretary for Diplomatic Security to follow up on the planned implementation of cost-effective enhanced security measures for the turnstiles designed for handicapped use.

    Agency Affected: Department of State

  11. Status: Closed - Implemented

    Comments: State made the CIO responsible for all aspects of the department's computer security program.

    Recommendation: The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should assign the Chief Information Officer (CIO) the responsibility and full authority for ensuring that the information security policies, procedures, and practices are adequate.

    Agency Affected: Department of State

  12. Status: Closed - Not Implemented

    Comments: State disagreed with the GAO recommendation, stating that expanding Internet connectivity was a high priority and that planned security for accomplishing this was sufficient. State is proceeding with its planned approach.

    Recommendation: The Department of State should defer the expansion of Internet usage until: (1) known vulnerabilities are addressed using risk-based techniques; and (2) actions are taken to provide appropriate security measures commensurate with the planned level of Internet expansion.

    Agency Affected: Department of State
