USDA Information Security:

Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure

AIMD-99-227: Published: Jul 30, 1999. Publicly Released: Jul 30, 1999.


Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO provided information on the quality of the Department of Agriculture's (USDA) information security at its National Finance Center (NFC).

GAO noted that: (1) serious access control weaknesses affected NFC's ability to prevent or detect unauthorized changes to payroll and other payment data or computer software, control electronic access to Thrift Savings Program account information, and restrict physical access to sensitive computing areas; (2) these weaknesses increased the risk that users could cause improper payments; (3) in addition, sensitive information contained in NFC systems, including financial transaction data and personnel information, was vulnerable to inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction; (4) furthermore, NFC payroll processing and other financial management operations were vulnerable to disruption due to these weaknesses; (5) GAO found significant problems related to the center's control and oversight of access to its systems and the data maintained on these systems; (6) NFC was not adequately limiting the access of authorized users or controlling its operating system software to prevent access controls from being circumvented; (7) for several years, the Office of Inspector General has reported that access control procedures were weak; (8) the access control weaknesses GAO identified were further compounded because NFC was not sufficiently protecting or overseeing access to its network; (9) the center was not providing adequate physical security for its computer resources; (10) the access control weaknesses GAO found indicated that NFC's computer security planning and management program had not adequately ensured that information system controls continued to work effectively; (11) an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; (12) NFC management has recognized the seriousness of the weaknesses GAO identified and expressed its commitment to improving information system controls; (13) in commenting on this report, the director of NFC agreed with GAO's findings and recommendations; (14) the director also stated that NFC had corrected most of the information security weaknesses GAO identified and planned actions to address remaining weaknesses; (15) NFC stated that it intends to strengthen its computer security planning and management program to encompass the best practices described in GAO's May 1998 report; and (16) addressing these issues will help ensure that an effective computer security environment is achieved and maintained.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: Based on current GAO audit efforts, this recommendation has not been implemented.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include evaluating the effectiveness of policies and related controls.

    Agency Affected: Department of Agriculture

  2. Status: Closed - Not Implemented

    Comments: Based on current GAO audit efforts, this recommendation has not been implemented.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include communicating the policies and controls, as well as the risks that prompted their adoption, to those responsible for complying with them.

    Agency Affected: Department of Agriculture

  3. Status: Closed - Not Implemented

    Comments: As of July 2003, based on current audit work, this has not been implemented.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include implementing policies and controls that are based on risk.

    Agency Affected: Department of Agriculture

  4. Status: Closed - Implemented

    Comments: Based on current GAO audit efforts, GAO has determined that USDA has published a policy, Cybersecurity guidance CS-016, to address risk assessment.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include assessing risks periodically to determine needs and select cost-effective policies and related controls.

    Agency Affected: Department of Agriculture

  5. Status: Closed - Implemented

    Comments: Based on GAO's June 2002 field visit to NFC, all specific access control weaknesses identified by GAO have been corrected.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to correct the specific access control weaknesses GAO identified and communicated to NFC management during GAO's testing.

    Agency Affected: Department of Agriculture

  6. Status: Closed - Implemented

    Comments: Based on current GAO audit work, GAO has determined that USDA has appointed an Associate CIO for Cyber Security. The Associate CIO is the central management person responsible for ensuring information security planning and management, and communicating policies and procedures to USDA units.

    Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include establishing a central security management focal point to ensure that major elements of the security planning and management program are carried out and provide a communications link among organizational units.

    Agency Affected: Department of Agriculture

 
