Information Security: Weak Controls Place DC Highway Trust Fund and Other Data at Risk

GAO-01-155 Published: Jan 31, 2001. Publicly Released: Jan 31, 2001.

Highlights

GAO reviewed information system general controls over the financial systems that process and account for the financial activities of the District of Columbia's Highway Trust Fund. GAO identified serious computer security weaknesses that place District information at risk of deliberate or inadvertent misuse. These general control problems affected the District's ability to (1) prevent or detect unauthorized changes to sensitive data and (2) control electronic and physical access to confidential information. The District's lack of a comprehensive computer management program was the primary reason for its information system control problems.

Recommendations

Recommendations for Executive Action

Agency Affected: District of Columbia
Recommendation: The Mayor should direct the Chief Financial Officer, Chief Technology Officer, and the Director of the Department of Public Works (DPW), as appropriate, to correct the specific access control weaknesses which are summarized in this report, and detailed, along with GAO's corresponding recommendations and the District's corrective action plans, in a separate report designated for "Limited Official Use."
Status: Closed – Implemented
The District of Columbia's Chief Financial Officer, Chief Technology Officer, and Director of Public Works took action to correct the information system control weaknesses GAO identified. Specifically, improvements were made to control access to sensitive personnel and financial information, restrict physical access to sensitive computing areas, appropriately segregate computing functions, properly control changes to application and system software, and completely develop and test disaster recovery plans.

Agency Affected: District of Columbia
Recommendation: The Mayor should direct the Chief Financial Officer, Chief Technology Officer, and the Director of DPW, as appropriate, to report periodically on progress in implementing the corrective action plans described in the separate report designated for "Limited Official Use."
Status: Closed – Implemented
In July 2001, the Office of the Chief Technology Officer established a quarterly reporting system to measure progress in correcting all security weaknesses and implementing GAO's corresponding recommendations. The quarterly reporting is provided by each of the District information system functions to the Chief Technology Officer as the Mayor's designee in this process.

Agency Affected: District of Columbia
Recommendation: The Mayor should direct the Chief Technology Officer to ensure that an effective entitywide security management program is developed and implemented. Such a program should include establishing a central focal point to manage an ongoing cycle of the following security management activities: (1) assessing risk to determine computer security needs, (2) developing and implementing policies and controls that meet these needs, (3) promoting awareness to ensure that risks and responsibilities are understood, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.
Status: Closed – Implemented
The Office of the Chief Technology Officer (OCTO) implemented an entity-wide security management program. Specifically, OCTO developed a risk assessment framework and, as of July 2004, had completed 14 agency risk assessments. Further, OCTO recently completed updates to its overall security policies and established a security awareness program for both its employees and contractors. In addition, OCTO developed and implemented a program to test and evaluate its information security on an ongoing basis.

Topics

Computer security, Confidential communications, Financial management systems, Information resources management, Internal controls, Trust funds, Confidential information, Information systems, Public roads or highways, System software