Information Security: Weak Controls Place DC Highway Trust Fund and Other Data at Risk

GAO-01-155: Published: Jan 31, 2001. Publicly Released: Jan 31, 2001.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

GAO reviewed information system general controls over the financial systems that process and account for the financial activities of the District of Columbia's Highway Trust Fund. GAO identified serious computer security weaknesses that place District information at risk of deliberate or inadvertent misuse. These general control problems affected the District's ability to (1) prevent or detect unauthorized changes to sensitive data and (2) control electronic and physical access to confidential information. The District's lack of a comprehensive computer management program was the primary reason for its information system control problems.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Mayor should direct the Chief Financial Officer, Chief Technology Officer, and the Director of the Department of Public Works (DPW), as appropriate, to correct the specific access control weaknesses which are summarized in this report, and detailed, along with GAO's corresponding recommendations and the District's corrective action plans, in a separate report designated for "Limited Official Use."

    Agency Affected: District of Columbia

    Status: Closed - Implemented

    Comments: The District of Columbia's Chief Financial Officer, Chief Technology Officer, and Director of Public Works took action to correct the information system control weaknesses GAO identified. Specifically, improvements were made to control access to sensitive personnel and financial information, restrict physical access to sensitive computing areas, appropriately segregate computing functions, properly control changes to application and system software, and completely develop and test disaster recovery plans.

    Recommendation: The Mayor should direct the Chief Financial Officer, Chief Technology Officer, and the Director of DPW, as appropriate, to report periodically on progress in implementing the corrective action plans described in the separate report designated for "Limited Official Use."

    Agency Affected: District of Columbia

    Status: Closed - Implemented

    Comments: In July 2001, the Office of the Chief Technology Officer established a quarterly reporting system to measure progress in correcting all security weaknesses and implementing GAO's corresponding recommendations. The quarterly reporting is provided by each of the District information system functions to the Chief Technology Officer as the Mayor's designee in this process.

    Recommendation: The Mayor should direct the Chief Technology Officer to ensure that an effective entitywide security management program is developed and implemented. Such a program should include establishing a central focal point to manage an ongoing cycle of the following security management activities: (1) assessing risk to determine computer security needs, (2) developing and implementing policies and controls that meet these needs, (3) promoting awareness to ensure that risks and responsibilities are understood, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

    Agency Affected: District of Columbia

    Status: Closed - Implemented

    Comments: The Office of the Chief Technology Officer (OCTO) implemented an entity-wide security management program. Specifically, OCTO developed a risk assessment framework and, as of July 2004, had completed 14 agency risk assessments. Further, OCTO recently completed updates to its overall security policies and established a security awareness program for both its employees and contractors. In addition, OCTO developed and implemented a program to test and evaluate its information security on an ongoing basis.
