Information Security:

Weak Controls Place Interior's Financial and Other Data at Risk

GAO-01-615: Published: Jul 3, 2001. Publicly Released: Jul 3, 2001.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

This report reviews information system general controls over the financial systems maintained by the Department of the Interior at its National Business Center (NBC) in Denver, Colorado. GAO found that although the Denver center has made progress in correcting previously cited computer security weaknesses, additional weaknesses affect the Denver center's information system control environment. These weaknesses affect the center's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive personnel information, and restrict physical access to sensitive computing areas. The Denver center did not adequately limit access granted to authorized users, control all aspects of the system software controls, or secure access to its network. Also, the Denver center had not fully established a comprehensive program to routinely monitor access to its computer facilities and data and to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. The primary reason for these weaknesses was that the Denver center had not yet fully developed and implemented a comprehensive entitywide program to manage computer security.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior Chief Information Officer (CIO), to ensure that NBC-Denver corrects the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity. These specific weaknesses are described in a separate report designated for "Limited Official Use."

    Agency Affected: Department of the Interior

    Status: Closed - Implemented

    Comments: The National Business Center completed actions to correct the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity.

    Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior CIO, to ensure that NBC-Denver develops and implements an effective computer security management program. Such a program would include (1) establishing a central security group to manage a cycle of security management activities, (2) assessing risk to determine computer security needs, (3) developing and implementing policies and controls that meet these needs, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

    Agency Affected: Department of the Interior

    Status: Closed - Implemented

    Comments: NBC-Denver implemented an information security management program. Specifically, it established a central security management group to provide security guidance and oversight of the center's information security environment. Further, the center established a framework for performing risk assessments and has begun to conduct these assessments for all its key systems. In addition, it strengthened its security awareness program to include specialized training for staff in key information system areas. Also, NBC-Denver updated its security policies and procedures to address Interior's interconnected systems' environment. Finally, the center established an ongoing program to test and evaluate its information system controls and to ensure compliance with established policies and procedures.

    Recommendation: The Secretary of the Interior should instruct the Interior CIO, as the department's key official responsible for computer security, to report periodically on the progress in implementing Interior's corrective action plans.

    Agency Affected: Department of the Interior

    Status: Closed - Implemented

    Comments: NBC-Denver established a quarterly reporting system to measure progress in correcting all security weaknesses and implementing GAO's corresponding recommendations. This report is provided to the department's senior management.
