Information Security:

Weak Controls Place Interior's Financial and Other Data at Risk

GAO-01-615: Published: Jul 3, 2001. Publicly Released: Jul 3, 2001.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

This report reviews information system general controls over the financial systems maintained by the Department of the Interior at its National Business Center (NBC) in Denver, Colorado. GAO found that although the Denver center has made progress in correcting previously cited computer security weaknesses, additional weaknesses affect the Denver center's information system control environment. These weaknesses affect the center's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive personnel information, and restrict physical access to sensitive computing areas. The Denver center did not adequately limit access granted to authorized users, control all aspects of its system software, or secure access to its network. Also, the Denver center had not fully established a comprehensive program to routinely monitor access to its computer facilities and data and to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. The primary reason for these weaknesses was that the Denver center had not yet fully developed and implemented a comprehensive entitywide program to manage computer security.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The National Business Center completed actions to correct the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity.

    Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior Chief Information Officer (CIO), to ensure that NBC-Denver corrects the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity. These specific weaknesses are described in a separate report designated for "Limited Official Use."

    Agency Affected: Department of the Interior

  2. Status: Closed - Implemented

    Comments: NBC-Denver implemented an information security management program. Specifically, it established a central security management group to provide security guidance and oversight of the center's information security environment. Further, the center established a framework for performing risk assessments and has begun to conduct these assessments for all its key systems. In addition, it strengthened its security awareness program to include specialized training for staff in key information system areas. Also, NBC-Denver updated its security policies and procedures to address Interior's interconnected systems' environment. Finally, the center established an ongoing program to test and evaluate its information system controls and to ensure compliance with established policies and procedures.

    Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior CIO, to ensure that NBC-Denver develops and implements an effective computer security management program. Such a program would include (1) establishing a central security group to manage a cycle of security management activities, (2) assessing risk to determine computer security needs, (3) developing and implementing policies and controls that meet these needs, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.

    Agency Affected: Department of the Interior

  3. Status: Closed - Implemented

    Comments: NBC-Denver established a quarterly reporting system to measure progress in correcting all security weaknesses and implementing GAO's corresponding recommendations. This report is provided to the department's senior management.

    Recommendation: The Secretary of the Interior should instruct the Interior CIO, as the department's key official responsible for computer security, to report periodically on the progress in implementing Interior's corrective action plans.

    Agency Affected: Department of the Interior

 
