Justice Automation: Tighter Computer Security Needed

IMTEC-90-69: Published: Jul 30, 1990. Publicly Released: Aug 23, 1990.

Contact:

Linda D. Koontz
(202) 512-7487
contact@gao.gov

 


Pursuant to a congressional request, GAO reviewed the Department of Justice's (DOJ) computer security program, focusing on compliance with the Computer Security Act of 1987 and other applicable laws and regulations.

GAO found that: (1) DOJ computer security program weaknesses posed significant risks to the integrity of its computer systems and sensitive information within its organizations; (2) weaknesses included security deficiencies, unprepared or untested contingency plans, and inadequate security training; (3) although DOJ moved its main data center operations from an older facility to improve computer operations security, the new center's material security weaknesses could adversely affect its operations and pose significant risks to litigating organizations' data; and (4) data center weaknesses included inadequate physical security, inadequate contingency planning and risk assessment, computer operations weaknesses, long-standing security weaknesses, and inadequate oversight.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Documentation provided by the Department of Justice indicates that contingency plans have been prepared and tested for all litigating organizations. Risk analyses have been completed for all litigating organizations, and problems identified have been addressed. In May 1991, Justice made computer security training mandatory, included this training in its formal employee orientation process, and considered the benefits of providing additional formalized computer security training.

    Recommendation: The Attorney General should immediately correct the security weaknesses described in this report; specifically, ensure that all litigating organizations prepare and test contingency plans, perform thorough risk analyses, correct the problems identified, and establish mandatory computer security training programs.

    Agency Affected: Department of Justice

  2. Status: Closed - Implemented

    Comments: The backup and disaster recovery plan for the main data center was completed in September 1991. Data center security upgrades were completed in September 1991. A three-part contingency plan for the main data center was completed in August 1992 and contingency backup plans are updated continually to reflect ongoing changes in hardware and software configurations, environmental upgrades, building security improvements, and workload enhancements. A formal risk analysis of physical and computer system security at the center was conducted in October 1992. Justice is working with NIST to develop a risk analysis methodology for the telecommunications networks. Justice expects the formal assessment to be completed in August 1994.

    Recommendation: The Attorney General should immediately initiate steps at the main data center to ensure that: (1) a contingency plan is completed, and identified physical and computer operations weaknesses are corrected; and (2) a full-scope risk assessment of overall physical, system, and telecommunications security is conducted, and any weaknesses found are corrected.

    Agency Affected: Department of Justice

  3. Status: Closed - Implemented

    Comments: JMD security staff conduct security compliance reviews, including computer security, agencywide. IRM Systems Policy staff review sensitive system security plans to certify on a case-by-case basis. A new IRM staff office for computer security has been created to develop guidance, assist components with computer security concerns, and monitor computer security training.

    Recommendation: The Attorney General should improve the Justice Management Division's (JMD) leadership and oversight of departmental computer security programs by ensuring that security staff: (1) perform periodic audits and reviews of sensitive systems; (2) certify the adequacy of security safeguards; and (3) monitor the litigating organizations' compliance with computer security training requirements.

    Agency Affected: Department of Justice

  4. Status: Closed - Implemented

    Comments: In his 1991 Internal Control Report dated December 28, 1991, the Attorney General designated automatic data processing security as a material weakness under FMFIA and a high-risk area.

    Recommendation: The Attorney General should report the computer security deficiencies as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA), and discuss the actions that will be taken to correct the weakness.

    Agency Affected: Department of Justice

 
