Critical Federal Operations and Assets Remain at Risk
T-AIMD-00-314: Published: Sep 11, 2000. Publicly Released: Sep 11, 2000.
Pursuant to a congressional request, GAO discussed information security audits at federal agencies, focusing on: (1) the pervasive weaknesses that persist since a similar analysis 2 years ago; (2) the serious risks that these weaknesses pose; and (3) major common weaknesses that agencies need to address in order to improve their information security programs.
GAO noted that: (1) evaluations published since July 1999 continue to show that federal computer systems are riddled with weaknesses that continue to put critical operations and assets at risk; (2) just as in 1998, weaknesses were reported in all six major areas of general controls--the policies, procedures, and technical controls that apply to all or a large segment of an entity's information systems and help ensure their proper operation; (3) these weaknesses placed a broad range of critical operations and assets at risk for fraud, misuse, and disruption; (4) virtually all federal operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets; (5) hence, the degree of risk caused by security weaknesses is extremely high; (6) the nature of agency operations and the related risks vary; (7) each organization needs a set of management procedures and an organizational framework for identifying and assessing risk, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses; (8) of the 21 agencies for which security program management was reviewed, all had deficiencies; (9) access controls were evaluated at all 24 of the agencies covered by GAO's analysis, and all were reported to have significant weaknesses; (10) GAO's auditors have been successful, in almost every test, in readily gaining unauthorized access that would allow intruders to read, modify, or delete data; (11) weaknesses in software program change controls were identified for 19 of the 21 agencies where such controls were evaluated; (12) segregation of duties was evaluated at 20 of the 24 agencies and weaknesses were identified at 17 of these agencies; (13) weaknesses were identified at each of the 18 agencies for which operating system controls were reviewed; (14) service continuity controls were evaluated for 21 of the 24 agencies included in the analysis; and (15) of these 21, weaknesses were reported for 20 agencies.