Strengthened Management Needed to Protect Critical Federal Operations and Assets
T-AIMD-98-312: Published: Sep 23, 1998. Publicly Released: Sep 23, 1998.
GAO discussed the state of information security in the federal government, focusing on the Department of Veterans Affairs' (VA) and the Social Security Administration's (SSA) efforts to develop and maintain an effective security management program.
GAO noted that: (1) as the importance of computer security has increased, so have the rigor and frequency of federal audits in this area; (2) during the last 2 years, GAO and the agency inspectors general (IG) have evaluated computer-based controls on a wide variety of financial and nonfinancial systems supporting critical federal programs and operations; (3) the most recent set of audit results described significant information security weaknesses in each of the 24 federal agencies covered by GAO's analysis; (4) these weaknesses cover a variety of areas, which GAO has grouped into six categories of general control weaknesses; (5) in GAO's report, it noted significant problems related to VA's control and oversight of access to its systems; (6) VA did not adequately limit the access of authorized users or effectively manage user identifications and passwords; (7) GAO also found that the department had not adequately protected its systems from unauthorized access from remote locations or through the VA network; (8) a primary reason for VA's continuing general computer control problems is that the department does not have a comprehensive computer security planning and management program in place to ensure that effective controls are established and maintained and that computer security receives adequate attention; (9) the public depends on SSA to protect trust fund revenues and assets from fraud and to protect sensitive information on individuals from inappropriate disclosure; (10) in addition, many current beneficiaries rely on the uninterrupted flow of monthly payments to meet their basic needs; in November 1997, the SSA IG reported serious weaknesses in controls over information resources, including access, continuity of service, and software program changes that unnecessarily place these assets and operations at risk; (11) internal control testing identified information protection-related weaknesses throughout SSA's information systems environment; (12) an underlying factor that contributes to SSA's information security weaknesses is inadequate entitywide security program planning and management; (13) substantively improving federal information security will require efforts at both the individual agency level and at the governmentwide level; and (14) over the last 2 years, a number of efforts have been initiated, but additional actions are still needed.