Justice and Law Enforcement:
Computer Security Weaknesses at the Department of Justice
T-IMTEC-91-15, Jun 27, 1991
GAO discussed computer security weaknesses in the Department of Justice's (DOJ) computer systems that store highly sensitive law enforcement information. GAO noted that DOJ: (1) security weaknesses have life-and-death implications for such individuals as witnesses, informants, and law enforcement officials whose identities could be disclosed because of inadequate controls; (2) did not develop security plans or conduct risk analyses for its computer systems; (3) did not ensure adequate protection for its highly sensitive computer systems, did not exercise adequate system oversight, lacked contingency plans to combat service interruptions, and did not mandate computer security training for employees using the systems; (4) did not properly control access to its main data center, did not position guards to visually survey activities at the center, and lacked recording mechanisms to store and retrieve information about data center activities; and (5) disposed of surplus computer equipment which was later found to contain highly sensitive data. GAO also noted that DOJ acknowledged its need to improve computer security and identified such efforts as: (1) a more proactive leadership role; (2) a major security upgrade of the data center; (3) increased security awareness training; and (4) more aggressive oversight of contingency plan preparation and use.