Preface

Increased computer interconnectivity and the popularity of the Internet are offering organizations of all types unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. However, the success of many of these efforts depends, in part, on an organization's ability to protect the integrity, confidentiality, and availability of the data and systems it relies on.

Deficiencies in federal information security are a growing concern. In a February 1997 series of reports to the Congress, GAO designated information security as a governmentwide high-risk area. In October 1997, the President's Commission on Critical Infrastructure Protection described the potentially devastating implications of poor information security from a broader perspective in its report entitled Critical Foundations: Protecting America's Infrastructures. Since then, audit reports have continued to identify widespread information security weaknesses that place critical federal operations and assets at risk.

Although many factors contribute to these weaknesses, audits by GAO and Inspectors General have found that an underlying cause is poor security program management. To help identify solutions to this problem, Senators Fred Thompson and John Glenn, Chairman and Ranking Minority Member, respectively, of the Senate Committee on Governmental Affairs, requested that we study organizations with superior security programs to identify management practices that could benefit federal agencies. This guide outlines the results of that study. It is intended to assist federal officials in strengthening their security programs, and we are pleased that it has been endorsed by the federal Chief Information Officers Council. (Message from the CIO)

This guide is one of a series of GAO publications, listed in appendix I, that are intended to define actions federal officials can take to better manage their information resources. It was prepared under the direction of Jack L. Brock, Director, Governmentwide and Defense Information Systems, who can be reached at 202-512-6240 or brockj.aimd@gao.gov.

Gene L. Dodaro
Assistant Comptroller General
Accounting and Information Management Division