Managers Need To Provide Better Protection for Federal Automatic Data Processing Facilities
FGMSD-76-40: Published: May 10, 1976. Publicly Released: May 10, 1976.
- Full Report:
The federal government currently relies on the services of about 9,000 computers in its day-to-day operations, and this equipment is valued at billions of dollars. The value of some of the data which are processed on these computers is immeasurable. Consequently, protecting the equipment and data from unauthorized or inadvertent acts of destruction, alteration, or misuse is a matter of inestimable importance.
Catastrophic losses to government-sponsored data processing installations, such as the loss of human life, irreplaceable data, and equipment, have occurred. Information on the physical security measures employed by 28 federal data processing facilities led GAO to believe that many federal data processing assets and much valuable data are not protected properly. Less than half of the 28 installations visited had developed and put into operation contingency plans to provide for continuity of operations if a loss occurred. The impact from losses at data processing installations which did not have contingency plans could: (1) interfere seriously with efficient and economical operations of the government; (2) have an immeasurable impact on individuals and organizations relying on government data; and (3) result in costly reconstruction efforts. In 1974, the National Bureau of Standards issued guidelines for establishing physical security measures for data processing activities. However, the guidelines are only a reference document, and there is no requirement that agencies must use them when determining their security needs.
Recommendation for Executive Action
Comments: Please call 202/512-6100 for additional information.
Recommendation: To provide more security over government automatic data processing operations at a reasonable cost, the Director of the Office of Management and Budget should direct that management officials be appointed at federal installations having data processing systems and that they be assigned responsibility for automatic data processing physical security and risk management. These officials should be directed to use the National Bureau of Standards guidelines when developing physical security and risk management programs.