Information Security:
Safeguarding of Data in Excessed Department of Energy Computers
GAO-01-469: Published: Mar 29, 2001. Publicly Released: Apr 4, 2001.
The computer systems that support the Department of Energy's (DOE) civilian research and development programs house enormous amounts of data. Although unclassified, some of the information in these systems is nevertheless sensitive and must be protected from inappropriate access or disclosure. For this reason, DOE property management regulations require the agency to clear the hard drives of all computers before they are transferred into the excess category for reuse or disposal. GAO found that DOE lacks standardized instructions, verification procedures, and training for agency and contract employees on how to properly clear excessed computers. DOE also does not ensure that procedures used to remove all software, information, and data from systems are effective. As a result, some of the excessed computers GAO inspected at DOE headquarters had information still stored on the hard drives.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: DOE has developed a draft procedure that applies to all DOE headquarters and field elements. Its objectives include: (1) establishing minimum requirements for the clearing, sanitization, and destruction of automated information systems storage media, memory, and hardware that have contained classified information and (2) ensuring that all information has been removed from unclassified computer equipment. In addition, the draft procedure defines terms and establishes what needs to be done to clear, sanitize, or destroy storage media, memory, and hardware. As of July 2003, DOE officials stated that the draft procedure was revised in July 2003 to reflect changes in requirements and the Office of the CIO was working to schedule the policy for formal approval. In August 2004, a DOE official stated that this draft had been finalized and issued in February 2004 as "DOE N 205.12 Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware".
Recommendation: The Secretary of Energy should develop and implement standardized written procedures on how to effectively clear hard drives of all software, information and data.
Agency Affected: Department of Energy
Status: Closed - Implemented
Comments: DOE has developed a draft procedure that applies to all DOE headquarters and field elements. For classified drives, the procedure outlines requirements for the independent verification that appropriate procedures have been followed and that classified information has been overwritten. For clearing and sanitizing unclassified computer equipment, the draft procedure states that DOE organizations must include in written procedures a method for independently verifying the process. As of July 2003, DOE officials stated that the draft procedure was revised in July 2003 to reflect changes in requirements and the Office of the CIO was working to schedule the policy for formal approval. In August 2004, a DOE official stated that this draft had been finalized and issued in February 2004 as "DOE N 205.12 Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware".
Recommendation: The Secretary of Energy should require an independent verification that these procedures have been followed prior to turning in computers for excess to ensure that employees and contractor personnel of all DOE organizations are in compliance.
Agency Affected: Department of Energy
Status: Closed - Implemented
Comments: DOE has developed a draft procedure that applies to all DOE headquarters and field elements. The draft procedure states that local sanitization procedures must be addressed in each DOE organization's computer security training and awareness program. It also states that the heads of departmental elements are responsible for ensuring that personnel receive adequate training in both the requirements set forth in the procedures and the local sanitization procedures. As of July 2003, DOE officials stated that the draft procedure was revised in July 2003 to reflect changes in requirements and the Office of the CIO was working to schedule the policy for formal approval. In August 2004, a DOE official stated that this draft had been finalized and issued in February 2004 as "DOE N 205.12 Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware".
Recommendation: The Secretary of Energy should emphasize these procedures in the computer security training and awareness program that is required for all DOE employees and contractor personnel.
Agency Affected: Department of Energy