Skip to main content

Federal Family Education Loan Information System: Weak Computer Controls Increase Risk of Unauthorized Access to Sensitive Data

AIMD-95-117 Published: Jun 12, 1995. Publicly Released: Jun 12, 1995.
Jump To:
Skip to Highlights

Highlights

GAO reviewed the general controls over the Federal Family Education Loan Program (FFELP) information system, focusing on weaknesses that may affect the Department of Education's ability to safeguard assets, maintain sensitive loan data, and ensure the reliability of financial management information.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status Sort descending
Department of Education The Secretary of Education should direct the Director of the Program System Service to develop and implement a computer security administration program to oversee the FFELP information system's computer security control operations.
Closed – Implemented
In August 1995 the Computer Security Office within the Office of Postsecondary Education (OPE) was given responsibility for providing computer security oversight of the Federal Family Education Loan Program (FFELP). In conjunction with this action, in September 1995, broad institutional policies and procedures, which were part of OPE's Information Technology Security Manual, were adopted to cover FFELP.
Department of Education The Secretary of Education should direct the Director of the Program System Service to develop, and require the FFELP information system's contractor to implement, policies and procedures to limit access authorizations for the system's users to only those computer programs and data needed to perform their duties, and to approve the creation of special user identifications.
Closed – Implemented
Education required its contractor to place sensitive system data sets in a restricted library and sensitive utility programs in a controlled library, as of April 1, 1995. In addition, the FFEL Security Officer has performed periodic reviews to ensure that inappropriate changes were not made to the sensitive data sets. Also, it formalized the process to create special user identifications.
Department of Education The Secretary of Education should direct the Director of the Program System Service to identify sensitive data files and programs and monitor successful access to them, including access by users having special access privileges.
Closed – Implemented
On April 28, 1995, Education implemented security procedures to monitor and review Federal Family Education Loan Program system access by systems programmers. In addition, on September 30, 1995, it procured a new audit software product to assist in the detection of unauthorized changes to the FFELP relational data bases.
Department of Education The Secretary of Education should direct the Director of the Program System Service to require the FFELP information system's contractor to devise controls to ensure that only approved and tested changes are made to the systems software.
Closed – Implemented
In April 1995, Education reemphasized to the contractor the ongoing requirement that all proposed system software changes be documented, tested, and approved, before implementing changes. Failure to adhere to this will result in sanctions being imposed on the contractor. In addition, Education started to provide contractor oversight via weekly Configuration Control Board meetings.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Computer securityComputer security policiesConfidential communicationsDisaster recovery plansFinancial managementFinancial recordsInformation systemsInternal controlsLoan defaultsStrategic information systems planningStudent loansUnauthorized accessSystem software