Federal Family Education Loan Information System: Weak Computer Controls Increase Risk of Unauthorized Access to Sensitive Data
AIMD-95-117
Published: Jun 12, 1995. Publicly Released: Jun 12, 1995.
Skip to Highlights
Highlights
GAO reviewed the general controls over the Federal Family Education Loan Program (FFELP) information system, focusing on weaknesses that may affect the Department of Education's ability to safeguard assets, maintain sensitive loan data, and ensure the reliability of financial management information.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status Sort ascending |
---|---|---|
Department of Education | The Secretary of Education should direct the Director of the Program System Service to develop and implement a computer security administration program to oversee the FFELP information system's computer security control operations. |
In August 1995 the Computer Security Office within the Office of Postsecondary Education (OPE) was given responsibility for providing computer security oversight of the Federal Family Education Loan Program (FFELP). In conjunction with this action, in September 1995, broad institutional policies and procedures, which were part of OPE's Information Technology Security Manual, were adopted to cover FFELP.
|
Department of Education | The Secretary of Education should direct the Director of the Program System Service to develop, and require the FFELP information system's contractor to implement, policies and procedures to limit access authorizations for the system's users to only those computer programs and data needed to perform their duties, and to approve the creation of special user identifications. |
Education required its contractor to place sensitive system data sets in a restricted library and sensitive utility programs in a controlled library, as of April 1, 1995. In addition, the FFEL Security Officer has performed periodic reviews to ensure that inappropriate changes were not made to the sensitive data sets. Also, it formalized the process to create special user identifications.
|
Department of Education | The Secretary of Education should direct the Director of the Program System Service to identify sensitive data files and programs and monitor successful access to them, including access by users having special access privileges. |
On April 28, 1995, Education implemented security procedures to monitor and review Federal Family Education Loan Program system access by systems programmers. In addition, on September 30, 1995, it procured a new audit software product to assist in the detection of unauthorized changes to the FFELP relational data bases.
|
Department of Education | The Secretary of Education should direct the Director of the Program System Service to require the FFELP information system's contractor to devise controls to ensure that only approved and tested changes are made to the systems software. |
In April 1995, Education reemphasized to the contractor the ongoing requirement that all proposed system software changes be documented, tested, and approved, before implementing changes. Failure to adhere to this will result in sanctions being imposed on the contractor. In addition, Education started to provide contractor oversight via weekly Configuration Control Board meetings.
|
Full Report
GAO Contacts
Office of Public Affairs
Topics
Computer securityComputer security policiesConfidential communicationsDisaster recovery plansFinancial managementFinancial recordsInformation systemsInternal controlsLoan defaultsStrategic information systems planningStudent loansUnauthorized accessSystem software