The Department of Education relies heavily on its Central Automated Processing System (EDCAPS) to support its core financial management information functions, including general ledger and funds management, grant planning and payment processing, and purchasing and contract management. Education's Inspector General (IG) has reported serious information system control weaknesses in this system. These weaknesses increase the risk of unauthorized access or disruption of services and make Education's sensitive grant and loan data vulnerable to misuse, fraud, improper disclosure, or destruction, any of which could go undetected.

Education is making progress in correcting the security weaknesses identified by the IG, and the department has taken other steps to improve security. However, GAO identified weaknesses that place critical financial and sensitive grant information at risk of unauthorized access and disclosure, and key operations at risk of disruption. Specifically, Education did not adequately protect its network from unauthorized users, effectively manage user IDs and passwords, appropriately limit user access, effectively maintain system software controls, or routinely monitor user access activity. Furthermore, Education did not provide adequate physical security for its computer resources, appropriately segregate all key operations and computer functions, effectively control changes to its applications, or fully address its service continuity needs. Education has since corrected some of the weaknesses and developed a corrective action plan to address the others.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Department of Education | The Secretary of Education should direct the Chief Information Officer (CIO) and Chief Financial Officer (CFO) to ensure that the information system control weaknesses related to access authority, system software, network security, user ID and password management, access monitoring, physical access, segregation of duties, application program changes, and service continuity are corrected. |
| Department of Education | The Secretary of Education should direct the CIO and CFO to ensure that a comprehensive departmentwide computer security management program is implemented. Such a program would include (1) coordination of security management activities, (2) ongoing assessment of risk, (3) comprehensive security awareness training, (4) complete security policies, procedures, and standards, and (5) a program to routinely monitor and evaluate the effectiveness of information system controls. |