The computer systems that support the Department of Energy's (DOE) civilian research and development programs house enormous amounts of data. Although unclassified, some of the information in these systems is nevertheless sensitive and must be protected from inappropriate access or disclosure. For this reason, DOE property management regulations require the agency to clear the hard drives of all computers before they are transferred into the excess category for reuse or disposal. GAO found that DOE lacks standardized instructions, verification procedures, and training for agency and contract employees on how to properly clear excessed computers. DOE also does not ensure that procedures used to remove all software, information, and data from systems are effective. As a result, some of the excessed computers GAO inspected at DOE headquarters had information still stored on the hard drives.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Department of Energy | The Secretary of Energy should develop and implement standardized written procedures on how to effectively clear hard drives of all software, information and data. |
| Department of Energy | The Secretary of Energy should require an independent verification that these procedures have been followed prior to turning in computers for excess to ensure that employees and contractor personnel of all DOE organizations are in compliance. |
| Department of Energy | The Secretary of Energy should emphasize these procedures in the computer security training and awareness program that is required for all DOE employees and contractor personnel. |