This report reviews information system general controls over the financial systems maintained by the Department of the Interior at its National Business Center (NBC) in Denver, Colorado. GAO found that although the Denver center has made progress in correcting previously cited computer security weaknesses, additional weaknesses affect the Denver center's information system control environment. These weaknesses affect the center's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive personnel information, and restrict physical access to sensitive computing areas. The Denver center did not adequately limit access granted to authorized users, control all aspects of the system software controls, or secure access to its network. Also, the Denver center had not fully established a comprehensive program to routinely monitor access to its computer facilities and data and to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. The primary reason for these weaknesses was that the Denver center had not yet fully developed and implemented a comprehensive entitywide program to manage computer security.
Recommendations for Executive Action
|Department of the Interior||To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior Chief Information Officer (CIO), to ensure that NBC-Denver corrects the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity. These specific weaknesses are described in a separate report designated for "Limited Official Use."|
|Department of the Interior||To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior CIO, to ensure that NBC-Denver develops and implements an effective computer security management program. Such a program would include (1) establishing a central security group to manage a cycle of security management activities, (2) assessing risk to determine computer security needs, (3) developing and implementing policies and controls that meet these needs, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.|
|Department of the Interior||The Secretary of the Interior should instruct the Interior CIO, as the department's key official responsible for computer security, to report periodically on the progress in implementing Interior's corrective action plans.|