Information Security: Weak Controls Place Interior's Financial and Other Data at Risk

GAO-01-615 Published: Jul 03, 2001. Publicly Released: Jul 03, 2001.

Highlights

This report reviews information system general controls over the financial systems maintained by the Department of the Interior at its National Business Center (NBC) in Denver, Colorado. GAO found that although the Denver center has made progress in correcting previously cited computer security weaknesses, additional weaknesses affect the Denver center's information system control environment. These weaknesses affect the center's ability to prevent and detect unauthorized changes to financial information, control electronic access to sensitive personnel information, and restrict physical access to sensitive computing areas. The Denver center did not adequately limit access granted to authorized users, control all aspects of the system software controls, or secure access to its network. Also, the Denver center had not fully established a comprehensive program to routinely monitor access to its computer facilities and data and to identify and investigate unusual or suspicious access patterns that could indicate unauthorized access. The primary reason for these weaknesses was that the Denver center had not yet fully developed and implemented a comprehensive entitywide program to manage computer security.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of the Interior
Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior Chief Information Officer (CIO), to ensure that NBC-Denver corrects the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity. These specific weaknesses are described in a separate report designated for "Limited Official Use."
Status: Closed – Implemented
The National Business Center completed actions to correct the information system control weaknesses related to access authority, system software, network security, access monitoring, physical access, segregation of duties, program changes, and service continuity.

Agency Affected: Department of the Interior
Recommendation: To establish an effective information system general control environment, the Secretary of the Interior should instruct the Director of the National Business Center and the acting assistant director of NBC-Denver, in coordination with the Interior CIO, to ensure that NBC-Denver develops and implements an effective computer security management program. Such a program would include (1) establishing a central security group to manage a cycle of security management activities, (2) assessing risk to determine computer security needs, (3) developing and implementing policies and controls that meet these needs, and (4) instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective.
Status: Closed – Implemented
NBC-Denver implemented an information security management program. Specifically, it established a central security management group to provide security guidance and oversight of the center's information security environment. Further, the center established a framework for performing risk assessments and has begun to conduct these assessments for all its key systems. In addition, it strengthened its security awareness program to include specialized training for staff in key information system areas. Also, NBC-Denver updated its security policies and procedures to address Interior's interconnected systems' environment. Finally, the center established an ongoing program to test and evaluate its information system controls and to ensure compliance with established policies and procedures.

Agency Affected: Department of the Interior
Recommendation: The Secretary of the Interior should instruct the Interior CIO, as the department's key official responsible for computer security, to report periodically on the progress in implementing Interior's corrective action plans.
Status: Closed – Implemented
NBC-Denver established a quarterly reporting system to measure progress in correcting all security weaknesses and implementing GAO's corresponding recommendations. This report is provided to the department's senior management.

Topics

Computer security, Software, Financial management systems, System software, Information systems, Sensitive data, Unauthorized access, Libraries, Information security, Payroll records