Information Security: Corps of Engineers Making Improvements, But Weaknesses Continue
GAO tested selected general and application controls of the Corps of Engineers Financial Management System (CEFMS). The Corps relies on CEFMS to perform key financial management functions supporting the Corps' military and civil works missions. The Corps has made substantial progress in improving computer controls at each of its data processing centers and other Corps sites. The Corps had completed action on 54 of GAO's 93 previous recommendations and partially completed or had action plans to correct the remainder. During the current review, nine new weaknesses were identified and corrected. Nevertheless, continuing and newly identified vulnerabilities involving general and application computer controls continue to impair the Corps' ability to ensure the reliability, confidentiality, and availability of financial and sensitive data. Such vulnerabilities increase risks to other Department of Defense networks and systems to which the Corps' network is linked. Weaknesses in general controls impaired the Corps' ability to ensure that (1) computer risks are adequately assessed, and security policies and procedures within the organization are effective and consistent with overall organizational policies and procedures; (2) users have only the access needed to perform their duties; (3) system software changes are properly documented before being placed in operation; (4) test plans and results for application changes are formally documented; (5) duties and responsibilities are adequately segregated; (6) critical applications are properly restored in the case of a disaster or interruption; and (7) the Corps has adequately protected its network from unauthorized traffic. Application control weaknesses impaired the Corps' ability to ensure that (1) current and accurate CEFMS access authorizations were maintained, (2) user manuals reflect the current CEFMS environment, and (3) the Corps is effectively using electronic signature capabilities.