Skip to main content

Information Systems: Agencies Overlook Security Controls During Development

IMTEC-88-11 Published: May 31, 1988. Publicly Released: May 31, 1988.
Jump To:
Skip to Highlights

Highlights

Pursuant to a congressional request, GAO reviewed federal civilian agencies' practices for incorporating security controls during the development of automated systems for sensitive information.

Recommendations

Recommendations for Executive Action

Agency Affected Sort descending Recommendation Status
Department of Energy The Department of Energy (DOE) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. DOE may find the forthcoming NBS Special Publication 500-153 useful in this analysis. DOE should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of DOE information security plans required by the Computer Security Act of 1987.
Closed – Implemented
Policies regarding information systems development and use were modified to consider security controls during the design and development of DOE information systems. The modified policies formed the basis for one of the objectives of the reviews of systems under development.
Farmers Home Administration The Farmers Home Administration (FmHA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. FmHA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. FmHA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of FmHA information security plans required by the Computer Security Act of 1987.
Closed – Implemented
FmHA based its policies and procedures, as appropriate, on the guidance "Model Framework for Management Control Over Automated Information Systems" provided by the President's Council on Management Improvement and Integrity and Efficiency (January 1988). These policies were used in reviewing systems under development.
Federal Aviation Administration The Federal Aviation Administration (FAA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. FAA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. FAA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of FAA information security plans required by the Computer Security Act of 1987.
Closed – Implemented
FAA has established a policy that requires security reviews of system specifications to ensure that systems are developed with appropriate security controls. FAA submitted National Airspace System development efforts to a checklist, containing system security as a key component.
Immigration and Naturalization Service The Immigration and Naturalization Service (INS) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. INS may find the forthcoming NBS Special Publication 500-153 useful in this analysis. INS should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of INS information security plans required by the Computer Security Act of 1987.
Closed – Implemented
As of May 9, 1989, INS had identified its sensitive information systems and developed associated security plans, which will be provided to OMB for approval. The Committee staff views INS actions as a seriously positive effort and will track the agency's compliance with the Computer Security Act, satisfying this recommendation.
Internal Revenue Service The Internal Revenue Service (IRS) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. IRS may find the forthcoming NBS Special Publication 500-153 useful in this analysis. IRS should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of IRS information security plans required by the Computer Security Act of 1987.
Closed – Implemented
IRS obtained assistance from the Federal Computer Performance Evaluation and Simulation Center in: (1) reviewing federal and Treasury requirements for information systems security and control; (2) documenting IRS implementation of an information system's security program; and (3) developing an action plan ensuring that proper controls are put in place and in the area of tax system redesign.
International Trade Administration The International Trade Administration (ITA) should evaluate their current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. ITA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. ITA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of agency information security plans required by the Computer Security Act of 1987.
Closed – Implemented
The Department of Commerce has developed a policy for including adequate security controls in the system development process in its Methodology for Certifying Sensitive Computer Applications and has been disseminated to all Commerce organizational units. Commerce, as a continuing effort, is actively monitoring its organizational units of various federal and Commerce policies.
National Institute of Standards and Technology The National Institute of Standards and Technology should, pursuant to its responsibilities under the Computer Security Act of 1987 and in consultation with the appropriate agencies, perform a comprehensive reassessment and revision of the system development standards and guidelines needed by agencies to ensure cost-effective protection of sensitive information in federal computer systems under development.
Closed – Implemented
Because of the National Institute for Standards and Technology's (NIST) increased work load and time involved in reviewing the computer security plans for agencies, it is providing advice and comments on the plans, and lack of resources (staff and funding). The House Committee on Science, Space, and Technology support NIST status quo and will support additional funding requests.
Office of Management and Budget The Office of Management and Budget should, consistent with its broad authority under the Paperwork Reduction Act, revise its existing policies and guidelines to ensure appropriate management involvement in security-related decisions governing the development of sensitive information systems.
Closed – Implemented
Like NIST, the Committee supports the OMB status quo. The Committee, realizing that there must be a period of time allowed for public comments on guidance and that OMB is involved with the approval process of computer security plans, recognizes that it will take several years for OMB to satisfy the Computer Security Act's requirements, thereby implementing this recommendation.
Social Security Administration The Social Security Administration (SSA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. SSA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. SSA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of SSA information security plans required by the Computer Security Act of 1987.
Closed – Implemented
SSA had included security standards in five of the eight stages in the systems development life cycle (SDLC) prescribed in its Software Engineering Technology (SET) manuals. During FY 1989, SSA completed the remaining three stages with security standards. SSA compared its SDLC security requirements against those in the GAO report and adjusted, as necessary.
United States Customs Service The U.S. Customs Service should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. Customs may find the forthcoming NBS Special Publication 500-153 useful in this analysis. Customs should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of Customs information security plans required by the Computer Security Act of 1987.
Closed – Implemented
As of May 10, 1989, all of the agencies, with the exception of NIST, OMB, and INS, had: (1) complied with the GAO recommendations; (2) met the minimum requirements of the Computer Security Act of 1987; and (3) submitted their computer security plans, which reflect their compliance.
Veterans Administration The Veterans Administration (VA) should evaluate its current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to ensure that systems are developed with appropriate security controls. VA may find the forthcoming NBS Special Publication 500-153 useful in this analysis. VA should also review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of VA information security plans required by the Computer Security Act of 1987.
Closed – Implemented
The Office of Systems Planning, Policy and Acquisition Control has completed its review of agency policy and included security and internal controls in VA life-cycle management policies. A review for security issues for systems under development was conducted and the results were incorporated in the security plans required by the Computer Security Act of 1987.

Full Report

Office of Public Affairs

Topics

Computer securityInformation systemsRequirements definitionSystems designAutomated security systemsInformation securitySensitive informationRisk assessmentAviationTelecommunications