GAO discussed the Department of Justice's (DOJ): (1) recent sale of surplus computer equipment that was later found to have highly sensitive data; and (2) continuing exposure to similar breaches of security. GAO noted that DOJ: (1) showed patterns of neglect and inattention in ensuring information security nationwide; (2) was unable to provide it with such basic factual information as the total number of employees in the U.S. Attorneys' Offices nationwide; and (3) could not be trusted to safely secure sensitive data.
Recommendations for Executive Action
| Agency | Recommendation |
|---|---|
| Department of Justice | 1. Because of the seriousness of this situation and the possibility of loss of life, the Attorney General should immediately identify all computer equipment designated surplus by DOJ components and determine whether it contained sensitive data. |
| Department of Justice | 2. Because of the seriousness of this situation and the possibility of loss of life, the Attorney General should immediately ensure that every DOJ component that may have compromised sensitive data immediately prepare a damage assessment of the impact of the compromise on carrying out its mission and on the identity of such people as witnesses, confidential informants, and undercover agents. |
| Department of Justice | 3. The Attorney General should report the compromise of sensitive data and various security deficiencies as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA), and discuss the actions that will be taken to correct these weaknesses. |
| Office of Management and Budget | 4. The Director, Office of Management and Budget (OMB), should designate computer security at DOJ as a high-risk area. |