USDA Information Security

Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure

GAO ID: AIMD-99-227, July 30, 1999

The Department of Agriculture's National Finance Center manages payroll, personnel, and accounting systems for many federal agencies, including GAO. Serious access control weaknesses have compromised the Center's ability to detect and prevent unauthorized changes to payment data or computer software, control electronic access to Thrift Savings Plan account information, and restrict physical access to sensitive computing areas. These weaknesses have increased the risk that users could cause improper payments. Sensitive information, such as personnel data, was vulnerable to misuse, improper disclosure, or destruction. Also, the Center's payroll processing and other financial management operations were vulnerable to disruption. Management at the Center recognizes the seriousness of these weaknesses and is committed to improving information system controls.

GAO noted that: (1) serious access control weaknesses affected NFC's ability to prevent or detect unauthorized changes to payroll and other payment data or computer software, control electronic access to Thrift Savings Program account information, and restrict physical access to sensitive computing areas; (2) these weaknesses increased the risk that users could cause improper payments; (3) in addition, sensitive information contained in NFC systems, including financial transaction data and personnel information, was vulnerable to inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction; (4) furthermore, NFC payroll processing and other financial management operations were vulnerable to disruption due to these weaknesses; (5) GAO found significant problems related to the center's control and oversight of access to its systems and the data maintained on these systems; (6) NFC was not adequately limiting the access of authorized users or controlling its operating system software to prevent access controls from being circumvented; (7) for several years, the Office of Inspector General has reported that access control procedures were weak; (8) the access control weaknesses GAO identified were further compounded because NFC was not sufficiently protecting or overseeing access to its network; (9) the center was not providing adequate physical security for its computer resources; (10) the access control weaknesses GAO found indicated that NFC's computer security planning and management program had not adequately ensured that information system controls continued to work effectively; (11) an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; (12) NFC management has recognized the seriousness of the weaknesses GAO identified and expressed its commitment to improving information system controls; (13) in commenting on this report, the director of NFC agreed with GAO's findings and recommendations; (14) the director also stated that NFC had corrected most of the information security weaknesses GAO identified and planned actions to address remaining weaknesses; (15) NFC stated that it intends to strengthen its computer security planning and management program to encompass the best practices described in GAO's May 1998 report; and (16) addressing these issues will help ensure that an effective computer security environment is achieved and maintained.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.