Information Security

Vulnerabilities in DOE's Systems for Unclassified Civilian Research. GAO ID: AIMD-00-140, June 9, 2000

Unclassified information systems for scientific research are not consistently protected at all Department of Energy (DOE) laboratories. Although some laboratories are taking significant steps to strengthen access controls, many systems remain vulnerable. In four recent cases, Internet attacks forced DOE laboratories to disconnect their networks from the Internet, interrupting scientific research for as long as a week on at least two occasions. A major contributing factor to the continuing security shortfalls at these laboratories is that DOE lacks an effective program for consistently managing information technology security throughout the agency. Moreover, line management within DOE has not effectively overseen implementation of computer security at the laboratories. DOE is aware that its unclassified security program has been inadequate and has taken steps to improve it, including issuing an updated, unclassified information technology security policy and developing a five-year action plan. However, further action will be needed to reform the Department's line management oversight structure for information technology security.

GAO noted that:
(1) unclassified information systems for scientific research are not consistently protected at all DOE laboratories;
(2) although some laboratories are taking significant measures to strengthen access controls, many systems remain vulnerable;
(3) in four recent cases, Internet-based attacks forced specific laboratories to disconnect their networks from the Internet, interrupting scientific research for as long as a week on at least two occasions;
(4) independent reviews conducted at various DOE labs confirm significant continuing vulnerabilities;
(5) GAO supplemented these evaluations with its own penetration tests at four DOE laboratories;
(6) GAO tests showed that two of the laboratories have recently taken steps that would prevent many casual Internet-based attacks;
(7) nevertheless, some DOE systems remain vulnerable;
(8) a major contributing factor to the continuing existence of security vulnerabilities at the DOE laboratories is that DOE has not had an effective program for managing information technology (IT) security consistently throughout the department;
(9) GAO found that DOE lacks key elements of a comprehensive IT security program as outlined in GAO's 1998 Executive Guide;
(10) no security plans had been prepared for 17 of the 20 major systems in GAO's sample;
(11) DOE has not effectively assessed risks;
(12) although all but 2 of the 10 laboratories that GAO reviewed had performed risk assessments on a laboratorywide level, no system-specific risk assessments had been done for 19 of the 20 systems in GAO's sample;
(13) also, a lack of clear policy on what information is appropriate for public Internet access has led some laboratories to publicly post information on the World Wide Web that could facilitate a potential intruder's attempt to break into DOE systems;
(14) moreover, line management within the department has not effectively overseen implementation of computer security at the labs;
(15) few on-site audits or reviews have been conducted, and official IT security policies have not been enforced;
(16) DOE management is aware that its unclassified security program has been inadequate and has taken several steps to improve it, including issuing an updated IT security policy and developing a five-year action plan;
(17) the department's independent oversight function for information security was strengthened in 1999 and is now more active in reviewing IT security at the laboratories; and
(18) further continuing action will be needed to effectively reform the department's line management oversight structure for IT security.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.