Serious Questions Remain About Justice's Management of ADP and Computer Security

GAO discussed the Department of Justice's (DOJ) management of its automatic data processing (ADP) resources and its computer security. GAO noted that: (1) the actions DOJ took to address ADP management shortcomings have mainly been organizational and structural and may be insufficient to solve the pervasive problems in DOJ information resources management (IRM); (2) DOJ lacks a system that can accurately provide the total number of cases in litigation or the total number of litigation staff; (3) DOJ lacks a comprehensive IRM plan and a senior IRM official with clear authority to implement IRM decisions; and (4) DOJ acknowledged that it did not have sufficient staff with adequate technical and managerial capabilities to conduct ADP acquisitions and provide oversight. GAO also noted that: (1) DOJ did not ensure adequate protection of its computer systems containing highly sensitive data; (2) DOJ did not control access to its main data center or position guards to adequately protect and survey the facility; (3) DOJ disposed of excess computer equipment which was later discovered to contain highly sensitive data; (4) to improve computer system security, DOJ established a more active leadership role for security staff, planned a major security upgrade of its data center, and increased security awareness training; and (5) DOJ did not develop security plans or conduct risk analyses for its planned Enhanced Automation for the Government Legal Environment network of computer systems, intended to hold highly sensitive law enforcement information.