Computer Security

With malicious attacks on computer systems on the rise, GAO assessments have found that computer systems at the State Department are vulnerable to hackers, terrorists, and others seeking to damage the Department's operations or reap financial gains. For example, by accessing State's systems, someone could obtain sensitive information on diplomatic negotiations and agreements. Although State has some projects under way to improve the security of its information systems and help protect sensitive information, it lacks a security program that allows State officials to comprehensively manage the risks associated with the Department's operations. Clearly, State needs to speed its efforts to address these serious information security shortcomings. So far, however, its top managers have not shown a commitment to doing so. Internet security was the only area in which GAO found that State's controls were adequate. Plans to expand Internet use, however, will create new security risks. If State increases its use of the Internet before instituting a comprehensive security program and addressing the additional vulnerabilities unique to the Internet, it will unnecessarily increase the risk of unauthorized access to its systems and information.

GAO noted that: (1) State's information systems and the information contained within them are vulnerable to access, change, disclosure, disruption or even denial of service by unauthorized individuals; (2) GAO conducted penetration tests to determine how susceptible State's systems are to unauthorized access and found that it was able to access sensitive information; (3) moreover, GAO's penetration of State's computer resources went largely undetected, further underscoring the department's serious vulnerability; (4) the results of GAO's tests show that individuals or organizations seeking to damage State operations, commit terrorism, or obtain financial gain could possibly exploit the department's information security weaknesses; (5) although State has some projects under way to improve security of its information systems and help protect sensitive information, it does not have a security program that allows State officials to comprehensively manage the risks associated with the department's operations; (6) State lacks a central focal point for overseeing and coordinating security activities; (7) State does not routinely perform risk assessments to protect its sensitive information based on its sensitivity, criticality, and value; (8) the department's primary information security policy document is incomplete; (9) the department lacks key controls for monitoring and evaluating the effectiveness of its security programs and it has not established a robust incident response capability; (10) State needs to greatly accelerate its efforts and address these serious information security weaknesses; (11) however, to date, its top managers have not demonstrated that they are committed to doing so; (12) Internet security was the only area in which GAO found that State's controls were currently adequate; (13) however, plans to expand its Internet usage will create new security risks; (14) State conducted an analysis of the risks involved with using the Internet more extensively, but has not yet decided how to address the security risks of additional external connectivity to the concerns this review has raised; and (15) if State increases its Internet use before instituting a comprehensive security program and addresses the additional vulnerabilities unique to the Internet, it will unnecessarily increase the risks of unauthorized access to its systems and information.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: