Information Security

Recent audit evidence indicates that serious and widespread weaknesses in information security are jeopardizing the government's ability to adequately protect (1) federal assets from fraud and misuse; (2) sensitive information from inappropriate disclosure; and (3) critical operations, including some affecting public safety, from disruption. Significant information security weaknesses were reported in each of the 24 largest federal agencies, with inadequately restricted access to sensitive data being the most commonly cited problem. These weaknesses place critical government operations, such as national defense, tax collection, law enforcement, and benefits payments, as well as the assets associated with these operations, at great risk for fraud, disruption, and inappropriate disclosures. Also, many intrusions or other potentially malicious acts could be occurring but going undetected because agencies have not introduced effective controls to identify suspicious activity in their networks and computer systems. Individual agencies have not done enough to effectively address these problems. Similarly, agency performance in this area is not being adequately managed from a governmentwide perspective, although some important steps have been taken. In GAO's view, what is needed is a coordinated and comprehensive strategy that incorporates the worthwhile efforts already under way and takes advantage of the expanded amount of evidence that has become available in recent years. GAO summarized this report in testimony before Congress; see: Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets, by Gene L. Dodaro, Assistant Comptroller General for Accounting and Information Management Issues, before the Senate Committee on Governmental Affairs. GAO/T-AIMD-98-312, Sept. 23 (19 pages).

GAO noted that: (1) the expanded amount of audit evidence that has become available since mid-1996 describes widespread and serious weaknesses in the federal government's ability to adequately protect: (a) federal assets from fraud and misuse; (b) sensitive information from inappropriate disclosure; and (c) critical operations, including some affecting public safety, from disruption; (2) significant information security weaknesses were reported in each of the 24 largest federal agencies, with inadequately restricted access to sensitive data being the most widely reported problem; (3) this and the other types of weaknesses identified place critical government operations at great risk of fraud, disruption, and inappropriate disclosures; (4) in addition, many intrusions or other potentially malicious acts could be occurring but going undetected because agencies have not implemented effective controls to identify suspicious activity on their networks and computer systems; (5) agency officials have not instituted procedures for ensuring that risks are fully understood and that controls implemented to mitigate risks are effective; (6) implementing such procedures as part of a proactive, organization-wide security management program is essential in today's interconnected computing environments; (7) similarly, agency performance in this area is not yet being adequately managed from a governmentwide perspective, although some important steps have been taken; (8) the CIO Council, under OMB's leadership, designated information security as a priority area in late 1997 and, since then, has taken some steps to develop a preliminary strategy, promote awareness, and identify ways to improve a federal incident response program; (9) in May 1998, Presidential Decision Directive (PDD) 63 on critical infrastructure protection was issued; (10) PDD 63 acknowledged computer security as a national security risk and established several entities to address critical infrastructure protection, including federal agency information infrastructures; (11) what needs to emerge is a coordinated and comprehensive strategy that incorporates the worthwhile efforts already under way and takes advantage of the expanded amount of evidence that has become available in recent years; and (12) the objectives of such a strategy should be to encourage agency improvement efforts and measure their effectiveness through an appropriate level of oversight.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: