Automated Systems Security--Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data

Gao ID: LCD-78-123 January 23, 1979

GAO surveyed selected agencies in 1977 because of the generally high level of congressional interest in federal information policies following the enactment of the Privacy Act and the Freedom of Information Act Amendments in 1974. Subsequently, GAO was specifically requested to examine and report on the status and effectiveness of major computer security programs.

At a time when increasing reliance is placed on computers and rapidly advancing ADP technology, security procedures for systems processing personal and other sensitive data generally were inadequate. The agencies: (1) lacked comprehensive computer security programs and technical, administrative, and physical safeguards; (2) did not place the computer security functions at a sufficiently high level, with independence from operating functions, to preclude preemption by operational priorities; (3) did not understand and employ risk management techniques for economic selection of safeguards; (4) did not take advantage of the technical guidance provided by the National Bureau of Standards; and (5) did not effectively use their internal audit resources.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: No director on record Team: No team on record Phone: No phone on record


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.