Information Systems

Agencies Overlook Security Controls During Development

GAO ID: IMTEC-88-11, May 31, 1988

Pursuant to a congressional request, GAO reviewed federal civilian agencies' practices for incorporating security controls during the development of automated systems for sensitive information.

GAO found that the National Bureau of Standards (NBS), the Office of Management and Budget (OMB), and the General Services Administration issued considerable but general guidance for agencies to follow in incorporating security controls during systems development. GAO also found that agencies did not adequately: (1) determine their systems' security needs; (2) assess threats, vulnerabilities, and risks to their systems; (3) identify alternative system security approaches or compare their feasibility, costs, or benefits; (4) analyze potential risks for their specific system concepts; (5) define the sensitivity of their information; (6) define security requirements to permit implementation of appropriate controls; or (7) develop security test plans.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.