United States General Accounting Office
Accounting and Information Management Division
Washington, DC 20548

B-284007

November 10, 1999

The Honorable Dianne Feinstein
Ranking Minority Member
Subcommittee on Technology, Terrorism and Government Information
Committee on the Judiciary
United States Senate

Subject: Information Security: Weaknesses at 22 Agencies

Dear Senator Feinstein:

On October 6, 1999, I testified before the Subcommittee on the need for improved federal information security.[1] I noted that audits by GAO and agency inspectors general show that 22 of the largest federal agencies were not adequately protecting critical federal operations and assets from computer-based attacks. I concluded that addressing this widespread and persistent problem would require significant management attention and action within individual agencies as well as increased coordination and oversight at the governmentwide level. During the question-and-answer period of that hearing, you requested that we provide summaries of significant information security weaknesses previously reported at those 22 federal agencies. My response to your request is included in the two enclosures to this letter.

Enclosure 1 provides brief summaries of the reported information security weaknesses at each of the 22 federal agencies and cites the reports from which this information was drawn. These reports were issued from May 1998 through October 1999, and they describe conditions that existed at the time of the related audits. Since then, many agencies have undertaken efforts to correct reported weaknesses. However, until the results of subsequent audits become available, we cannot assess the effectiveness of these corrective actions.

[1] Critical Infrastructure Protection: Fundamental Improvements Needed to Assure Security of Federal Operations (GAO/T-AIMD-00-7, October 6, 1999).
GAO/AIMD-00-32R Federal Information Security Weaknesses

B-284007

Enclosure 2 lists GAO reports that chronicle our assessments of federal information security since 1993. These reports provide additional insight into widespread information security weaknesses in the federal government.

We are sending a copy of this response to the Honorable Jon Kyl, Chairman, Subcommittee on Technology, Terrorism and Government Information, Senate Committee on the Judiciary.

Please contact me at (202) 512-6240 or Bob Dacey, Director, Consolidated Audit and Computer Security Issues, at (202) 512-3317, if you or your staff have any questions. I can also be reached by e-mail at firstname.lastname@example.org. Key contributors to this summary were Jean Boltz, David Irvin, and Jeffrey Knott.

Sincerely yours,

Jack L. Brock
Director, Governmentwide and Defense Information Systems

Enclosures

Enclosure 1

Information Security Weaknesses Reported for Federal Agencies From May 18, 1998 to October 4, 1999

Department of Agriculture

In July 1999, we reported that the Department of Agriculture's (USDA) National Finance Center (NFC) had serious access control weaknesses that affected its ability to prevent and/or detect unauthorized changes to payroll and other payment data or computer software. NFC develops and operates administrative and financial systems, including payroll/personnel, property management, and accounting systems for both the USDA and over 60 other federal organizations. During fiscal year 1998, NFC processed more than $19 billion in payroll payments for more than 450,000 federal employees. NFC is also responsible for maintaining records for the world's largest 401(k)-type program, the federal Thrift Savings Program. This program, which is growing at about $1 billion per month, covers about 2.3 million employees and had over $60 billion in assets as of September 30, 1998.
The weaknesses we identified increased the risk that users could cause improper payments and that sensitive information could be misused, improperly disclosed, or destroyed. Also, in February 1999, the USDA IG reported that Rural Development had not implemented a "firewall system" to provide security over Internet telecommunications.

USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-99-227, July 30, 1999) and U.S. Department of Agriculture Consolidated Financial Statements for Fiscal Year 1998, Audit Report No. 50401-30-FM, February 1999.

Department of Commerce

In March 1999, the Department of Commerce Inspector General (IG) reported weaknesses in the Department's information system controls. The review found that formal, comprehensive security policies did not exist or were incomplete. Also, controls over access to operating systems and the associated financial applications were inadequate, and controls associated with the procedures for making software changes were weak. Weaknesses also existed in properly segregating duties and controlling physical access to the data centers. Furthermore, disaster recovery plans were incomplete or outdated.

U.S. [title illegible in source], Office of Inspector General, Audit Report No. FSD-1OS999-0001, March 1999.

Department of Defense

In August 1999, we reported that serious weaknesses in Department of Defense (DOD) information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data. These weaknesses impair DOD's ability to (1) control physical and electronic access to its systems and data, (2) ensure that software running on its systems is properly authorized, tested, and functioning as intended, (3) limit employees' ability to perform incompatible functions, and (4) resume operations in the event of a disaster.
As a result, numerous Defense functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been adversely affected by system attacks or fraud.

DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk (GAO/AIMD-99-107, August 26, 1999).

Department of Education

In May 1998, the Department of Education IG reported that improvements were required in security over financial systems and in disaster recovery capabilities. The deficiencies in the department's payment system could have enabled unauthorized users to access confidential data, change data, make unauthorized payments, or bring down the system. The payment system was used to annually process about $33 billion in grant and contract disbursements. Education decided to spend minimal resources on the system, which was replaced in fiscal year 1998 with a core financial management system.

Annual Accountability Report - Fiscal Year Ended September 30, 1997, Office of the Chief Financial Officer, July 21, 1998. (As of October 15, 1999, the Department of Education IG had not published its fiscal year 1998 consolidated financial statement audit report, which is expected to include an updated assessment of information system general controls.)

Department of Energy

In its fiscal year 1998 accountability report, the Department of Energy (DOE) recognized the need to improve unclassified computer security, noting the apparent increase in system and network vulnerabilities at the department. Such vulnerabilities increase the likelihood of unauthorized intrusions into DOE's publicly available systems. The report states that one of the primary causes was the lack of a meaningful policy and program framework, while another root cause was the lack of awareness of system vulnerabilities by employees, line managers, and upper management.

U.S.
Department of Energy Fiscal Year 1998 Accountability Report, DOE/CR-0067, February 1999.

Environmental Protection Agency

In September 1999, the Environmental Protection Agency (EPA) IG reported weaknesses in critical mainframe operating system software controls. These weaknesses could affect system integrity, or allow a knowledgeable user to circumvent or disable security mechanisms and/or modify programs or data files on the computer without leaving an audit trail. The IG also identified continuing security concerns for regional computer facilities and data, citing weaknesses in security planning, contingency and disaster recovery planning, and security training.

Environmental Protection Agency Office of Inspector General Audit Report - Financial Management: Audit of EPA's Fiscal 1998 Financial Statements, Report Number 99B0003, September 28, 1999.

Federal Emergency Management Agency

In February 1999, as part of its audit of the Federal Emergency Management Agency's (FEMA) financial statements, an independent accounting firm reported information system security and access control deficiencies. The firm concluded that these deficiencies indicate that FEMA's computer-based controls do not contribute to the reliability of the accounting systems.

Federal Emergency Management Agency Office of Inspector General Audit Division, Auditor's Report on FEMA's Fiscal Year 1998 Financial Statements, H-[report number illegible in source]99, March 1999.

General Services Administration

In February 1999, an independent accounting firm recommended that GSA (1) strengthen logical and physical access controls over its information technology environment, and (2) apply security policies and procedures uniformly across service lines.
The firm's review of four GSA systems identified weaknesses associated with (1) logical access granted being consistent with job responsibilities, (2) controls to monitor and detect unauthorized access, (3) physical access to computer resources, and (4) access privileges for users who had been terminated or had changed job responsibilities. These four systems include processes for accounting, tracking real property, supporting GSA's worldwide supply function, and managing its motor vehicle fleet. The firm also found that security policies and procedures throughout GSA did not in all cases address control issues such as password administration and management, access violation monitoring, and security awareness training. In the absence of certain preventive and detective controls, GSA cannot ensure that its mission critical applications and data are protected from unauthorized access, modification, or deletion by internal users or external sources.

GSA 1998 Annual Report, February 1999.

Department of Health and Human Services

In February 1999, the Health and Human Services IG reported serious control weaknesses associated with the Department's Health Care Financing Administration (HCFA) computers. HCFA relies on extensive automated operations at both its central office and the Medicare contractors to administer the Medicare program and to process and account for Medicare expenditures. The HCFA central office maintains administrative data, such as Medicare enrollment, eligibility, and paid claims data, and processes all payments for managed care. In fiscal year 1998, managed care payments totaled $33 billion.

United States Department of Health and Human Services, Accountability Report: Fiscal Year 1998, February 26, 1999.
Department of Housing and Urban Development

In March 1999, the Housing and Urban Development (HUD) IG reported the need for improvements related to general system security, administration of personnel security operations, and access controls over HUD's two major payment systems. The IG identified general system security weaknesses associated with protecting sensitive and critical mainframe systems, administering local area network passwords, monitoring network security, developing and testing disaster recovery plans, and controlling software changes for critical mainframe applications. HUD's automated information systems are critical in supporting all facets of its programs, including mortgage insurance, servicing, and administrative operations. During fiscal year 1998, HUD's two major payment systems processed disbursements for approximately $33 billion, including support of Section 8 programs and a broad range of grants to states, municipalities, independent companies, nonprofit institutions, and individuals.

Office of Inspector General Audit Report - U.S. Department of Housing and Urban Development Audit of Fiscal Year 1998 Financial Statements, 99-FO-177-0003, March 29, 1999.

Department of the Interior

In April 1999, the Interior IG reported general control weaknesses at the Bureau of Indian Affairs and the U.S. Geological Survey. The IG considered general controls over certain automated information systems operated by the Bureau of Indian Affairs to be ineffective.
For example, the Bureau did not (1) have an effective security program, (2) classify resources to determine the security level needed, (3) properly safeguard computer hardware, (4) perform reviews to ensure appropriate user access levels, (5) have segregation of duties for system support functions, (6) have controls over system software to effectively detect and deter inappropriate use, and (7) have an effective means of recovering or continuing computer operations in the event of system failure. The IG also reported that security weaknesses identified at one of the U.S. Geological Survey's data centers increased the risk of unauthorized access and modifications to, and disclosure of, information processed on the data center's mainframe computer.

[title illegible in source], April 1999.

Department of Justice

In February 1999, the Department of Justice IG reported that improvements were needed in general controls at the department's data centers and component financial management systems. For example, at the Federal Bureau of Investigation, improvements were needed to correct deficiencies associated with entitywide security program enhancements, logical access controls, a formal change control process, and a comprehensive, tested business continuity plan. The Drug Enforcement Administration lacked an incident response training program for certain systems, a disaster recovery plan that includes alternate backup sites, and access controls that ensure transferred or terminated employees are promptly removed from user access files. Similar issues were noted at the Immigration and Naturalization Service and the U.S. Marshals Service. The control weaknesses identified increase the risk that software programs and data processed on these systems are not adequately protected from unauthorized access.

U.S. [title illegible in source], Office of the Inspector General, Report Number 99-05, February 1999.
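The GSA and Justice findings above share one control failure: accounts belonging to employees who had been terminated or had changed job responsibilities were not promptly removed or adjusted, and access held was not reviewed against job duties. The script below is an added illustration, not part of this GAO letter or of any agency's audit program, of the periodic reconciliation such an access review performs: it compares a system's account list against the HR roster and reports enabled accounts of terminated staff, accounts with no HR record at all, privileges that exceed the holder's current role, and dormant accounts. The roster, account list, role-to-privilege table and field names are all constructed for the example.

```python
"""Reconcile system accounts against an HR roster (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role-to-privilege table: the maximum privileges a job role should hold.
ROLE_PRIVILEGES = {
    "accounting_clerk": {"read", "enter_transaction"},
    "accounting_supervisor": {"read", "enter_transaction", "approve_payment"},
    "fleet_manager": {"read", "update_vehicle"},
    "system_administrator": {"read", "admin"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    privileges: frozenset
    enabled: bool
    last_login: date


def reconcile(roster, accounts, today, stale_after_days=90):
    """Return (user_id, finding) pairs for an access review.

    Disabled accounts are skipped; a terminated employee's account produces a
    single finding and is not checked further, since it should be removed.
    """
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "account has no matching HR record"))
            continue
        if emp.status == "terminated":
            findings.append((acct.user_id, "enabled account for terminated employee"))
            continue
        allowed = ROLE_PRIVILEGES.get(emp.role, set())
        excess = acct.privileges - allowed
        if excess:
            findings.append((acct.user_id, "privileges exceed role %s: %s"
                             % (emp.role, ", ".join(sorted(excess)))))
        if today - acct.last_login > timedelta(days=stale_after_days):
            findings.append((acct.user_id, "no login in %d days" % stale_after_days))
    return findings


# Constructed sample data: a small roster and the matching account list.
ROSTER = [
    Employee("jdoe", "accounting_clerk", "active"),
    Employee("asmith", "accounting_supervisor", "active"),
    Employee("bjones", "fleet_manager", "terminated"),      # left the agency
    Employee("clee", "accounting_clerk", "active"),         # moved down from supervisor
]
ACCOUNTS = [
    Account("jdoe", frozenset({"read", "enter_transaction"}), True, date(1999, 6, 1)),
    Account("asmith", frozenset({"read", "enter_transaction", "approve_payment"}), True, date(1999, 9, 28)),
    Account("bjones", frozenset({"read", "update_vehicle"}), True, date(1999, 6, 1)),
    Account("clee", frozenset({"read", "enter_transaction", "approve_payment"}), True, date(1999, 9, 30)),
    Account("contractor7", frozenset({"read", "admin"}), True, date(1999, 9, 29)),
    Account("oldacct", frozenset({"read"}), False, date(1998, 1, 1)),
]
REVIEW_DATE = date(1999, 10, 1)


def review_sample():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, finding in review_sample():
        print("%-12s %s" % (user_id, finding))
```

Run as-is it reports four findings on the sample data: a dormant clerk account, the terminated fleet manager's still-enabled account, a clerk who kept the approve_payment privilege from a previous role, and an account with no HR record. In practice the roster and account list would be exported from the HR system and from each application or platform under review, and the role table would be the agency's own authorization matrix.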
Department of Labor

In February 1999, the Department of Labor IG reported weaknesses associated with entitywide security, access controls, and application software development and change control. For example, standard security-related personnel policies had not been developed or coordinated for five of the six systems reviewed. As a result, these systems were exposed to potential risks that may result from accidental and/or intentional personnel security failures or violations. Also, for five of the six systems reviewed, independent risk assessments had not been performed or properly documented on a regular basis or whenever systems had changed. If risk assessments are not performed, then it is likely that threats and vulnerabilities are not being identified and considered.

U.S. Department of Labor Consolidated Financial Statement Audit, Office of Inspector General, Report Number 12-99-002-13-001, February 26, 1999.

National Aeronautics and Space Administration

In May 1999, we reported that, as part of our tests of the National Aeronautics and Space Administration's (NASA) computer-based controls, we successfully penetrated several mission-critical systems, including one responsible for calculating detailed positioning data for earth orbiting spacecraft and another that processes and distributes the scientific data received from these spacecraft. Having obtained access, we could have disrupted ongoing command and control operations and stolen, modified, or destroyed system software and data. A major factor in our ability to penetrate these systems was that NASA was not effectively managing information security throughout the agency.

Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 20, 1999).
Office of Personnel Management

In February 1999, an independent accounting firm reported weaknesses in OPM's entity-wide security program, access controls, application change control, and service continuity based on its overall assessment of OPM's information system control environment. The firm found that the Retirement and Insurance Service's mainframe security policies did not specifically address important aspects of security, and its local area network did not have formal documented security policies and procedures. As a result, security controls may be inadequate, responsibilities may be unclear, and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

Office of Personnel Management - Financial Statements - Retirement Program, Health Benefits Program, Life Insurance Program - Fiscal Year 1998, Report Number 2F-00-98 103, March 1, 1999.

Small Business Administration

In September 1999, the Small Business Administration (SBA) IG reported that SBA's general controls did not fully comply with established policies and procedures. For example, (1) SBA had not funded and implemented an entitywide security program, (2) unnecessary and excessive access privileges reduced accountability and created segregation of duties weaknesses, (3) application development and change control procedures were not consistently applied in systems outside the Office of the Chief Information Officer's control, (4) programmers' abilities to access operating systems could not be monitored, and (5) security administrators and program managers needed training.
As a result of such weaknesses, SBA personnel, contractors, and business partners had access to information and functions involving loan applications, financial obligations, collections, disbursements, and write-offs that may be unnecessary or reduce accountability. This increased the risks of financial loss and misuse of information.

Audit of SBA's Information Systems Controls, U.S. Small Business Administration, Office of Inspector General, Audit Report Number 9-19, September 2, 1999.

Social Security Administration

In November 1998, an independent accounting firm found that the Social Security Administration's (SSA) systems environment remained threatened by weaknesses in several components of its information protection control structure. Weaknesses were noted in the entitywide security program, and associated weaknesses were identified in local area network and distributed systems security, SSA's mainframe computer security (controlling access to sensitive information), and physical access controls. The firm concluded that, until corrected, these weaknesses would continue to increase the risks of unauthorized access to, and modification or disclosure of, sensitive SSA information. In turn, unauthorized access to sensitive data can result in the loss of data, loss of trust fund resources, and compromised privacy of information associated with SSA's enumeration, earnings, retirement, and disability processes and programs. SSA programs disbursed about $416 billion in fiscal year 1998, and delivered cash benefits to about 50 million beneficiaries every month.

[title illegible in source], November 20, 1998.

Department of State

In August 1999, an independent accounting firm reported that the Department of State's mainframe computers for domestic operations are considered vulnerable to unauthorized access. Consequently, other systems, which process data using these computers, may also be vulnerable.
Similar weaknesses were found in the Paris Financial Service Center's Accounting and Disbursing Center. A year earlier, in May 1998, we had reported that our tests at State demonstrated that its computer systems and the information they maintained were very susceptible to hackers, terrorists, or other unauthorized individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses. For example, without any passwords or specific knowledge of State's systems, we successfully gained access to State's networks through dial-in connections to modems. Having obtained this access, we could have modified, stolen, downloaded, or deleted important data; shut down services; and monitored network traffic, such as e-mail and data files. In addition, we were able to circumvent State's internal network security controls and access information and sensitive data that would normally be off limits to most employees.

Audit of the Department of State's 1997 and 1998 Principal Financial Statements, Leonard G. Birnbaum and Company, LLP, August 9, 1999; Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 18, 1998).

Department of Transportation

In March 1999, the Department of Transportation IG reported that DOT's Intermodal Data Network, which connects local area networks within DOT agencies, was found vulnerable to unauthorized access. This weakness was identified in fiscal year 1996 and considered on target for correction as of December 1998. DOT was continuing work to ensure that weaknesses identified in a previous GAO report were corrected.
In May 1998, we reported that the Federal Aviation Administration's controls were ineffective in all critical areas included in our security review, including facilities physical security, operational systems information security, future systems modernization security, management structure, and policy implementation. Vulnerabilities created by inadequate controls place the safety of the airplane passengers at risk, while sensitive information could be compromised and flight services interrupted.

Office of Inspector General Audit Report - Fiscal Year 1998 Consolidated Financial Statements, Department of Transportation, Report Number FE1999081, March 30, 1999, and Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety (GAO/AIMD-98-155, May 18, 1998).

Department of the Treasury

In December 1998, we reported that weaknesses in the Internal Revenue Service's (IRS) computer security controls continued to place IRS' automated systems and taxpayer data at serious risk to both internal and external threats that could result in the denial of computer services or in the unauthorized disclosure, modification, or destruction of taxpayer data. Also, in October 1999, we reported that general computer controls at the Department's Financial Management Service and its contractor data centers placed its financial systems at significant risk of unauthorized disclosure and modification of sensitive data and programs, misuse or damage to computer resources, or disruption of critical operations. As a result, billions of dollars of payments and collections were at risk of fraud.

IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk (GAO/AIMD-99-38, December 14, 1998) and Financial Management Service: Significant Weaknesses in Computer Controls (GAO/AIMD-00-4, October 4, 1999).
Department of Veterans Affairs

In October 1999, we reported that Department of Veterans Affairs (VA) systems continued to be vulnerable to unauthorized access. VA operates the largest health care delivery system in the United States and reported spending more than $17 billion on medical care in fiscal year 1998. The department also processed more than 42 million benefit payments totaling about $22 billion in fiscal year 1998 and provided life insurance protection through more than 2.4 million policies that represented about $23 billion in coverage. In providing these benefits and services, VA collects and maintains sensitive medical record and benefit payment information for veterans and their family members. We, as well as the VA IG, continued to find serious problems that placed sensitive information at increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection. For example, at one VA insurance center, 265 users who had not been authorized to perform data entry had the ability to read, write, and delete information related to insurance awards. Such unauthorized access could lead to improper insurance payments.

Information Systems: The Status of Computer Security at the Department of Veterans Affairs (GAO/AIMD-00-05, October 4, 1999).

U.S. Agency for International Development

In March 1999, the U.S. Agency for International Development (USAID) IG reported that USAID's client-server and mainframe general controls are not effective. Specifically, the audit found that USAID's (1) entity-wide security program and management, (2) access controls, (3) application software development and change control, and (4) segregation of computer system duties provided inadequate control over client-server and mainframe operations.
Also, deficiencies were noted for system software controls and continuity of services for the client-server computer environment. Because of these weaknesses, USAID lacks the assurance that the data are accurately processed or that systems and data are adequately secured. A primary reason for the ineffective controls is the lack of an agencywide security program that includes clear security responsibilities and agencywide security processes.

Audit of General Controls Over USAID's Mainframe Computer Environment, Office of the Inspector General, Audit Report No. A-000-99-004-P, March 1, 1999 and Audit of General [title partly illegible in source], Office of the Inspector General, Audit Report No. A-000-99-00[illegible]-P, March 1, 1999.

Enclosure 2

GAO Information Security Reports and Testimony Issued Since September 1993

Critical Infrastructure Protection: Fundamental Improvements Needed to Assure Security of Federal Operations (GAO/T-AIMD-00-7, October 6, 1999).

Financial Management Service: Significant Weaknesses in Computer Controls (GAO/AIMD-00-4, October 4, 1999).

Information Systems: The Status of Computer Security at the Department of Veterans Affairs (GAO/AIMD-00-5, October 4, 1999).

Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experiences (GAO/AIMD-00-1, October 1, 1999).

Information Security: The Proposed Computer Security Enhancement Act of 1999 (GAO/T-AIMD-99-302, September 30, 1999).

Federal Reserve Banks: Areas for Improvement in Computer Controls (GAO/AIMD-99-280, September 15).

Information Security: NRC's Computer Intrusion Detection Capabilities (GAO/AIMD-99-273R, August 27, 1999).

DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk (GAO/AIMD-99-107, August 26, 1999).

Battlefield Automation: Opportunities to Improve the Army's Information Protection Effort (GAO/NSIAD-99-166, August 18, 1999).
Information Security: Answers to Posthearing Questions (GAO/AIMD-99-272R, August 9, 1999).

Bureau of the Public Debt: Areas for Improvement in Computer Controls (GAO/AIMD-99-242, August 6, 1999).

USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-99-227, July 30, 1999).

Medicare: Improvements Needed to Enhance Protection of Confidential Health Information (GAO/HEHS-99-140, July 20, 1999).

Medicare: HCFA Needs to Better Protect Beneficiaries' Confidential Health Information (GAO/T-HEHS-99-172, July 20, 1999).

Information Security: Recent Attacks on Federal Web Sites Underscore Need for Strengthened Information Security Management (GAO/T-AIMD-99-223, June 24, 1999).

VA Information Systems: The Austin Automation Center Has Made Progress in Improving Information System Controls (GAO/AIMD-99-161, June 8, 1999).

Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 20, 1999).

Information Security: The Melissa Computer Virus Demonstrates Urgent Need for Stronger Protection over Systems and Sensitive Data (GAO/T-AIMD-99-146, April 15, 1999).

Financial Audit: 1998 Consolidated Financial Statements of the United States Government (GAO/AIMD-99-130, March 31, 1999).

Securities Fraud: The Internet Poses Challenges to Regulators and Investors (GAO/T-GGD-99-34, March 22, 1999).

IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk (GAO/AIMD-99-38, December 14, 1998).

Financial Management Service: Areas for Improvement in Computer Controls (GAO/AIMD-99-10, October 20, 1998).

Federal Reserve Banks: Areas for Improvement in Computer Controls (GAO/AIMD-99-6, October 14, 1998).

Bureau of the Public Debt: Areas for Improvement in Computer Controls (GAO/AIMD-99-2, October 14, 1998).
[title partly illegible in source] and Controls (GAO/AIMD-98-274, September 28, 1998).

Information Security: [title partly illegible in source] at Risk (GAO/AIMD-98-92, September 23, 1998).

Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets (GAO/T-AIMD-98-312, September 23, 1998).

VA Information Systems: Computer Control Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-98-175, September 23, 1998).

Defense Information Superiority: Progress Made, but Significant Challenges Remain (GAO/NSIAD/AIMD-98-257, August 31, 1998).

FAA Systems: Serious Challenges Remain in Resolving Year 2000 and Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998).

DOD's Information Assurance Efforts (GAO/NSIAD-98-132R, June 11, 1998).

Information Security: Serious Weaknesses Put State Department and FAA Operations at Risk (GAO/T-AIMD-98-170, May 19, 1998).

Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 18, 1998).

Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety (GAO/AIMD-98-155, May 18, 1998).

Executive Guide: Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May 1998).

U.S. Government Financial Statements: Results of GAO's Fiscal Year 1997 Audit (GAO/T-AIMD-98-128, April 1, 1998).

Financial Audit: 1997 Consolidated Financial Statements of the United States Government (GAO/AIMD-98-127, March 31, 1998).

Financial Audit: Examination of IRS' Fiscal Year 1996 Custodial Financial Statements (GAO/AIMD-98-18, December 24, 1997).

Financial Management: Review of the Military Retirement Trust Fund's Actuarial Model and Related Computer Controls (GAO/AIMD-97-128, September 9, 1997).

Financial Audit: Examination of IRS' Fiscal Year 1996 Administrative Financial Statements (GAO/AIMD-97-89, August 29, 1997).
Small Business Administration: Better Planning and Controls Needed for Information Systems (GAO/AIMD-97-94, June 27, 1997).

Social Security Administration: Internet Access to Personal Earnings and Benefits Information (GAO/T-AIMD/HEHS-97-123, May 6, 1997).

Budget Process: Comments on S.261 - Biennial Budgeting and Appropriations Act (GAO/AIMD-97-84).

IRS Systems Security and Funding: Employee Browsing Not Being Addressed Effectively and Budget Requests for New Systems Development Not Justified (GAO/T-AIMD-97-82, April 15, 1997).

IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/T-AIMD-97-76, April 10, 1997).

IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses (GAO/AIMD-97-49, April 8, 1997).

High Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).

Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996).

Financial Audit: Examination of IRS' Fiscal Year 1995 Financial Statements (GAO/AIMD-96-101, July 11, 1996).

Tax Systems Modernization: Actions Underway But IRS Has Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996).

Information Security: Computer Hacker Information Available on the Internet (GAO/T-AIMD-96-108, June 5, 1996).

Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996).

Information Security: [title partly illegible in source] Risks (GAO/T-AIMD-96-92, May 22, 1996).

Security Weaknesses at IRS' Cyberfile Data Center (GAO/AIMD-96-85R, May 9, 1996).

Tax Systems Modernization: Management and Technical Weaknesses Must Be Overcome to Achieve Success (GAO/T-AIMD-96-75, March 26, 1996).

Financial Audit: Federal Family Education Loan Program's Financial Statements for Fiscal Years 1994 and 1995 (GAO/AIMD-96-22, February 26, 1996).
Financial Management: General Computer Controls at the Senate Comwter Center (GAO/AZMD-9615, December 22,1995). E’inancialf Financial Officers Act (GAOm-AIMD-961, November 14,1995). Financial Audit: Examination of IRS’ Fiscal Year 1994 Financial Statements (GAO/ Al-MD-95141, August 4,1995). Financial Audit: Resolution Trust Corporation’s 1994 and 1993 Financial Statements (GAO/MD-95-157, June 22,1995). Page 15 GAO/AI&ID-OO-32R Federal Information Security Weaknesses Enclosure 2 Federal Familv Education Loan Information Svstem: Weak Computer Controls increase Risk of Unauthorized Access to Sensitive Data (GAO/AIMD-95-117, June 12, 1995). Deoartment of Energv Procedures Lacking to Protect Computerized Data (GAO/ AIMD-95118, June 5,1995). Financial Management Control Weaknesses Increase Risk of Improper Navv Civilian Pavroll Pavments (GAO/AIMD-95-73, May 8,1995). Information Superhighwav: An Overview of Technoloev Challenges (GAO/AIMD-9523, January 23,1995). IRS Automation: Controlling Electronic Filing Fraud and Improper Access to Taxoaver Data (GAO/T-AIMD/GGD-94-183, July 19,1994). Financial Audit: Federal Familv Education LoanProgram’s Financial Statements for Fiscal Years 1993 and 1992 (GAO/A.IMD-94131, June 30, 1994). Financial Audit: Examination of Customs’ Fiscal Year 1993 Financial Statements (GAO/AIMD-94-119, June 15, 1994). Financial Audit: Examination of IRS’ Fiscal Year 1993 Financial Statements(GAO/ AIMD-94120, June 15,1994). HUD Information Resources Strategic Focus and Improved Management Controls Needed (GAO/AIMD-9434, April 14,1994). Financial Audit Federal Deoosit Insurance Corooration’s Internal Controls as of December 31.1992 (GAO/A.IMD-9435, February 4,1994). Financial Management Strong Leadership Needed to Improve Armv’s FinanciaI Accountabilitv (GAO/AIMD-9412, December 22,1993). Communications Privacy Federal Policv and Actions (GAO/OSI-942, November 4, 1993). 
Document Securitv Justice Can Imorove Its Controls Over Classified and Sensitive Documents (GAO/GGD-93-134, September 7,1993). IRS Information Svstems: Weaknesses Increase Risk of Fraud and Impair Reliabilitv of Manapement Information (GAO/AIMD-93-34, September 22,1993). I (511863) Page 16 GAOIAIMD-00-32R Federal Information Security Weaknesses x Ordering Information , The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (comer of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please caU (202) 5126000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http Y/www.gao .gov PRINTED ON c’h& RECYCLED PAPER United States Bulk Mail General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GlOO Official Business Penalty for Private Use $300 , Address Correction Requested ,
Information Security: Weaknesses at 22 Agencies
Published by the Government Accountability Office on 1999-11-10.