oversight

USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure

Published by the Government Accountability Office on 1999-07-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                  United States General Accounting Office

GAO               Report to the Secretary of Agriculture




July 1999
                  USDA INFORMATION
                  SECURITY

                  Weaknesses at
                  National Finance
                  Center Increase Risk
                  of Fraud, Misuse, and
                  Improper Disclosure




GAO/AIMD-99-227
United States General Accounting Office                                                              Accounting and Information
Washington, D.C. 20548                                                                                    Management Division



                                    B-283156                                                                                          Letter

                                    July 30, 1999

                                    The Honorable Dan Glickman
                                    The Secretary of Agriculture

                                    Dear Mr. Secretary:

                                    We reviewed information system access controls1 over the financial
                                    information systems maintained by the Department of Agriculture (USDA)
                                    at its National Finance Center (NFC), which is located in New Orleans,
                                    Louisiana. Our work was done in cooperation with the USDA Office of
                                    Inspector General's internal control audit of NFC, which was part of its
                                    audit of USDA’s fiscal year 1998 consolidated financial statements.

                                    NFC develops and operates administrative and financial systems for USDA
                                    and other federal organizations under cross-servicing or franchising
                                    agreements. Access controls are critical to NFC's ability to safeguard
                                    assets and ensure the confidentiality and reliability of financial
                                    management information. Such controls, however, also affect the security
                                    and reliability of nonfinancial information, such as personnel information,
                                    maintained by NFC.

                                    Today, we are also issuing a report designated for “Limited Official Use,”
                                    which details weaknesses in access controls over NFC computer systems.
                                    This version of the report, which was excerpted for public release, provides
                                    a general summary of the weaknesses we identified and the
                                    recommendations we made. After we completed our fieldwork, the
                                    director of NFC provided us with updated information regarding corrective
                                    actions. However, these reported actions, which are noted in this report,
                                    will need to be verified to ensure that they are operating effectively.




                                    1
                                     Access controls are a component of information security designed to protect computer resources from
                                    unauthorized modification, loss, or disclosure. They include logical, system software, and physical
                                    controls. Logical controls prevent or detect unauthorized access to sensitive data and programs that are
                                    stored or transmitted electronically. Controls over access to and modification of system software are
                                    essential to protect the overall integrity and reliability of information systems. Physical controls limit
                                    access to computer facilities and associated resources.




                   Leter            Page 1                                                GAO/AIMD-99-227 NFC Information Security
                      B-283156




Results in Brief      Serious access control weaknesses affected NFC’s ability to prevent and/or
                      detect unauthorized changes to payroll and other payment data or
                      computer software, control electronic access to Thrift Savings Program
                      account information, and restrict physical access to sensitive computing
                      areas. These weaknesses increased the risk that users could cause
                      improper payments. In addition, sensitive information contained in NFC
                      systems, including financial transaction data and personnel information,
                      was vulnerable to inadvertent or deliberate misuse, fraudulent use,
                      improper disclosure, or destruction. Furthermore, NFC payroll processing
                      and other financial management operations were vulnerable to disruption
                      due to these weaknesses.

                      We found significant problems related to the center’s control and oversight
                      of access to its systems and the data maintained on these systems. NFC
                      was not adequately limiting the access of authorized users or controlling its
                      operating system software to prevent access controls from being
                      circumvented. For several years, the Office of Inspector General has
                      reported that access control procedures were weak. The access control
                      weaknesses we identified were further compounded because NFC was not
                      sufficiently protecting or overseeing access to its network. In addition, the
                      center was not providing adequate physical security for its computer
                      resources.

                      The access control weaknesses we found indicate that NFC’s computer
                      security planning and management program had not adequately ensured
                      that information system controls continued to work effectively. An
                      effective program would include guidance and procedures for assessing
                      risks, establishing appropriate policies and related controls, raising
                      awareness of prevailing risks and mitigating controls, and monitoring and
                      evaluating the effectiveness of established controls.

                      Importantly, NFC management has recognized the seriousness of the
                      weaknesses we identified and expressed its commitment to improving
                      information system controls. In commenting on this report, the director of
                      NFC agreed with our findings and recommendations. The director also
                      stated that NFC had corrected most of the information security
                      weaknesses we identified and planned actions to address remaining
                      weaknesses. In addition, NFC stated that it intends to strengthen its
                      computer security planning and management program to encompass the
                      best practices described in our May 1998 report. Addressing these issues




              Leter   Page 2                                 GAO/AIMD-99-227 NFC Information Security
                        B-283156




                        will help ensure that an effective computer security environment is
                        achieved and maintained.



Background              The National Finance Center develops and operates administrative and
                        financial systems, including payroll/personnel, administrative payments,
                        accounts receivable, property management, and accounting systems for
                        both USDA and more than 60 other federal organizations, including GAO,
                        under cross-servicing or franchising agreements. During fiscal year 1998,
                        NFC processed more than $19 billion in payroll payments for more than
                        450,000 employees from federal organizations including the Secret Service,
                        Internal Revenue Service, and Drug Enforcement Administration. The
                        center also serviced more than $1 billion in accounts receivable and
                        processed more than 450 million accounting transactions in fiscal year
                        1998.

                        NFC is also responsible for maintaining records for the world’s largest
                        401(k)-type program, the federal Thrift Savings Program. This program,
                        which is growing at about $1 billion per month, covers about 2.3 million
                        employees and totaled more than $60 billion as of September 30, 1998.

                        NFC is operated by USDA’s Office of the Chief Financial Officer (OCFO) in
                        New Orleans, Louisiana. The center relies on a nationwide
                        telecommunications network that links computer hardware at remote
                        locations to the NFC mainframe computers. Certain financial applications,
                        such as the Purchase Card Management System that manages around
                        $34 million in payments, are also processed on the network.



Objective, Scope, and   Our objective was to evaluate the design and test the operational
                        effectiveness of access controls over the financial systems maintained and
Methodology             operated by USDA at NFC. We evaluated controls intended to protect data
                        and application programs from unauthorized access. Specifically, we
                        reviewed

                        • the technical implementation of NFC’s security software and other
                          system software,
                        • network access controls, and
                        • physical access controls.




                        Page 3                                GAO/AIMD-99-227 NFC Information Security
B-283156




We restricted our evaluation at NFC to these controls because USDA's
Office of Inspector General planned to review the other information system
general controls2 as part of the fiscal year 1998 internal control audit of
NFC.

To evaluate access controls, we identified and reviewed NFC policies and
procedures related to access control, conducted tests and observations of
controls in operation, and held discussions with NFC staff to determine
whether access controls were in place, adequately designed, and operating
effectively. Our evaluation was based on the guidance provided in our
Federal Information System Controls Audit Manual (FISCAM)3 and the
results of our May 1998 study of security management best practices at
leading organizations.4 We performed our work from July 1998 through
February 1999 in accordance with generally accepted government auditing
standards.

After we completed our fieldwork, the director of NFC provided us with
updated information regarding corrective actions. However, these reported
corrective actions will need to be verified to ensure that they are operating
effectively.

USDA provided us with written comments on a draft of this report, which
are discussed in the “Agency Comments” section and reprinted in
appendix I.




2
 General controls affect the overall effectiveness and security of computer operations as opposed to
being unique to any specific computer application. They include security management, operating
procedures, software security features, and physical protection designed to ensure that access to data
and programs is appropriately restricted, only authorized changes are made to computer programs,
computer security duties are segregated, and backup and recovery plans are adequate to ensure the
continuity of essential operations.
3
 Federal Information System Controls Audit Manual, Volume I – Financial Statement Audits
(GAO/AIMD-12.19.6, January 1999).
4
  Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May
1998).




Page 4                                               GAO/AIMD-99-227 NFC Information Security
                            B-283156




Information in NFC          A basic management objective for any organization is to protect its data
                            from unauthorized access and prevent improper modification, disclosure,
Systems Was                 or deletion of financial and sensitive information. Our review of NFC's
Vulnerable to               access controls found that the center was not adequately protecting
                            financial and sensitive personnel information. Specifically, NFC had not
Unauthorized Access         appropriately limited access granted to authorized users, effectively
                            controlled its operating system software, sufficiently secured access to its
                            network, or adequately restricted physical access to its computer
                            resources. As a result, NFC's computer systems, programs, and data are at
                            risk of inadvertent or deliberate misuse, fraudulent use, unauthorized
                            alteration, or destruction possibly occurring without detection.

                            NFC management has recognized the weaknesses we identified and has
                            expressed its commitment to improving information system controls. We
                            have noted those instances where management has implemented
                            corrective actions or indicated that corrective actions are planned. A
                            summary of the weaknesses follows.


Access Authority Was Not    A key weakness in NFC's access controls was that the center had not
Appropriately Limited for   sufficiently restricted the access for authorized users. Organizations can
                            protect information from unauthorized changes or disclosures by granting
Authorized Users
                            employees authority to read or modify only those programs and data that
                            are necessary to perform their duties and periodically reviewing access
                            granted to ensure that it is appropriate. NFC, however, had not adequately
                            limited access to financial and sensitive personal information maintained
                            on its systems. We found several examples, detailed below, where NFC had
                            not sufficiently restricted access authority for legitimate users.

                            • Eighty-six user IDs had an access privilege that allows users to read and
                              alter any data stored on tape regardless of other security software
                              controls. These users included staff from the Accounting Systems
                              Branch, the Foundation Financial Information System Development
                              team, and the Financial Reporting team. As a result, these users have
                              access to all NFC tape files, including payroll files. Although this
                              privilege is generally required to process tapes received from external
                              organizations, it should be limited to one group, such as the tape library
                              group, that copies external tapes to the format required by NFC for
                              processing. In April 1999, the director of NFC told us that actions had
                              been taken to limit this access privilege to 20 technical employees, with
                              only 1 having the ability to update all tapes.



                            Page 5                                 GAO/AIMD-99-227 NFC Information Security
                           B-283156




                           • More than 60 mainframe user IDs enabled users to update a sensitive
                             system file that controlled certain access privileges and files containing
                             audit trail information. Allowing such broad access to these files
                             increases the risk that users could circumvent the security software and
                             alter or delete audit trail information. In April 1999, the director of NFC
                             told us that this access had been removed from all individuals.
                           • Sensitive system files on a network system were not adequately
                             protected from unauthorized users. These files could be exploited using
                             readily available “hacker” tools to gain access to this system, which
                             could lead to improper payments related to the Purchase Card
                             Management System.


System Software Controls   In addition to restricting user access authority, controls over access to and
Were Not Effective         modification of system software are also essential to protect the overall
                           integrity and reliability of information systems. System software controls
                           limit and monitor access to the powerful programs and sensitive files
                           associated with computer system operation. Generally, one set of system
                           software is used to support and control all of the applications that run on
                           the system. System software helps control and coordinate the input,
                           processing, output, and data storage associated with all of the applications
                           that run on the system. Some system software can change data and
                           program code on files without leaving an audit trail or can be used to
                           modify or delete audit trails. Examples of system software include the
                           operating system, system utilities, program library systems, file
                           maintenance software, security software, data communications systems,
                           and database management systems.

                           System software controls are important in providing reasonable assurance
                           that access controls are not compromised and that the system will not be
                           impaired. If controls in this area are not adequate, system software might
                           be used to bypass security controls or gain unauthorized privileges to
                           perform unauthorized actions or circumvent edits and other controls built
                           into application programs. We found that NFC was not properly controlling
                           system software to prevent access controls from being circumvented. Such
                           weaknesses diminish the reliability of information produced by all
                           applications supported by the computer system and increase the risk of
                           inadvertent or deliberate misuse, fraudulent use, improper disclosure, and
                           disruption.

                           We identified the following system software configuration weaknesses that
                           could allow users to bypass access controls and gain unauthorized access



                           Page 6                                 GAO/AIMD-99-227 NFC Information Security
B-283156




to financial and other sensitive information maintained at NFC or cause
system failures.

• A system software component that could be used to bypass security
  access controls and alter data, programs, and audit trail information was
  available to all users who could submit a program for batch processing.5
  As a result, all information, including payroll, personnel, and investment
  data, was at risk of unauthorized modification and deletion occurring
  without detection. NFC staff subsequently modified this component to
  prevent security controls from being circumvented.
• The system software that controls batch processing allowed any user
  with the ability to execute a batch program to also use any operator
  command without intervention. Allowing such broad access to operator
  commands that can turn off other components of the system software,
  such as the security software, or cause the system to stop increases the
  risk that operations could be severely disrupted. NFC staff restricted the
  ability to execute operator commands through batch programs within
  2 hours of our telling them about this problem.
• Versions of at least seven network system software programs with
  known vulnerabilities that could be exploited to gain unlimited access
  to the network had not been updated or disabled to prevent
  unauthorized access. These exposures could allow unauthorized users
  to obtain access privileges that would allow them to bypass security
  controls. In April 1999, the director of NFC told us that his staff had
  begun correcting these vulnerabilities and planned to complete this
  process by the end of July 1999.

In addition, NFC had not instituted a process to periodically review
programs in certain system software libraries, which are allowed to
perform sensitive functions that can be used to circumvent all security
controls and to identify and correct weaknesses. Until NFC begins actively
managing programs in sensitive system libraries, the center will not have
adequate assurance that mainframe security controls cannot be bypassed.
In April 1999, the director of NFC told us that the center had established a
process to monitor programs in sensitive system software libraries.




5
 Batch processing is a mode of computer operation in which transactions are accumulated over a
period of time and then processed at one time. Users do not interact with the system while their
programs are processing in batch mode.




Page 7                                              GAO/AIMD-99-227 NFC Information Security
                              B-283156




Network Security Was Not      The risks created by these access control problems were heightened
Sufficient                    because NFC was not sufficiently protecting access to its network.
                              Specifically, NFC had not adequately managed user identifications (ID) and
                              passwords, controlled access to its systems from remote locations, or
                              monitored system activity. Thus, sensitive financial information processed
                              on the network, including the Purchase Card Management System
                              payments, is at increased risk of unauthorized modification or disclosure
                              occurring without detection. Because of NFC’s interconnected
                              environment, these network control weaknesses also increase the risk of
                              unauthorized access to financial and other sensitive information, such as
                              payroll, personnel, and investment data, maintained on the NFC mainframe
                              computer.

Network Password Management   It is important to actively manage user IDs and passwords to ensure that
Controls Were Not Effective   users can be identified and authenticated. To accomplish this objective,
                              organizations should establish controls to maintain individual
                              accountability and protect the confidentiality of passwords. These controls
                              should include requirements to ensure that IDs uniquely identify users;
                              passwords are changed periodically, contain a specified number of
                              characters, and are not common words; default IDs and passwords are
                              changed to prevent their use; and the number of invalid password attempts
                              is limited to preclude password guessing. Organizations should also
                              evaluate these controls periodically to ensure that they are operating
                              effectively. At NFC, however, network user IDs and passwords were not
                              being effectively managed to ensure individual accountability and reduce
                              the risk of unauthorized access.

                              We found several weaknesses relating to network password management.

                              • Seventy-six network IDs did not require passwords, which makes them
                                more susceptible to misuse because user authentication is not required.
                                More than 50 of these IDs were especially vulnerable because the
                                account identifiers were common words, software product names, or
                                derivations of words or products that could be easily guessed. In April
                                1999, the director of NFC told us that a password is now required for all
                                user IDs.
                              • Seventy-seven network IDs were allowed to reuse the same password,
                                which enables these IDs to circumvent password change requirements.
                                This increases the risk that a password could be discovered and used to
                                obtain improper access to the NFC system. In April 1999, the director of




                              Page 8                                GAO/AIMD-99-227 NFC Information Security
                        B-283156




                          NFC told us that all user IDs are now required to have a unique
                          password.
                        • Sixteen network IDs were not disabled after a specified number of
                          invalid password attempts. Allowing unlimited attempts to guess
                          passwords increases the risk of unauthorized access to the NFC
                          network and the financial information processed on the network. In
                          April 1999, the director of NFC told us that these accounts are now
                          disabled after five unsuccessful attempts are made to access them using
                          invalid passwords.

Remote Access Was Not   Organizations must also control access to computer resources from remote
Adequately Controlled   locations to protect sensitive information from improper modification,
                        disclosure, or destruction by outside hackers. Because allowing dial-in
                        connections from remote locations significantly increases the risk of
                        unauthorized access, such access should be limited, justified, approved,
                        and periodically reviewed. Organizations should also control all modems6
                        and telephone lines centrally, establish controls to verify that dial-in
                        connections are authorized, and test for unauthorized modems. We found
                        that NFC could not ensure that dial-in access was adequately secured.
                        These weaknesses, along with the user ID and password problems
                        described above, significantly increase the risk that unauthorized users
                        could gain access to the NFC network.

                        NFC had drafted a network and personal computer security policy that
                        acknowledged that dial-in access to a network or personal computer could
                        subject critical applications and mainframe systems to unauthorized
                        modification, deletion, and disclosure, and required dial-in access to be
                        secured through passwords or dial-back7 features. However, the security
                        group was not involved in approving modem usage at NFC. In addition,
                        although NFC planned to centralize control of dial-in access to minimize
                        individual modems, only 16 of the 230 modems were controlled through a
                        central system where user authentication was assured. NFC did not have
                        procedures in place to ensure that dial-in access was adequately protected
                        for the remaining 214 modems. Furthermore, NFC did not have a process in



                        6
                         A modem is a device that allows digital signals to be transmitted and received over analog telephone
                        lines.
                        7
                         A dial-back system requires a user initiating a call to a network or workstation to provide a confidential
                        code. The system then terminates the call and dials back to a previously specified location to complete
                        the dial-in connection.




                        Page 9                                                 GAO/AIMD-99-227 NFC Information Security
                              B-283156




                              place to periodically reassess dial-in access to ensure that it was still
                              required.

                              In April 1999, the director of NFC told us that his staff would remove all
                              individual modems and provide dial-in access through a secured modem
                              pool. The director also stated that formal guidance on modem usage would
                              be included in the NFC network security policy, which is scheduled to be
                              issued later in 1999.

Network Security Monitoring   The risks created by these network access control problems were
Program Was Not Effective     exacerbated because NFC did not have a proactive network monitoring
                              program. Such a program would require NFC to promptly identify and
                              investigate unusual or suspicious network activity indicative of malicious,
                              unauthorized, or improper activity, such as repeated failed attempts to log
                              on to the network, attempts to identify systems and services on the
                              network, connections to the network from unauthorized locations, and
                              efforts to overload the network to disrupt operations. Network monitoring
                              programs should also include provisions for logging and regularly
                              reviewing network access activities. Without these controls, NFC has little
                              assurance that unauthorized access to systems on its network would be
                              detected in time to prevent or minimize damage.

                              Although NFC had begun planning for a network monitoring program, it
                              had not implemented a network intrusion detection system capable of
                              detecting attacks on a real-time basis. Such a system would require NFC to
                              identify suspicious access patterns and set up the intrusion detection
                              system to automatically log unusual activity, provide necessary alerts, and
                              terminate sessions when necessary.

                              Also, NFC could not ensure that network attacks would be detected
                              because the center was not monitoring network access activity. Although
                              the draft local area network and personal computer security policy
                              described procedures for event logging and audit trails, this policy did not
                              include requirements for logging access to sensitive data and resources or
                              reviewing access to these resources for unusual or suspicious activity.
                              Furthermore, despite the requirements in the draft policy, NFC was not
                              logging security events on its main operational network even though this is
                              the primary means of identifying unauthorized users or unauthorized usage
                              of the system by authorized users.

                              In April 1999, the director of NFC told us that his staff plan to implement a
                              comprehensive network intrusion detection program by the end of July



                              Page 10                                  GAO/AIMD-99-227 NFC Information Security
                             B-283156




                             1999. The director also stated that security logging and monitoring policies
                             and practices would be established in the network security policy, which is
                             scheduled for issue later in 1999.


Physical Security Controls   Physical controls are also important for protecting access to computer
Were Not Adequate            facilities and resources from espionage, sabotage, damage, and theft. These
                             controls involve restricting physical access to computer resources, usually
                             by limiting access to the buildings and rooms where these resources are
                             stored. At NFC, physical access control measures, such as locks, guards,
                             badges, and alarms, (used alone or in combination), are critical to
                             safeguarding critical financial and sensitive personnel information and
                             computer operations from internal and external threats. However, NFC had
                             not adequately controlled access to computer resources.

                             We found that more than 120 people, including maintenance and
                             nontechnical support staff, had access to the computer room and tape
                             library. At NFC, this unnecessary access not only increased the risk of
                             inadvertent or deliberate damage to computer resources, but also
                             heightened the risk of unauthorized changes to data stored on tape. In April
                             1999, NFC management told us that the center had eliminated unrestricted
                             access to the computer room and tape library for maintenance and
                             nontechnical support staff, who are now admitted by authorized staff
                             members when access is required.

                             We also determined that physical access to a console, which could be used
                             to issue sensitive operator commands, had not been restricted.
                             Consequently, anyone could use this console to issue commands that
                             would disable security access checking or cause the system to fail.
                             Allowing unrestricted access to this console increases the risk of
                             unauthorized access to NFC systems and disruptions in service. In April
                             1999, the director of NFC told us that constructing a separate room for this
                             console is cost prohibitive; therefore, his staff plans to replace the terminal
                             that provides these functions with a personal computer that will be
                             password protected.




                             Page 11                                 GAO/AIMD-99-227 NFC Information Security
                     B-283156




Computer Security    Our May 1998 study of security management best practices pointed out that
                     a comprehensive computer security planning and management program is
Planning and         essential to ensure that information system controls continue to work
Management Program   effectively. However, the access control weaknesses we identified indicate
                     that NFC’s computer security planning and management program had not
Was Not Adequate     ensured that effective controls were established and maintained. The
                     USDA Office of Inspector General has also reported since 1996 that access
                     controls to prevent unauthorized access to or modification of sensitive data
                     at NFC were weak. In addition, USDA began reporting inadequate
                     computer security and application controls at NFC as a material weakness
                     in its Federal Managers’ Financial Integrity Act8 report in 1998.

                     We found weaknesses in the design of NFC’s computer security planning
                     and management program. Under an effective computer security planning
                     and management program, staff (1) periodically assess risks, (2) implement
                     comprehensive policies and procedures, (3) promote awareness of
                     prevailing risks and mitigating controls, and (4) monitor and evaluate the
                     effectiveness of established controls. In addition, a central security staff is
                     important for providing guidance and oversight for the computer security
                     planning and management program to ensure an effective information
                     system control environment. We found that NFC had not instituted a
                     sufficient framework for managing information system controls or
                     monitoring their effectiveness on an ongoing basis.

                     One key aspect of effective security planning and management is
                     establishing appropriate policies and procedures governing a complete
                     computer security program. Such policies and procedures should integrate
                     all security aspects of an organization’s interconnected environment,
                     including network and mainframe security. The integration of network and
                     mainframe security is particularly important as computer systems become
                     more and more interconnected. However, we found that NFC had not
                     finalized its network security policy, which was drafted in 1996 and did not
                     include provisions for an intrusion detection system. Furthermore, the
                     USDA Office of Inspector General reported in March 1998 that NFC
                     policies and procedures relating to physical security were not sufficient. In
                     April 1999, the director of NFC told us that his staff was updating its draft
                     Network and Personal Computer Security Policy to address the current


                     8
                      The Federal Managers’ Financial Integrity Act of 1982 requires agencies to establish controls that
                     reasonably ensure that assets are safeguarded against waste, loss, or unauthorized use.




                     Page 12                                              GAO/AIMD-99-227 NFC Information Security
              B-283156




              network architecture and environment and plan to issue the updated policy
              later in 1999.

              In addition, NFC had not established a comprehensive program to evaluate
              the effectiveness of controls and compliance with established security
              policies and procedures. For example, we found that NFC did not have a
              network self-assessment program in place even though the network
              security environment is a dynamic one. Although NFC had performed some
              self-assessments in the beginning of 1998 to identify network security
              vulnerabilities, the program had not been formalized to ensure periodic
              self-assessments. Consequently, these self-assessments ceased when the
              staff member who had been performing them left NFC. We also found that
              certain policies and procedures were not being followed. For example, we
              found that certain NFC systems did not present an adequate warning to
              discourage unauthorized use on the initial screen because the warning
              required by NFC Directive 70 was not used on all systems.

              In July 1999, NFC management told us that the center had installed
              software and implemented a network self-assessment program. The
              director also told us, in April 1999, that the Network and Personal
              Computer Security Policy, which is scheduled for release later in 1999,
              would define an adequate and consistent warning banner to be used on
              initial screens.



Conclusions   Access controls are critical to NFC's ability to ensure the reliability of
              financial management information and maintain confidentiality of sensitive
              information. However, NFC's access control problems placed sensitive
              personnel information at risk of disclosure, critical financial operations at
              risk of disruption, and assets at risk of loss. The access control weaknesses
              we identified could have also adversely affected other agencies that depend
              on NFC for computer processing support.

              Implementing more effective and lasting controls that protect payments
              and sensitive personnel information and maintain an effective general
              computer control environment requires that NFC establish a
              comprehensive computer security planning and management program.
              This program should provide for periodically assessing risks, implementing
              effective controls for restricting access based on job requirements and
              proactively reviewing access activities, communicating the established
              policies and controls to those who are responsible for their
              implementation, and, perhaps most important, monitoring and evaluating



              Page 13                                GAO/AIMD-99-227 NFC Information Security
                  B-283156




                  the effectiveness of policies and controls to ensure that they remain
                  appropriate and accomplish their intended purpose.

                  NFC management has recognized the weaknesses we identified and has
                  expressed its commitment to improving information system controls.



Recommendations   We recommend that the Secretary of Agriculture direct the Chief Financial
                  Officer to take the following actions.

                  • Correct the specific access control weaknesses we identified and
                    communicated to NFC management during our testing. These
                    weaknesses are summarized in this report and detailed in a separate
                    report, which is designated for “Limited Official Use,” also issued today.
                  • Ensure that an effective entitywide security planning and management
                    program, as described in our May 1998 study of security management
                    best practices, is in place at NFC. Such a program would include
                    • assessing risks periodically to determine needs and select
                       cost-effective policies and related controls,
                    • implementing policies and controls that are based on risk,
                    • communicating the policies and controls, as well as the risks that
                       prompted their adoption, to those responsible for complying with
                       them,
                    • evaluating the effectiveness of policies and related controls, and
                    • establishing a central security management focal point to ensure that
                       major elements of the security planning and management program
                       are carried out and provide a communications link among
                       organizational units.



Agency Comments   In commenting on a draft of this report, NFC agreed with our findings and
                  recommendations. NFC stated that it had corrected most of the
                  information security weaknesses we identified and planned actions to
                  address remaining weaknesses. In addition, NFC stated that it intends to
                  strengthen its computer security planning and management program to
                  encompass the best practices described in our May 1998 report.


                  This report contains recommendations to you. The head of a federal agency
                  is required by 31 U.S.C. 720 to submit a written statement on actions taken
                  on these recommendations to the Senate Committee on Governmental



                  Page 14                                GAO/AIMD-99-227 NFC Information Security
B-283156




Affairs and the House Committee on Government Reform and Oversight
not later than 60 days after the date of this report. A written statement also
must be sent to the House and Senate Committees on Appropriations with
the agency's first request for appropriations made more than 60 days after
the date of this report.

We are sending copies of this report to Senator Fred Thompson, Senator
Joseph Lieberman, Representative Dan Burton, Representative Larry
Combest, Representative John R. Kasich, Representative John M. Spratt,
Jr., Representative Charles W. Stenholm, and Representative Henry A.
Waxman in their capacities as Chairmen or Ranking Minority Members of
Senate and House Committees and the Honorable Jacob J. Lew, Director of
the Office of Management and Budget. Copies will also be made available
to others upon request.

Please contact me at (202) 512-3317 if you or your staff have any questions
concerning this report. Key contributors to this report are listed in
appendix II.

Sincerely yours,




Robert F. Dacey
Director, Consolidated Audit and Computer Security Issues




Page 15                                 GAO/AIMD-99-227 NFC Information Security
Appendix I

Comments From the Department of
Agriculture                                                       Appenx
                                                                       Idi




             Page 16       GAO/AIMD-99-227 NFC Information Security
Appendix II

GAO Contacts and Staff Acknowledgements                                                              AppenIx
                                                                                                           di




GAO Contacts         Carol A. Langelier, (202) 512-5079
                     Edward M. Glagola, Jr., (202) 512-6270
                     Lon C. Chin, (202) 512-2842



Acknowledgements     In addition to those named above, Debra M. Conner, Vernon L. Conyers, Jr.,
                     Shannon Q. Cross, Walter P. Opaska, and Christopher J. Warweg made key
                     contributions to this report.




(919386)      Lert   Page 17                                  GAO/AIMD-99-227 NFC Information Security
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested