Information Security: Improvements Needed in Treasury's Security Management Program

Published by the Government Accountability Office on 2003-11-14.

United States General Accounting Office

GAO
Report to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, House of Representatives

November 2003

INFORMATION SECURITY
Improvements Needed in Treasury’s Security Management Program

GAO-04-77
November 2003

INFORMATION SECURITY
Improvements Needed in Treasury's Security Management Program

Highlights of GAO-04-77, a report to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform

The Department of the Treasury relies heavily on information systems—and on the public’s trust in its work. Information security is therefore critical to Treasury operations. In support of its annual audit of the government’s financial statements, GAO assessed the effectiveness of (1) Treasury’s information security controls in protecting the confidentiality, integrity, and availability of the department’s systems and data and (2) Treasury’s implementation of its departmentwide information security program.

In assessing the adequacy of Treasury’s information security program, GAO focused on the effectiveness of its departmentwide policies and processes, rather than on bureau-specific directives and guidance.

The Department of the Treasury and its key bureaus have not consistently implemented information security controls to protect the confidentiality, integrity, and availability of their information systems and data. Several bureaus have reported effective controls over their systems. However, long-standing information security weaknesses in access and software change controls, segregation of duties, and service continuity have been consistently identified at certain key Treasury bureaus, such as IRS and the Financial Management Service. Weaknesses at these bureaus place the sensitive information managed by the bureaus at increased risk of unauthorized access, use, disclosure, disruption, modification, or destruction. Moreover, bureaus have not consistently implemented key information security requirements. An analysis of performance data for the 11 Treasury bureaus that reported on these requirements for fiscal years 2002 and 2003 reveals that most Treasury systems did not meet certain key information security requirements in fiscal year 2003 and that the percentage of systems that meet certain requirements has decreased from fiscal year 2002 (see chart).

The information security weaknesses and inconsistent implementation of security controls at Treasury bureaus exist, in part, because Treasury’s departmentwide security program, while evolving, has not yet been fully institutionalized across the entire department. During fiscal year 2003, Treasury launched or expanded several initiatives to implement key elements of its program. However, additional actions are needed to effectively and consistently implement information security controls throughout the department.

[Chart: Percentage of Treasury Systems Meeting Certain Information Security Requirements]

GAO recommends that the Secretary of the Treasury direct the chief information officer to take specific actions to implement a more effective departmentwide information security program and improve management oversight of Treasury’s operating bureaus.

Treasury’s chief information officer, responding on behalf of the department, concurred with our assessment and recommendations.

www.gao.gov/cgi-bin/getrpt?GAO-04-77.

To view the full product, including the scope and methodology, click on the link above. For more information, contact Robert F. Dacey at (202) 512-3317 or daceyr@gao.gov.
Contents

Letter                                                                                           1
    Results in Brief                                                                             1
    Background                                                                                   2
    Objectives, Scope, and Methodology                                                           6
    Implementation of Information Security Controls Has Been Inconsistent                        7
    Treasury Has Begun to Implement Key Elements of a Departmentwide Information Security
      Program, but Challenges Remain                                                            20
    Conclusions                                                                                 26
    Recommendations for Executive Action                                                        26
    Agency Comments                                                                             26

Appendix I    Comments from the Department of the Treasury                                      28

Related GAO Products                                                                            29

Table
    Table 1: Analysis of BPD’s Prior Year Weaknesses                                             9

Figures
    Figure 1: Percentage of Systems with Risk Assessments during Fiscal Year 2003               15
    Figure 2: Percentage of Systems with Up-to-Date Security Plans during Fiscal Year 2003      16
    Figure 3: Percentage of Systems Certified and Accredited for Fiscal Year 2003               17
    Figure 4: Percentage of Systems with Security Controls Tested in Fiscal Year 2003           18
    Figure 5: Percentage of Systems with Tested Contingency Plans                               19
    Figure 6: Percentage of Treasury Systems Meeting Certain Information Security Requirements  23




                       Page i                                 GAO-04-77 Treasury Information Security
Abbreviations

BPD               Bureau of the Public Debt
CIO               chief information officer
FISMA             Federal Information Security Management Act
FMS               Financial Management Service
GISRA             Government Information Security Reform Act
IRS               Internal Revenue Service
NIST              National Institute of Standards and Technology
OIG               Office of the Inspector General
OMB               Office of Management and Budget
POA&M             plan of action and milestones
TIGTA             Treasury Inspector General for Tax Administration




This is a work of the U.S. government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. However, because this work may contain copyrighted images or
other material, permission from the copyright holder may be necessary if you wish to
reproduce this material separately.




United States General Accounting Office
Washington, DC 20548




November 14, 2003

The Honorable Adam H. Putnam
Chairman
The Honorable William Lacy Clay, Jr.
Ranking Minority Member
Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Committee on Government Reform
House of Representatives

Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where maintaining the public’s trust is essential. Federal agencies face increasing security risks from viruses, hackers, and others who seek to disrupt federal operations or obtain sensitive information stored in federal computers.

The Department of the Treasury, which collects and maintains a significant amount of sensitive information, needs effective security controls to prevent the improper disclosure, manipulation, or destruction of this information. This report presents the results of our evaluation of the effectiveness of Treasury information security controls at key bureaus and its implementation of a departmentwide information security program. In response to your request, we are addressing this report to you.

Results in Brief

Treasury and its key bureaus have been inconsistent in implementing information security controls to protect the confidentiality, integrity, and availability of their systems and data. Several Treasury bureaus have reported effective controls that help to secure and protect their information systems and data. However, long-standing weaknesses in information security controls (including logical access controls, physical security, software change controls, segregation of duties, and service continuity) at key bureaus have reduced these bureaus’ effectiveness in preventing and detecting unauthorized access to sensitive systems and data, protecting and controlling physical access to assets, mitigating the risk of unauthorized or inappropriate software programs, minimizing the risk of errors or fraud, and ensuring the continuity of data processing operations when unexpected interruptions occur. In addition, Treasury bureaus have not consistently performed required information security activities. These weaknesses expose Treasury to increased risks of unauthorized disclosure and modification of data and disruption of service that threaten the confidentiality, integrity, and availability of its sensitive systems and data.

The information security weaknesses and inconsistent security practices identified at the bureaus exist, in part, because Treasury’s departmentwide security program, while evolving, is not yet fully institutionalized across the entire department. Prior to fiscal year 2003, Treasury had not provided adequate direction and oversight to ensure that the bureaus fully or consistently implemented effective information security controls. During fiscal year 2003, Treasury launched or expanded several initiatives that were designed to promote the implementation of key elements of its departmental information security program. Although Treasury has made progress implementing these initiatives, it remains challenged to effectively and consistently implement security controls across the department. The effects of a major reorganization on departmental information technology security staffing, the lack of a designated senior agency information security official, and issues relating to the reliability and completeness of performance management data contribute to the challenges confronting Treasury as it endeavors to improve the security of its information systems and data. Until Treasury can fully implement its departmentwide program and adequately mitigate known weaknesses, increased risk exists that individuals could gain unauthorized access to critical hardware and software, and intentionally or inadvertently use, disclose, disrupt, modify, or destroy sensitive data or computer programs.

We are making recommendations to the Secretary of the Treasury that address these issues. In providing written comments on a draft of this report, the Treasury chief information officer responded on behalf of the department and concurred with our assessment and recommendations, and provided technical comments that were incorporated into the report as appropriate.


Background

The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. Without proper safeguards, these factors also pose enormous risks that make it easier for individuals and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.
Protecting the computer systems that support critical operations and
infrastructures has never been more important because of concerns about
attacks from individuals and groups with such malicious intent, including
terrorists. These concerns are well founded for a number of reasons,
including the dramatic increase in reported computer security incidents,
the ease of obtaining and using hacking tools, the steady advance in the
sophistication and effectiveness of attack technology, and the dire
warnings of new and more destructive cyber attacks to come.

Computer-supported federal operations are likewise at risk. Our previous reports, and those of agency inspectors general, describe persistent computer security weaknesses that place a variety of critical federal operations, including those at Treasury, at risk of disruption, fraud, and inappropriate disclosure.1 This body of audit evidence led us, in 1997, to designate computer security as a governmentwide high-risk area in reports to the Congress.2 It remains so today.3

How well federal agencies are addressing these risks is a topic of increasing interest in both the Congress and the executive branch. This is evidenced by recent hearings on information security4 and recent legislation intended to strengthen it—the Federal Information Security Management Act (FISMA) and the Government Information Security Reform (GISRA) provisions of the Fiscal Year 2001 National Defense Authorization Act.5 In addition, the administration has taken important actions to improve information security, such as integrating information security into the President’s Management Agenda Scorecard. Moreover, the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued security guidance to agencies.

1 U.S. General Accounting Office, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies, GAO/AIMD-00-295 (Washington, D.C.: Sept. 6, 2000).
2 U.S. General Accounting Office, High-Risk Series: Information Management and Technology, GAO/HR-97-9 (Washington, D.C.: February 1997).
3 U.S. General Accounting Office, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).
4 U.S. General Accounting Office, Information Security: Continued Efforts Needed to Fully Implement Statutory Requirements, GAO-03-852T (Washington, D.C.: June 24, 2003); Information Security: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, GAO-03-564T (Washington, D.C.: Apr. 8, 2003); Computer Security: Progress Made, But Critical Federal Operations and Assets Remain at Risk, GAO-03-303T (Washington, D.C.: Nov. 19, 2002).
5 Federal Information Security Management Act (FISMA), Title III, Public Law 107-347, Dec. 17, 2002, and the Government Information Security Reform provisions (commonly referred to as GISRA) of the Fiscal Year 2001 National Defense Authorization Act, Division A, Title X, Subtitle G, Public Law 106-398, Oct. 30, 2000.


Treasury Helps Promote the Nation’s Economy and Manages Federal Finances

The Department of the Treasury is responsible for promoting prosperous and stable domestic and international economies, managing the government’s finances, and safeguarding federal financial systems. Treasury is organized into two major components—departmental offices and operating bureaus. The departmental offices are primarily responsible for formulating policy and managing the department as a whole, while the operating bureaus carry out the specific functions of the department. The basic functions of the department include

•   managing federal finances;
•   collecting taxes and monies due to the U.S. and making most of the payments of the U.S. government;
•   producing all postage stamps, currency, and coinage;
•   managing government accounts and the public debt;
•   supervising national banks and thrift institutions;
•   advising on domestic and international financial, monetary, economic, trade, and tax policy;
•   enforcing federal finance and tax laws; and
•   investigating and prosecuting tax evaders.

In fiscal year 2003, Treasury experienced significant organizational changes. The Homeland Security Act of 20026 (signed by the President on November 25, 2002) called for several Treasury bureaus or elements to be transferred to the newly formed Department of Homeland Security and to the Department of Justice. On January 24, 2003, the Bureau of Alcohol, Tobacco, and Firearms’ law enforcement function moved to Justice. The tax and trade functions of the bureau remained with Treasury under the newly formed Alcohol and Tobacco Tax and Trade Bureau. On March 1, 2003, three Treasury bureaus moved to Homeland Security: the Federal Law Enforcement Training Center, the U.S. Customs Service, and the U.S. Secret Service. The reorganized department had a fiscal year 2003 budget of $10.7 billion and a staff of about 115,000. Staff located at the bureaus makes up about 97 percent of the Treasury work force.

6 Public Law 107-296.

To support the department’s overall mission, Treasury and its key bureaus,
including the Internal Revenue Service (IRS)—by far the largest; Financial
Management Service (FMS); U.S. Mint; and the Bureau of the Public Debt
(BPD), have diverse functions. For example, IRS is responsible for
determining, assessing, and collecting internal revenue in the United
States. It collects taxes, processes tax returns, and enforces the nation’s
tax laws. In fiscal year 2003, IRS processed about 130 million7 individual
tax returns, accounted for almost $2 trillion in collections, and paid about
$300 billion in refunds to taxpayers. FMS receives and disburses public
monies, maintains government accounts, and prepares reports on the
status of government finances. As the government’s financial manager,
FMS disbursed more than $1.6 trillion in fiscal year 2003. BPD borrows the
money needed to finance the federal government and administers the
public debt through Treasury financial instruments. It is responsible for
ensuring that reliable systems and processes are in place for purchasing
and servicing Treasury securities. In fiscal year 2003, BPD conducted
about 200 auctions and issued about $4 trillion in marketable securities.

Treasury and its bureaus rely heavily on information management systems
to fulfill their many financial management stewardship roles and
responsibilities for the nation. The bureaus have distinct, numerous, and
complex information systems to process, store, and secure highly sensitive
data. Treasury and its bureaus report in fiscal year 2003 that they have 708
distinct information systems supporting their operations. A centralized
data communications network and management system interconnects
networks and systems at the bureaus and departmental offices.

FISMA provides that the Secretary of the Treasury is responsible for, among other things, (1) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the agency’s information systems and information; (2) ensuring that senior agency officials provide information security for the information and information systems that support the operations and assets under their control; and (3) delegating to the agency chief information officer (CIO) the authority to ensure compliance with the requirements imposed on the agency under the act. Treasury’s CIO is responsible for developing and maintaining a departmentwide information security program; developing and maintaining information security policies, procedures, and control techniques that address all applicable requirements; and assisting senior agency officials concerning their responsibilities under the act. In addition, the CIO provides oversight, strategic management, and policy direction on all information security programs within Treasury. The Office of Security Compliance within the Office of the CIO is responsible for developing departmentwide information security policies and ensuring bureau implementation. Each bureau is responsible for implementing Treasury-mandated security policies within its domain. In order to implement departmentwide security policies, the bureaus are required to develop their own information security programs, including their own security compliance functions.

7 As of August 31, 2003.


Objectives, Scope, and Methodology

Our objectives were to (1) determine whether Treasury and its key bureaus have effectively implemented information security controls to protect the confidentiality, integrity, and availability of their systems and data and (2) determine whether Treasury has effectively implemented its departmentwide information security program.

To determine the effectiveness of the information security controls implemented at Treasury and its bureaus, we considered the results of prior information security reviews that we performed at IRS, BPD, and FMS. We also examined and analyzed the contents of audit reports and associated work papers for information security and internal control8 reviews performed by the Treasury Office of the Inspector General (OIG) or independent auditors in connection with their audits of the bureaus’ financial statements. In addition, we reviewed the department’s performance and accountability reports to document Treasury’s information security-related weaknesses.

To assess Treasury’s departmentwide information security program, we

•   reviewed and evaluated the department’s information security policies in effect at the time of our review;
•   analyzed data presented in Treasury’s GISRA report for fiscal year 2002 and FISMA report for fiscal year 2003;9
•   examined and assessed reports and other documents related to the department’s information security program; and
•   interviewed Treasury officials regarding their processes and procedures for overseeing, monitoring, evaluating, and reporting on the implementation of information security across the department.

Our review was performed at Treasury headquarters and our headquarters in Washington, D.C., from March through October 2003, in accordance with generally accepted government auditing standards.

8 A review of an entity’s internal controls includes a review of the information security controls—general controls and application controls—that protect an organization’s computer environment.


Implementation of Information Security Controls Has Been Inconsistent

The effective implementation of appropriate, properly designed security controls is an essential element for ensuring the confidentiality, integrity, and availability of information systems and information. Weak security controls can expose information systems and information to an increased risk of unauthorized access, use, disclosure, disruption, modification, and destruction.

Treasury’s bureaus have not consistently implemented effective information security programs and resolved known information security control weaknesses. Some bureaus have consistently reported implementing effective controls over their information systems and/or limiting the negative effect control weaknesses could have on the preparation of financial statements and internal controls. Other key Treasury bureaus, including IRS and FMS, have reported long-standing weaknesses in information security controls and continued to report significant weaknesses in fiscal year 2002. As a result of the weaknesses and inconsistencies in the overall implementation of the bureaus’ information security programs, the Treasury OIG designated information security as a departmentwide material weakness10 in its fiscal year 2002 financial audit report.

9 GISRA expired Nov. 29, 2002. Effective Dec. 17, 2002, FISMA replaced GISRA with similar, but strengthened, provisions.


Several Bureaus Have      Several Treasury bureaus have consistently implemented effective
Effectively Implemented   information security controls over their computing environments and/or
Controls                  implemented compensating controls to correct or mitigate the weaknesses
                          identified during previous audits. For example, the external auditors for
                          the Office of Thrift Supervision, the Office of the Comptroller of the
                          Currency, and the Bureau of Engraving and Printing have not reported
                          significant information security control weaknesses. BPD has also
                          consistently implemented internal control over its financial systems. Since
                          1997 we have reviewed the general and application controls over key BPD
                          systems as part of our audit of the Schedule of Federal Debt managed by
                          BPD. We found that, although security over its computer systems and
                          service continuity controls needed strengthening, BPD maintained, in all
                          material respects, effective internal control, including general and
                          application computer controls, related to reporting reliable financial
                          information on the Schedule of Federal Debt.

                          In instances in which information security improvements were needed,
                          BPD management has been responsive in taking corrective action or in
                          implementing compensating controls to mitigate the weaknesses identified
                          during our reviews. As the following table indicates, our subsequent audits
                          have found that, as of May 2003, BPD had taken action to correct or
                          mitigate a substantial percentage of the security weaknesses reported
                          during the prior year’s audit.




[10] A material weakness is a condition that precludes the agency’s internal controls from providing reasonable assurance that material misstatements in the financial statements would be prevented or detected on a timely basis.




Table 1: Analysis of BPD’s Prior Year Weaknesses

Fiscal year audited    Weaknesses from prior year    Weaknesses resolved (number)    Weaknesses resolved (percentage)
2002                   17                            12                              71
2001                   13                             8                              62
2000                   17                            16                              94
Total/Average          47                            36                              77

Source: GAO.



Key Bureaus Have Ineffective Security Controls

Strengthening information systems controls at other bureaus is one of the management challenges currently facing the Department of the Treasury. In fiscal year 2002, significant information security weaknesses existed in the computer systems used at key Treasury bureaus to process sensitive information and data needed to accomplish Treasury’s mission. Weaknesses span all six general control audit areas addressed in our information security audit methodology.[11] These six areas are (1) security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented; (2) access controls, which ensure that only authorized individuals can read, alter, or delete data; (3) software development and change controls, which ensure that only authorized software programs are implemented; (4) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (5) operating systems controls, which protect sensitive programs that support multiple applications from tampering and misuse; and (6) service continuity, which ensures that computer-dependent operations experience no significant disruptions. We identified information systems security as a major challenge for Treasury in our 2003 performance and accountability report on the department.[12] The following examples highlight the serious information security weaknesses that existed at Treasury’s key bureaus.




[11] U.S. General Accounting Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[12] U.S. General Accounting Office, Major Management Challenges and Program Risks: Department of the Treasury, GAO-03-109 (Washington, D.C.: January 2003).




Internal Revenue Service

Since 1992,[13] we have reviewed the effectiveness of IRS information security in connection with our annual audit of IRS’s financial statements and conducted information security reviews over IRS’s computing facilities and electronic filing systems at the request of the Congress. The results of these reviews have led us each year to designate information security as a material weakness. During the 3-year period ending July 31, 2002, we conducted 14 information security reviews at 11 IRS tax processing facilities nationwide. These reviews identified 765 specific general control weaknesses and demonstrate the departmentwide challenge IRS and Treasury face in addressing information security. In addition, we conducted 5 application control reviews and reported 112 application control weaknesses during this same period. While the majority of general control weaknesses identified fell in the area of logical access controls, weaknesses in physical security, software change controls, segregation of duties, and service continuity also posed significant risk to IRS systems and taxpayer information, as the following illustrates:

• Inadequate logical access controls diminished the reliability of IRS’s computerized data and increased the risk of unauthorized disclosure, modification, and use of sensitive systems and taxpayer data. Logical access controls at IRS facilities did not effectively prevent, limit, or detect access to computing resources. IRS did not adequately control user accounts and passwords to ensure that only authorized individuals were allowed access to computer systems. Inactive and unused user system accounts were found at all 11 IRS computing facilities reviewed. In addition, IRS inappropriately granted powerful operating system privileges to users who did not need them and granted users access to certain system files for which they had no business need. Further, inadequate controls over network services and devices were found that could allow intruders to gain unauthorized access to valuable information about IRS systems without logging on to the systems.

• Physical security control weaknesses, such as inadequate physical barriers and ineffective screening of visitors, contributed to weakening the perimeter security at several IRS facilities. As a result, increased risk exists that individuals could gain unauthorized access to facility grounds, buildings, sensitive computing resources, and taxpayer data, without detection.


[13] U.S. General Accounting Office, Financial Audit: Examination of IRS’s Fiscal Year 1992 Financial Statements, GAO/AIMD-93-2 (Washington, D.C.: June 30, 1993).




• Software change control procedures at two facilities did not provide sufficient control mechanisms to ensure that the facilities received all authorized program updates. In addition, software developer accounts and/or development tools were allowed on production servers at five facilities, which increases the risk that individuals could make unauthorized modifications to production software on these servers.

• Inadequate segregation of duties was also an issue, as IRS did not consistently separate incompatible computer-related activities among individuals performing system administration and security administration duties at its computing facilities. In addition, IRS assigned incompatible operating system privileges to users, such as granting auditing privileges to system administrators at 10 facilities. As a result, increased risk exists that erroneous or unauthorized activity could occur and go undetected.

• Service continuity control weaknesses limited IRS’s ability to restore and continue critical data processing services in the event of unexpected service interruptions. IRS had not developed disaster recovery plans for certain key systems and/or had not adequately tested service continuity plans at several facilities. As a result, increased risk exists that IRS will not be able to protect or recover essential information and critical business processes in the event of an unexpected interruption of service.

IRS has made progress in correcting the general and application control weaknesses identified in our information security reviews during this 3-year period. In May 2003 we reported that IRS had corrected about one-third of the 765 general control weaknesses and 55 percent of the application control weaknesses identified in our reviews.[14] Although IRS has corrected a significant number of weaknesses, many significant weaknesses in information security controls remain.
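The access control, change control, and segregation-of-duties findings listed above are the kind of conditions a routine access review can surface before an auditor does. The script below is an added example, not code from the GAO report or from IRS or Treasury systems. It runs four checks over a constructed account inventory: accounts with no login for 90 days, privileges a user's role does not justify, developer accounts or development tools on production servers, and system administration privileges held together with control over auditing. The inventory format, role model, privilege names, and inactivity threshold are assumptions made for the example.

```python
"""Added example (not from the GAO report or from IRS/Treasury systems):
an access review that flags the general control weaknesses described in the
IRS findings. Field names, roles, privilege names and thresholds are
assumptions made for this example."""

from collections import Counter
from datetime import date, timedelta

# Assumed review date and inactivity threshold.
AS_OF = date(2003, 5, 31)
INACTIVE_AFTER = timedelta(days=90)

# Assumed role model: the privileges each role legitimately needs.
ROLE_PRIVILEGES = {
    "dba": {"login", "db_admin"},
    "developer": {"login", "compiler"},
    "sysadmin": {"login", "root"},
    "clerk": {"login"},
    "auditor": {"login", "audit_config"},
}

# Segregation of duties: privilege sets one person should not hold together
# (here, system administration together with control over auditing).
INCOMPATIBLE_PRIVILEGES = [({"root"}, {"audit_config"})]

# Roles and tools that do not belong on production servers.
DEVELOPER_ROLES = {"developer"}
DEVELOPMENT_TOOLS = {"compiler"}

# Constructed sample inventory: one record per account per host.
ACCOUNTS = [
    {"user": "acarter", "host": "prod-db-01", "env": "production", "role": "dba",
     "privileges": {"login", "db_admin"}, "last_login": date(2003, 5, 1)},
    {"user": "bjones", "host": "prod-app-02", "env": "production", "role": "developer",
     "privileges": {"login", "compiler"}, "last_login": date(2003, 4, 20)},
    {"user": "cmiller", "host": "prod-app-02", "env": "production", "role": "sysadmin",
     "privileges": {"login", "root", "audit_config"}, "last_login": date(2003, 5, 2)},
    {"user": "dlee", "host": "prod-file-01", "env": "production", "role": "clerk",
     "privileges": {"login", "root"}, "last_login": date(2003, 4, 30)},
    {"user": "epatel", "host": "prod-file-01", "env": "production", "role": "clerk",
     "privileges": {"login"}, "last_login": date(2002, 9, 1)},
    {"user": "fgarcia", "host": "dev-app-01", "env": "development", "role": "developer",
     "privileges": {"login", "compiler"}, "last_login": date(2003, 5, 3)},
    {"user": "gsmith", "host": "prod-db-01", "env": "production", "role": "auditor",
     "privileges": {"login", "audit_config"}, "last_login": date(2003, 5, 3)},
]


def review_accounts(accounts, as_of=AS_OF):
    """Return a list of findings, each {"check", "account", "detail"}."""
    findings = []

    def flag(check, account, detail=""):
        findings.append({"check": check, "account": account, "detail": detail})

    for acct in accounts:
        tag = f"{acct['user']}@{acct['host']}"
        privs = acct["privileges"]

        # Inactive and unused accounts should be disabled or removed.
        idle = as_of - acct["last_login"]
        if idle > INACTIVE_AFTER:
            flag("inactive_account", tag, f"last login {idle.days} days ago")

        # Privileges the role does not justify (e.g. root for a clerk).
        excess = privs - ROLE_PRIVILEGES.get(acct["role"], set())
        if excess:
            flag("excess_privilege", tag, ", ".join(sorted(excess)))

        # Developer accounts and development tools on production servers.
        if acct["env"] == "production":
            if acct["role"] in DEVELOPER_ROLES:
                flag("developer_on_production", tag)
            tools = privs & DEVELOPMENT_TOOLS
            if tools:
                flag("dev_tools_on_production", tag, ", ".join(sorted(tools)))

        # Segregation of duties: incompatible privilege combinations.
        for left, right in INCOMPATIBLE_PRIVILEGES:
            if left <= privs and right <= privs:
                flag("segregation_of_duties", tag, ", ".join(sorted(left | right)))

    return findings


def count_by_check(findings):
    """Tally findings by check name, the way an audit report summarises them."""
    return dict(Counter(f["check"] for f in findings))


def run_review():
    """Review the constructed inventory as of the assumed review date."""
    return review_accounts(ACCOUNTS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['check']:26} {f['account']:24} {f['detail']}")
    print(count_by_check(run_review()))
```

On the constructed inventory the review produces six findings: one inactive account, two accounts with privileges beyond their role, one developer account and one set of development tools on a production host, and one administrator who also controls auditing. The role model is the part that needs the most care in practice; a review is only as good as the record of which privileges each role is meant to have.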

[14] U.S. General Accounting Office, Information Security: Progress Made, but Weaknesses at the Internal Revenue Service Continue to Pose Risks, GAO-03-44 (Washington, D.C.: May 30, 2003).

Financial Management Service

FMS has experienced long-standing weaknesses in its computer controls. It has reported its overall information systems security environment as a material weakness every year since fiscal year 1998. Treasury has recognized the seriousness of this problem and reported FMS’s computer controls as a material weakness in its annual accountability reports for each of those fiscal years. In January 2002, we reported that FMS’s overall information security control environment was ineffective in identifying, deterring, and responding promptly to computer control weaknesses.[15] In November 2002, the independent external auditor responsible for auditing FMS’s fiscal year 2001 and 2002 financial statements reported a material weakness in the general controls over the Hyattsville (Md.) Regional Operations Center. The external auditor reported that general controls did not effectively prevent (1) unauthorized access to the disclosure of sensitive information, (2) unauthorized changes to systems and application software, (3) unauthorized access to programs and files that control computer hardware and secure applications, or (4) disruption of critical operations. Specifically, the external auditor found weaknesses in the following areas:

• Access controls. The majority of information security weaknesses were identified in this area. Weaknesses were found in the administration of access controls, access to computer programs and files, and access to sensitive data.

• Systems software. The development and enforcement of systems software policies and procedures over usage and modifications to operating system upgrades and utilities were inadequate.

• Change controls. Configuration change management control procedures were not consistently enforced across all major FMS applications reviewed.

• Service continuity. Although FMS has completed its business impact assessment,[16] the results of this assessment had not been incorporated into detailed disaster recovery plans.

Although the independent external auditor reported that FMS had made improvements in its information security control environment during fiscal year 2002, the external auditor was critical of the overall effectiveness of FMS’s information security management program. FMS management was still in the process of implementing its new entitywide security plan—authorized in September 2002—for most of the year under audit. While FMS has corrected vulnerabilities in some areas, subsequent reviews have found that previously identified weaknesses continue to exist on other systems.

[15] U.S. General Accounting Office, Financial Management Service: Significant Weaknesses in Computer Controls Continue, GAO-02-317 (Washington, D.C.: Jan. 31, 2002).

[16] FMS’s business continuity planning activities have been split into two phases: conducting a business impact assessment and preparing detailed recovery plans.

U.S. Mint

Significant information security weaknesses also existed at the U.S. Mint. The independent external auditor responsible for auditing the Mint’s fiscal year 2001 financial statements identified numerous general and application control weaknesses. Due to the magnitude of these weaknesses, the external auditor reported two separate material weaknesses—one for general controls and one for application controls. In its audit report on the Mint’s fiscal year 2002 financial statements, the external auditor aggregated the two previously reported material weaknesses into one material weakness on information systems controls. The auditor noted that the Mint had made improvements in its computer control environment and systems security control activities, which included the development of a comprehensive corrective action plan, and hired a new chief information officer. However, the external auditor noted weaknesses in the Mint’s information systems general controls relating to its network infrastructure, systems documentation, software change control, and related security policies and procedures.


Bureaus Have Not Consistently Performed Required Information Security Activities

Assessing and managing the risks associated with information systems are key elements of an information security program. FISMA[17] and other federal guidance[18] require federal agencies to develop comprehensive information security programs based on assessing and managing risks. OMB requires agencies to report performance measure data related to required aspects of their information security programs. These data include the number and percentage of systems that have

• been assessed for risk and assigned a level of risk,

• up-to-date security plans,

• been certified and accredited,

• security controls that have been tested/evaluated within the last year,

• contingency plans, and

• tested contingency plans.

Treasury also requires that its bureaus use these same performance measures when reporting to it on the status of bureau information security programs. Performance data reported by the bureaus indicate that the bureaus have not consistently performed these required information security activities and that certain bureaus performed them better than others. For example, the percentage of systems for which bureaus reported performing these required activities ranged from 0 to 100 percent.

[17] Public Law 107-347, section 301 (2002); 44 U.S.C. 3544(b).

[18] The February 1996 revision to OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, directs agencies to use a risk-based approach to determine adequate security, including a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.

Many Systems Do Not Have Risk Assessments

Risk management is a process that allows information technology managers to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the information technology systems and data that support organizational missions. Agencies, including Treasury, are required to perform periodic threat-based risk assessments for systems and data. Risk assessments are an essential element of risk management and overall security program management and, as our best practice work has shown, are an integral part of the management processes of leading organizations.[19] Risk assessments help ensure that the greatest risks have been identified and addressed, increase the understanding of risk, and provide support for needed controls.

Treasury bureaus have not consistently assessed their systems for risk. According to Treasury’s FISMA report for 2003 and as illustrated in figure 1, four bureaus reported that they had assessed risk for 90 to 100 percent of their systems. However, figure 1 also shows that the other nine bureaus, including the four that reported that less than half of their systems had been assessed for risk, did not consistently assess risks for their systems.




[19] GAO/AIMD-98-68.




Figure 1: Percentage of Systems with Risk Assessments during Fiscal Year 2003

The bureaus also experienced mixed results in fiscal year 2003 with increasing the percentage of their systems that have been assessed for risk. Of the 11 bureaus that reported this security metric in both fiscal years, 4 reported an increase in the percentage of systems assessed for risk in fiscal year 2003 compared with fiscal year 2002, while 4 reported a decrease. The remaining 3 bureaus did not report a change in the percentage of systems assessed for risk.

Systems Often Lack Up-to-Date Security Plans

OMB Circular A-130 requires that security plans be prepared for all federal systems that contain sensitive information. The purpose of these plans is to (1) provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements, (2) delineate the responsibilities and expected behavior of all individuals who access the system, and (3) serve as documentation of the structured process of planning adequate, cost-effective security protection for a system.

Treasury bureaus did not consistently maintain up-to-date security plans for their systems. According to Treasury’s FISMA report for 2003, only 304 (43 percent) of the department’s 708 systems had up-to-date security plans. Although IRS had by far the largest number of systems without a security plan, 8 of the 13 bureaus reported that they had up-to-date security plans for less than 90 percent of their systems for fiscal year 2003, as shown in figure 2.

Figure 2: Percentage of Systems with Up-to-Date Security Plans during Fiscal Year 2003




Bureaus Have Not Certified and Accredited Many Systems

OMB and Treasury require management officials to formally authorize the use of each general support system and major application through a certification and accreditation process before it becomes operational, when a significant change occurs, and at least every 3 years thereafter. System certification is based on a technical evaluation of an information system to see how well it meets its security requirements, including all applicable federal laws, policies, regulations, and standards. System accreditation is the written management authorization for a system to operate and/or process information.

Treasury bureaus did not certify and accredit many of their systems. According to Treasury’s FISMA report for fiscal year 2003 and as shown in figure 3, 11 of 13 bureaus reported that less than 90 percent of their systems had been certified and accredited for fiscal year 2003. Moreover, 2 bureaus reported that none of their systems had been authorized for processing following system certification and accreditation.




Figure 3: Percentage of Systems Certified and Accredited for Fiscal Year 2003

Our analysis of data submitted by the 11 bureaus that reported on this performance measure for both fiscal years 2002 and 2003 showed mixed progress. For example, 5 of the 11 bureaus reported a decrease in the percentage of systems authorized for processing following certification and accreditation, while 5 of the remaining 6 bureaus showed improvement in this area.

Bureaus Are Not Routinely Testing and Evaluating Security Controls

An agency head is responsible for ensuring that the appropriate agency officials evaluate the effectiveness of the information security program, including testing controls. Further, the agencywide information security program is to include periodic management testing and evaluation of the effectiveness of information security policies and procedures. Periodically evaluating the effectiveness of security policies and controls and acting to address any identified weaknesses are fundamental activities that allow an organization to manage its information security risks cost-effectively, rather than reacting to individual problems ad hoc only after a violation has been detected or an audit finding has been reported. Further, management control testing and evaluation as part of the program reviews can supplement control testing and evaluation in IG and our audits to help provide a more complete picture of the agency’s security posture. FISMA requires that agencies test the management, operational, and technical controls of every information system identified in their inventories of major information systems no less than annually.

Most Treasury bureaus did not test the security controls on each of their inventoried systems during fiscal year 2003. As illustrated below, 9 of the 13 Treasury bureaus reported in Treasury’s FISMA report that they had tested the controls on less than 90 percent of their systems for fiscal year 2003, including 6 that tested controls on less than half of their systems.

Figure 4: Percentage of Systems with Security Controls Tested in Fiscal Year 2003




Bureaus Have Not Consistently Prepared or Tested Contingency Plans

Contingency plans provide specific instructions for restoring critical systems, including such items as arrangements for alternative processing facilities, in case the usual facilities are significantly damaged or cannot be accessed.

These plans and procedures help to ensure that critical operations can continue when unexpected events occur, such as a temporary power failure, an accidental loss of files, or a major disaster. Contingency plans should also identify which operations and supporting resources are critical and need to be restored first and should be tested to identify their weaknesses. Without such tested plans, agencies have inadequate assurance that they can recover operational capability in a timely, orderly manner after a disruptive attack.

Treasury bureaus have not consistently prepared or tested contingency plans for their information systems. According to Treasury’s FISMA report for fiscal year 2003, only 44 percent of its systems had a contingency plan. Bureaus also reported that 41 percent of their systems had tested contingency plans. As shown in figure 5, only 2 of 13 bureaus reported that they had tested contingency plans for at least 90 percent of their systems. Moreover, 4 bureaus reported that none of their contingency plans had been tested.

Figure 5: Percentage of Systems with Tested Contingency Plans




The bureaus’ inconsistent track record for performing these essential
information security activities can lead to the implementation of insecure
systems and/or the implementation of inadequate or inappropriate security
controls that do not sufficiently address threats to these systems and
could result in costly efforts to subsequently implement effective controls.
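The six performance measures discussed in this section, together with the 90 percent and 50 percent thresholds and the year-over-year comparisons applied in figures 1 through 5, can be computed directly from a system inventory. The script below is an added example, not code from the GAO report or from Treasury’s FISMA reporting. Bureau names, system records, measure codes, and prior-year percentages are constructed for the example. It also checks one consistency condition the measures imply: a system reported as having a tested contingency plan should also be reported as having a contingency plan, and a record that says otherwise points to a data quality problem in the inventory rather than a real result.

```python
"""Added example (not from the GAO report or Treasury's FISMA reporting):
computes the six FISMA performance measures from a system inventory, bands
each bureau against the 90 and 50 percent thresholds used in the figures,
and compares one measure against prior-year figures. Bureau names, system
records, measure codes and prior-year percentages are constructed."""

from collections import defaultdict

# Measure codes (assumed for this example) and what they stand for.
MEASURES = {
    "RA": "assessed for risk and assigned a level of risk",
    "SP": "up-to-date security plan",
    "CA": "certified and accredited",
    "ST": "security controls tested/evaluated within the last year",
    "CP": "contingency plan",
    "CPT": "tested contingency plan",
}

# Constructed inventory: (bureau, system id, measures the system satisfies).
SYSTEMS = [
    ("Bureau A", "A-1", {"RA", "SP", "CA", "ST", "CP", "CPT"}),
    ("Bureau A", "A-2", {"RA", "SP", "CA", "ST", "CP"}),
    ("Bureau B", "B-1", {"RA", "CP"}),
    ("Bureau B", "B-2", set()),
    ("Bureau B", "B-3", {"RA"}),
    ("Bureau C", "C-1", {"RA", "SP", "ST"}),
    ("Bureau C", "C-2", {"SP"}),
    ("Bureau C", "C-3", {"RA", "SP", "CP", "CPT"}),
    ("Bureau C", "C-4", {"RA", "SP"}),
    ("Bureau C", "C-5", {"RA", "SP", "CA", "CPT"}),  # tested plan reported, no plan
]

# Constructed prior-year percentages for the risk assessment measure.
PRIOR_YEAR_RA = {"Bureau A": 100, "Bureau B": 33, "Bureau C": 90}


def performance_measures(systems):
    """Return {bureau: {"systems": n, code: (count, percent)}}, plus a
    "Department" row aggregating every system in the inventory."""
    groups = defaultdict(list)
    for bureau, _sid, flags in systems:
        groups[bureau].append(flags)
    groups["Department"] = [flags for _b, _s, flags in systems]

    table = {}
    for bureau, flag_sets in groups.items():
        total = len(flag_sets)
        row = {"systems": total}
        for code in MEASURES:
            count = sum(1 for flags in flag_sets if code in flags)
            row[code] = (count, round(100 * count / total) if total else 0)
        table[bureau] = row
    return table


def band(percent):
    """Threshold bands used when reading the report's figures."""
    if percent >= 90:
        return "90 to 100"
    if percent >= 50:
        return "50 to 89"
    return "below 50"


def year_over_year(table, prior, code):
    """Classify each bureau's change in one measure against prior-year data."""
    result = {}
    for bureau, prior_pct in prior.items():
        current = table[bureau][code][1]
        if current > prior_pct:
            result[bureau] = "increase"
        elif current < prior_pct:
            result[bureau] = "decrease"
        else:
            result[bureau] = "no change"
    return result


def inconsistent_records(systems):
    """A tested contingency plan presupposes a contingency plan; records that
    report CPT without CP indicate an inventory data quality problem."""
    return [sid for _b, sid, flags in systems if "CPT" in flags and "CP" not in flags]


if __name__ == "__main__":
    table = performance_measures(SYSTEMS)
    for bureau, row in table.items():
        cells = "  ".join(f"{code} {row[code][1]:3d}% ({band(row[code][1])})" for code in MEASURES)
        print(f"{bureau:10} {row['systems']:2d} systems  {cells}")
    print("Risk assessment trend:", year_over_year(table, PRIOR_YEAR_RA, "RA"))
    print("Inconsistent records:", inconsistent_records(SYSTEMS))
```

Percentages alone hide how small a bureau's inventory is, so the per-bureau row keeps the system count next to each measure; a bureau with two systems moves from 50 to 100 percent by fixing one record, while the department total is dominated by whichever bureau owns the most systems.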




Treasury Has Begun to Implement Key Elements of a Departmentwide Information Security Program, but Challenges Remain

The information security weaknesses and inconsistent security practices identified at the bureaus exist, in part, because Treasury’s departmentwide security program, while evolving, is not yet fully institutionalized across the entire department. At Treasury, the vast majority of the department’s information system assets and computing operations are located at the operating bureaus. Each bureau has been assigned responsibility for developing and maintaining an effective information security program for managing its information security risks, in accordance with departmental policies. Although responsibility for developing and maintaining an effective bureau-specific information security program has been delegated to each operating bureau, broad program responsibility for information security throughout the department is assigned to the Treasury CIO. However, prior to fiscal year 2003, Treasury had not provided adequate direction to or oversight of the bureaus to ensure that key elements of a strong information security program were fully and consistently implemented at each bureau, as the following examples illustrate.

• Treasury’s information security policies and procedures were outdated and incomplete. The principal policy document governing Treasury’s information security program was Treasury Directive 71-10, Department of Treasury Security Manual. The primary purpose of this document was to establish comprehensive, uniform security policies, procedures, and guidelines that were to be followed by each bureau in developing its own specific policies and operating directives. However, the security manual contained policies that had not been revised since 1992 and did not reflect current federal guidance. For example, the manual was silent in many areas where security policy was needed, such as voice mail, e-mail, and security-incident reporting. In addition, Treasury’s security manual did not provide to the bureaus policies or guidance in the areas of virus protection, audit trails, and warning banners. Although most bureaus have developed their own information security policies, five relied exclusively on these outdated and incomplete policies to implement their information
                           security programs.

                       •   Treasury had not established effective processes and procedures for
                           monitoring and overseeing the implementation of security at the
                           bureaus. The Office of Security Compliance within the Office of Treasury
                           CIO is responsible for monitoring Treasury bureaus and ensuring
                           compliance with federal and Treasury security policies. However, prior to
                           fiscal year 2002, the office did not conduct security reviews of bureau
                           information security programs. In fiscal year 2002, the office conducted 35
                           security reviews of the bureaus’ information systems and programs.
                           According to Treasury officials, these reviews were limited in scope, were
                           conducted only at selected bureaus, and did not represent a complete


                                 security program review. For example, some security reviews consisted
                                 primarily of reviewing a system’s security plan and did not include testing
                                 security controls for the system.

Treasury Is Implementing Elements of an Information Security Program

To address these issues and improve oversight of information security at the bureaus, Treasury launched or expanded several initiatives during fiscal year 2003 that were designed to promote the implementation of key elements of a departmentwide information security program.

                             •   Appointment of chief information officer. In March 2003, Treasury
                                 appointed a new departmental CIO. FISMA provides that the authority to
                                 ensure compliance with the requirements imposed on the agency under
                                 the act be delegated to the agency CIO. The CIO’s responsibilities include
                                 developing and maintaining a departmentwide information security
                                 program and security policies and providing oversight, strategic
                                 management, and policy direction on all information security programs
                                 within Treasury.

                             •   Development of information security governance model. The Treasury
                                 CIO proposed a governance model for information security during fiscal
                                 year 2003. Elements of the model include integrating security programs
                                 both functionally with capital planning and organizationally across
                                 bureaus; increasing CIO oversight; increasing bureau self-assessments;
                                 creating and distributing comprehensive security policies, standards, and
                                 procedures; establishing a security policy forum; and linking the
                                 information technology governance process to the enterprise architecture
                                 and capital investment and planning process.

                             •   Updated departmental information security policies and procedures.
                                 During fiscal year 2003, Treasury undertook a major revision of its
                                 outdated and incomplete information security policies. In August 2003,
                                 Treasury published a comprehensive, up-to-date body of information
                                 security policies and procedures—the Treasury Information Systems
                                 Security Program—consisting of the Treasury Information Technology
                                 Security Program Policy (Volume 1) and the Treasury Information
                                 Technology Security Program Handbook (Volume 2). The documents
                                 replaced Treasury Directive 71-10 and formally establish a uniform
                                 baseline for the department’s information security requirements. They are
                                 based on requirements levied by FISMA, NIST, and OMB and are to
                                 serve as a framework for the bureaus as they develop their specific
                                 policies and operating directives.

                             •   Expanded program and system review. Treasury expanded its review of
                                 the bureaus’ information security programs and systems during fiscal year



                                   2003. According to Treasury’s fiscal year 2003 FISMA report, one
                                   departmental initiative to create and maintain a system inventory revealed
                                   an additional 270 systems in fiscal year 2003. The department also
                                   conducted reviews of each bureau’s information security program and
                                   performed 21 system certification and accreditation package reviews. In
                                   addition, Treasury conducted vulnerability scans on networks and
                                   performed system penetration tests as part of its program and system
                                   reviews.

                               •   Analysis of bureaus’ plans of action and milestones. Treasury continued
                                   tracking and analyzing the plan of action and milestones (POA&M)
                                   reported by the bureaus on a quarterly basis. This plan is a tool that details
                                   the tasks that need to be accomplished and the resources required,
                                   milestones, and scheduled completion dates for accomplishing the tasks.
                                   The purpose of a POA&M is to help agencies identify, assess, prioritize,
                                   and monitor the progress of corrective efforts for security weaknesses
                                   found in programs and systems. OMB requires agencies to (1) develop a
                                   separate POA&M for every program and system for which weaknesses
                                   were identified and (2) report quarterly on progress implementing the
                                   plans. Accordingly, Treasury requires its bureaus to maintain POA&Ms on
                                   all information security weaknesses and provide quarterly updates to the
                                   Treasury CIO’s office. Treasury monitors bureau progress in correcting
                                   weaknesses by using the plans as a performance tracking mechanism.
                                   According to the Treasury CIO, Treasury analyzes the updated plans for
                                   quality and completeness and evaluates progress and other significant
                                   trends that may influence the resolution of security-related weaknesses.

                               •   Educational outreach programs. According to Treasury’s FISMA report
                                   for fiscal year 2003, Treasury’s oversight and compliance program also
                                   developed and maintained a series of outreach programs that are designed
                                   to educate Treasury employees about elements of information security
                                   compliance and to stimulate dialogue among security practitioners and
                                   stakeholders across the department.

                               •   Increased funding for information technology security. According to
                                   Treasury’s FISMA report for fiscal year 2003, the department more than
                                   doubled its total information security spending, from $85 million in fiscal
                                   year 2002 to $174 million in fiscal year 2003.

Despite Initiatives, Information Security Challenges Remain

Although Treasury has significantly increased funding for information security and has begun to make progress implementing key elements of its information security program, it remains challenged to effectively and consistently implement security controls and procedures across the department. As illustrated in figure 6, an analysis of security metric data in Treasury’s fiscal year 2002 GISRA report and its fiscal year 2003 FISMA report (see footnote 20) shows that

•   the majority of Treasury systems do not meet key information security
    requirements, and

•   Treasury’s reported performance in meeting certain of these requirements
    has decreased.

    Figure 6: Percentage of Treasury Systems Meeting Certain Information Security
    Requirements




    Note: This chart reflects data for the 11 Treasury bureaus that reported on these security
    requirements for both years.




    Footnote 20: IRS management indicated that controls in additional systems were tested subsequent to the effective date of Treasury’s FISMA report.




    Treasury reported that it did not implement any of these six required
    information security activities on a majority of its systems for fiscal year
    2003. For example, Treasury established a specific goal that 80 percent of
    all information systems be certified and accredited by the end of fiscal
    year 2003. However, as of August 15, 2003—the date of data contained in
    its FISMA report for fiscal year 2003—Treasury had certified and
    accredited only about 24 percent of its 708 systems. According to
    Treasury’s CIO, this was due to (1) the discovery of 276 additional systems
    at the IRS as a result of an effort to compile an accurate inventory and (2)
    a new reporting requirement that stipulated that systems with an interim
    authority to operate not be counted in fiscal year 2003 as an accredited
    system. In fiscal year 2002, such systems were counted as accredited for
    reporting purposes.

    In addition, implementation of certain information security requirements
    has decreased from fiscal year 2002. For the 11 bureaus that reported
    performance measures for both years, the percentage of Treasury systems
    implementing five of the six requirements decreased in fiscal year 2003,
    while it increased for one. For example, Treasury-reported data for fiscal
    year 2002 shows that 93 percent of the systems at those bureaus were
    assessed for risk and assigned a level of risk, while for fiscal year 2003
    only 42 percent were.

    Treasury’s overall performance demonstrates that it continues to face
    challenges implementing and monitoring information security throughout
    the department. The following factors contribute to the challenges
    confronting Treasury as it endeavors to improve the security of its
    information systems and data:

•   Treasury reorganization. Throughout fiscal year 2003, Treasury
    underwent a major reorganization. The reorganization resulted in the
    reassignment of three bureaus to the Department of Homeland Security,
    the creation of a new entity within Treasury, and the transfer of about 50
    percent of Treasury’s information technology security staff to the
    Department of Homeland Security. The reduction in staff resulting from
    the reorganization, combined with the reported increase in the total
    number of departmental systems, could hinder the department’s ability to
    provide effective oversight and direction over the bureaus’ information
    security programs.

•   Senior information security officer has not been designated. FISMA
    requires that a senior agency information security officer be designated to
    carry out the information security duties and responsibilities of the CIO



    under the act. This senior-level official is to (1) have information security
    as his or her primary duty; (2) head an office with the mission and
    resources necessary to assist in ensuring compliance with the act; and (3)
    possess the professional qualifications, including training and experience,
    required to administer the functions described in the act. The official
    would oversee the development and implementation of departmental
    information policies, procedures, and control techniques and coordinate
    departmentwide security-related activities to ensure that weaknesses
    identified in one bureau’s systems do not place the entire department’s
    information assets at undue risk. However, Treasury has not designated a
    senior agency information security officer to develop, maintain, and
    oversee the department’s security program. The lack of a senior
    information security officer with the stature and experience as well as the
    responsibility and authority for directing and overseeing the
    implementation of the departmentwide program could impair
    departmental control or influence in information security program
    decisions made by the bureaus.

•   Reliability and completeness of performance information. Although
    FISMA reporting provided performance information on key security areas,
    it is important for agencies to ensure that they have the appropriate
    management structures and processes in place to strategically manage
    information security, as well as to ensure the reliability of performance
    information. For example, disciplined processes can routinely provide the
    agency with timely, accurate, and useful information for day-to-day
    management of information security. Treasury has established a process
    for receiving quarterly updates on the bureaus’ plans of action and
    milestones and issuing an annual data call to the bureaus for performance
    information on key information security requirements used in FISMA
    reports. However, the Treasury reports reveal issues with the reliability
    and completeness of bureau-reported information. For example, in
    Treasury’s fiscal year 2002 GISRA report, there were significant
    differences between what Treasury and the OIG reported for the
    percentage of systems that met certain information security requirements.

    In addition, the Treasury Inspector General for Tax Administration
    (TIGTA) states in the fiscal year 2003 FISMA report that IRS’s POA&Ms do
    not report on the status of system-specific vulnerabilities and are not
    specific enough to ensure accountability and timely remediation of the
    vulnerabilities. TIGTA also states that since IRS’s POA&Ms are not
    reported by system, justifications for information security funding found
    in its business cases cannot be tied to or linked with weaknesses reported
    in the POA&M. With the need for effective oversight to ensure compliance
    with the departmentwide information security program and the need to



                      comply with a new requirement by OMB for quarterly reporting of agency
                      progress against certain information security performance measures,
                      disciplined processes that can routinely provide Treasury with timely,
                      accurate, and useful information for day-to-day management of
                      information security will become more important for the department.


Conclusions

Weaknesses in information security controls at Treasury bureaus have placed its financial and information management systems at risk and could hinder its ability to effectively and efficiently accomplish its mission.
                      Although Treasury has taken the initial steps necessary to implement a
                      departmentwide information security program, key elements of such a
                      program—those needed to help mitigate Treasury’s long-standing
                      information security weaknesses—have not been fully implemented.
                      Implementing an effective information security program could help ensure
                      that known weaknesses affecting Treasury’s computing resources are
                      promptly mitigated and that general controls effectively protect its
                      computing environments. Until Treasury oversees the implementation of a
                      departmentwide security program, limited assurance exists that it and its
                      bureaus will be able to resolve known information security weaknesses
                      and adequately safeguard their information resources.


Recommendations for Executive Action

To improve oversight and compliance with Treasury’s information security program, we recommend that the Secretary of the Treasury direct the chief information officer to do the following:

                  •   Assess the staffing and resource requirements for performing the
                      department’s oversight and compliance efforts to ensure that departmental
                      information security policies are effectively and consistently implemented
                      throughout the organization.

                  •   Designate a senior agency information security officer.

                  •   Examine existing reporting processes and implement procedures to
                      enhance the reliability and completeness of the bureau-provided
                      information required for day-to-day management of information security.


Agency Comments

In providing written comments on a draft of this report (which are reprinted as appendix I), the Treasury CIO responded on behalf of the department and concurred with our assessment and recommendations. In addition, the CIO underscored his commitment to implementing a new security governance model that not only aligns with Treasury’s information technology governance model but also aligns with security policies and security operations. The Treasury CIO also provided technical comments that have been incorporated into the report as appropriate.

If you have any questions or need further information, please contact
Gregory C. Wilshusen, Assistant Director, at (202) 512-6244, or me at
(202) 512-3317. We can also be reached by e-mail at wilshuseng@gao.gov
and daceyr@gao.gov, respectively. Kenneth A. Johnson and Ronald E.
Parker made key contributions to this report.




Robert F. Dacey
Director, Information Security Issues




Appendix I: Comments from the Department of the Treasury




Related GAO Products


             Information Security: Computer Controls Over Key Treasury Internet
             Payment System. GAO-03-837. Washington, D.C.: July 30, 2003.

             Information Security: Progress Made, but Weaknesses at the Internal
             Revenue Service Continue to Pose Risks. GAO-03-44. Washington, D.C.:
             May 30, 2003.

             Bureau of the Public Debt: Areas for Improvement in Computer Controls.
             GAO-03-524R. Washington, D.C.: May 1, 2003.

             Information Security: Progress Made, But Challenges Remain to Protect
             Federal Systems and the Nation’s Critical Infrastructures. GAO-03-564T.
             Washington, D.C.: Apr. 8, 2003.

             High-Risk Series: Protecting Information Systems Supporting the
             Federal Government and the Nation’s Critical Infrastructures.
             GAO-03-121. Washington, D.C.: January 2003.

             Major Management Challenges and Program Risks: Department of the
             Treasury. GAO-03-109. Washington, D.C.: January 2003.

             Computer Security: Progress Made, But Critical Federal Operations and
             Assets Remain at Risk. GAO-03-303T. Washington, D.C.: Nov. 19, 2002.

             Financial Audit: IRS’s Fiscal Years 2002 and 2001 Financial
             Statements. GAO-03-243. Washington, D.C.: Nov. 15, 2002.

             Financial Audit: Bureau of the Public Debt’s Fiscal Years 2002 and 2001
             Schedules of Federal Debt. GAO-03-199. Washington, D.C.: Nov. 1, 2002.

             Bureau of the Public Debt: Areas for Improvement in Computer Controls.
             GAO-02-1082R. Washington, D.C.: Sept. 18, 2002.

             Information Security: Comments on the Proposed Federal Information
             Security Management Act of 2002. GAO-02-677T. Washington, D.C.: May
             2, 2002.

             Information Security: Additional Actions Needed to Implement Reform
             Legislation. GAO-02-470T. Washington, D.C.: Mar. 6, 2002.

             Financial Audit: IRS’s Fiscal Years 2001 and 2000 Financial
             Statements. GAO-02-414. Washington, D.C.: Feb. 27, 2002.







Financial Audit: Bureau of the Public Debt’s Fiscal Years 2001 and 2000
Schedules of Federal Debt. GAO-02-354. Washington, D.C.: Feb. 15, 2002.

Financial Management Service: Significant Weaknesses in Computer
Controls Continue. GAO-02-317. Washington, D.C.: Jan. 31, 2002.

Computer Security: Improvements Needed to Reduce Risk to Critical
Federal Operations and Assets. GAO-02-231T. Washington, D.C.: Nov. 9,
2001.

Bureau of the Public Debt: Areas for Improvement in Computer Controls.
GAO-01-1131R. Washington, D.C.: Sept. 13, 2001.

Management Letter: Improvements Needed in IRS’s Accounting
Procedures and Internal Controls. GAO-01-880R. Washington, D.C.:
July 30, 2001.

Computer Security: Weaknesses Continue to Place Critical Federal
Operations and Assets at Risk. GAO-01-600T. Washington, D.C.: Apr. 5,
2001.

Internal Revenue Service: Progress Continues But Serious Management
Challenges Remain. GAO-01-562T. Washington, D.C.: Apr. 2, 2001.

Financial Audit: Bureau of the Public Debt’s Fiscal Years 2000 and 1999
Schedule of Federal Debt. GAO-01-389. Washington, D.C.: Mar. 1, 2001.

Financial Audit: IRS’ Fiscal Year 2000 Financial Statements.
GAO-01-394. Washington, D.C.: Mar. 1, 2001.

Information Security: IRS Electronic Filing System. GAO-01-306.
Washington, D.C.: Feb. 16, 2001.

Computer Security: Critical Federal Operations and Assets Remain at
Risk. GAO/AIMD-00-314. Washington, D.C.: Sept. 11, 2000.

Information Security: Serious and Widespread Weaknesses Persist at
Federal Agencies. GAO/AIMD-00-295. Washington, D.C.: Sept. 6, 2000.

Information Security: Software Change Controls at the Department of
Treasury. GAO/AIMD-00-200R. Washington, D.C.: June 30, 2000.








           Management Letter: Suggested Improvements in IRS’s Accounting
           Procedures and Internal Controls. AIMD-00-162R. Washington, D.C.: June
           14, 2000.

           Financial Audit: IRS’s Fiscal Year 1999 Financial Statements. GAO/AIMD-00-76.
           Washington, D.C.: Feb. 29, 2000.

           Federal Information System Controls Audit Manual. GAO/AIMD-12.19.6.
           Washington, D.C.: January 1999.

           Information Security Management: Learning from Leading Organizations.
           GAO/AIMD-98-68. Washington, D.C.: May 1998.

           High-Risk Series: Information Management and Technology. GAO/HR-97-9.
           Washington, D.C.: February 1997.

           Financial Audit: Examination of IRS’s Fiscal Year 1992 Financial
           Statements. GAO/AIMD-93-2. Washington, D.C.: June 30, 1993.




GAO’s Mission

The General Accounting Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to e-mail alerts” under the “Order GAO Products” heading.

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to:

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by phone: Voice: (202) 512-6000; TDD: (202) 512-2537; Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs

Jeff Nelligan, Managing Director, NelliganJ@gao.gov, (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548