Summary

GAO reviewed the Social Security Administration's (SSA) computing environment, focusing on its policies, procedures, and techniques designed to detect, respond to, and report on incidents of computer intrusion and misuse.

GAO noted that: (1) while SSA has a basic system and network management policies and procedures that provide a foundation for more effective intrusion and misuse detection capabilities, SSA does not have an integrated set of procedures for effectively detecting, responding to, and reporting such incidents; (2) access control and other weaknesses that were identified through the independent audit of SSA's fiscal year (FY) 1998 financial statements diminish the value of SSA's intrusion detection techniques; (3) this is because these weaknesses increase the risk that either authorized users or intruders will find a way to bypass, alter, or in other ways compromise sensors intended to monitor system activity and identify suspicious events and patterns; (4) during GAO's work, it identified the following weaknesses that affect SSA's intrusion and misuse detection and reporting capabilities: (a) SSA has installed a firewall between its main network and the Internet to provide control, however, SSA's firewall policy has not been updated since 1996, and it does not reflect which Internet services are permitted or disallowed; (b) SSA does not have effective procedures in place for analyzing data, such as those captured in mainframe computer access violation logs; (c) SSA has not developed computer emergency response procedures or designated a computer emergency response team; and (d) SSA's computer security monitoring and reporting activities have not been integrated with its routine system and network management monitoring operations; (5) at the close of GAO's work in June, tests of SSA's information security controls had recently begun as part of the independent audit of its FY 1999 financial statements; and (6) the results of the audit are likely to provide valuable information on the effectiveness of SSA's information security controls, including SSA's efforts to address previously reported weaknesses.