Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets

T-AIMD-98-312 September 23, 1998
Full Report (PDF, 25 pages)

Summary

Recent audit evidence indicates that serious and widespread weaknesses in information security are jeopardizing the government's ability to adequately protect (1) federal assets from fraud and misuse; (2) sensitive information from inappropriate disclosure; and (3) critical operations, including some affecting public safety, from disruption. Significant information security weaknesses were reported in each of the 24 largest federal agencies, with inadequately restricted access to sensitive data being the most commonly cited problem. These weaknesses place critical government operations, such as national defense, tax collection, law enforcement, and benefits payments, as well as the assets associated with these operations, at great risk for fraud, disruption, and inappropriate disclosures. Also, many intrusions or other potentially malicious acts could be occurring but going undetected because agencies have not introduced effective controls to identify suspicious activity in their networks and computer systems. Individual agencies have not done enough to effectively address these problems. Similarly, agency performance in this area is not being adequately managed from a governmentwide perspective, although some important steps have been taken. In GAO's view, what is needed is a coordinated and comprehensive strategy that incorporates the worthwhile efforts already under way and takes advantage of the expanded amount of evidence that has become available in recent years. This testimony summarizes the September 1998 report GAO/AIMD-98-92.

GAO noted that: (1) as the importance of computer security has increased, so have the rigor and frequency of federal audits in this area; (2) during the last 2 years, GAO and the agency inspectors general (IG) have evaluated computer-based controls on a wide variety of financial and nonfinancial systems supporting critical federal programs and operations; (3) the most recent set of audit results described significant information security weaknesses in each of the 24 federal agencies covered by GAO's analysis; (4) these weaknesses cover a variety of areas, which GAO has grouped into six categories of general control weaknesses; (5) in GAO's report, it noted significant problems related to VA's control and oversight of access to its systems; (6) VA did not adequately limit the access of authorized users or effectively manage user identifications and passwords; (7) GAO also found that the department had not adequately protected its systems from unauthorized access from remote locations or through the VA network; (8) a primary reason for VA's continuing general computer control problems is that the department does not have a comprehensive computer security planning and management program in place to ensure that effective controls are established and maintained and that computer security receives adequate attention; (9) the public depends on SSA to protect trust fund revenues and assets from fraud and to protect sensitive information on individuals from inappropriate disclosure; (10) in addition, many current beneficiaries rely on the uninterrupted flow of monthly payments to meet their basic needs; in November 1997, the SSA IG reported serious weaknesses in controls over information resources, including access, continuity of service, and software program changes, that unnecessarily place these assets and operations at risk; (11) internal control testing identified information protection-related weaknesses throughout SSA's information systems environment; (12) an underlying factor that contributes to SSA's information security weaknesses is inadequate entitywide security program planning and management; (13) substantively improving federal information security will require efforts at both the individual agency level and at the governmentwide level; and (14) over the last 2 years, a number of efforts have been initiated, but additional actions are still needed.