Executive Guide: Information Security Management: Learning From Leading Organizations (Exposure Draft)

AIMD-98-21 November 1, 1997
Full Report (PDF, 71 pages)

Summary

As organizations increasingly rely on electronic information, they need to ensure that the information they use has not been inappropriately altered and that its confidentiality is protected. Moreover, the information must be readily available with few disruptions in the operation of supporting computer and telecommunications systems. Without these assurances, organizations are vulnerable to a host of problems, including fraud, sabotage, user errors, and natural disasters. Although many factors underlie information security shortcomings at federal agencies, the lack of a management framework to explore and reduce information security risks is a significant factor. This guide, one of a series of GAO reports on steps that federal officials can take to better manage information resources, studies organizations with reputations for having superior security programs and identifies practices that could be adopted successfully by federal agencies.