GAO: Boosting security would also benefit financial systems

By Tony Lee Orr

GCN Staff

Federal officials throughout government are studying security plans in the wake of oversight reviews that carped on agencies' apparent inability to safeguard information.

Of 20 federal organizations studied, only one passed muster on security issues, said Jeffrey C. Steinhoff, assistant comptroller general with the General Accounting Office's Accounting and Information Management Division. He testified in June before the House Government Reform Subcommittee on Government Management, Information and Technology.

Inspectors general and GAO auditors cite poor security as a central reason most agencies fail to comply with the Federal Financial Management Improvement Act.

'Information security weaknesses are one of the primary causes of noncompliance with FFMIA and a huge concern for federal agencies and the general public,' Steinhoff said.

Failures to secure systems containing vast financial records 'are placing enormous amounts of federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure and critical operations at risk for disruption,' he said.

Big no-no

The most serious security error agencies make is inadequately restricting access to data, including taxpayer records, personal medical information and law enforcement files, Steinhoff said.

He cited a February Health and Human Services Department IG report that slammed systems security at the Health Care Financing Administration, which administers the Medicare program. Processes at HCFA have failed to prevent unauthorized access to Medicare records, he said.

Gloria L. Jarmon and Gary T. Engle, a director and an associate director for accounting and financial management in Steinhoff's division, took an equally dim view of the Education Department's security efforts.

Education suffers from poor user management controls because it has no procedures for requesting, authorizing and revalidating access to systems, they told the House Task Force on Education in May.

The pair testified that Education had failed to monitor and review access to systems, to document the methodology for the design and maintenance of the systems infrastructure, and to develop a comprehensive disaster recovery plan.

Education has since begun correcting the problems, the department's deputy chief information officer Robert Davidson said.

Each system has a disaster recovery plan, he said. Another exists for the entire department. But those plans vary in quality from extremely solid plans for constant backup of student aid information at off-site facilities to less-stellar plans for backup of data to tape, Davidson said.

To ensure that employees can only open the records needed to do their job, supervisors at Education now assign access levels based on user identification, he said.

Davidson said 13 of the department's 14 systems have processes in place to ensure access is determined on need. The levels are reviewed annually, he said.

The procedures have helped the department keep track of who goes where on EDNet, Education's backbone network comprising hundreds of servers running Microsoft Windows NT and Unix.

Additionally, about 80 percent of the department's 4,800 employees have taken computer-based training that includes a module on password selection, he said.

John L. Meche, the Transportation Department's deputy assistant IG for financial and information technology, found problems similar to those at Education lurking at the department's Federal Transit Administration.

In a May report, Computer Security Controls of Financial Management System, the IG noted that passwords did not have expiration dates and some computer rooms were not secure.

In addition, the IG said the agency failed to perform adequate background checks, did not use audit trail features in software to track contractors' work, kept primary and backup computers in the same room, did not secure backup tapes off-site and relied too heavily on contract employees to implement software modifications.

FTA officials told the IG that they were implementing controls to suspend user accounts automatically after three failed password attempts, had made plans to store backup tapes off-site and had begun using the Security Event Auditing feature in the agency's Microsoft Windows operating system.
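The three controls the FTA described to the IG (automatic suspension after three failed password attempts, password expiration dates, and an audit trail of logon activity) fit together in one small account store. The following is an added illustration written for this article, not code from GAO, the Transportation IG or the FTA; the three-attempt threshold is the one the article reports, while the 90-day password age, the user name and the passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Policy values: the three-strike threshold is the one the FTA reported to the IG;
# the 90-day password age is an assumed value (the article names no interval).
MAX_FAILED_ATTEMPTS = 3
PASSWORD_MAX_AGE = timedelta(days=90)


class AccountStore:
    """Minimal account store with lockout, password expiry and an audit trail."""

    def __init__(self, clock):
        self.clock = clock        # callable returning the current UTC time
        self.accounts = {}
        self.audit_log = []       # append-only (time, event, user, detail) records

    def _log(self, event, username, detail=""):
        self.audit_log.append((self.clock(), event, username, detail))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "set_at": self.clock(),   # expiry is measured from the last password change
            "failed": 0,
            "suspended": False,
        }
        self._log("account_created", username)

    def authenticate(self, username, password):
        """Return one of: ok, unknown_user, suspended, password_expired, bad_password."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log("logon_failure", username, "unknown user")
            return "unknown_user"
        if acct["suspended"]:
            self._log("logon_failure", username, "account suspended")
            return "suspended"
        if not hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failed"] += 1
            self._log("logon_failure", username, f"bad password ({acct['failed']})")
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["suspended"] = True
                self._log("account_suspended", username, "failed-attempt threshold reached")
            return "bad_password"
        # Correct password: still enforce the expiration date before granting access.
        if self.clock() - acct["set_at"] > PASSWORD_MAX_AGE:
            self._log("logon_failure", username, "password expired")
            return "password_expired"
        acct["failed"] = 0
        self._log("logon_success", username)
        return "ok"

    def reset_password(self, username, new_password):
        """Administrative reset: new credential, fresh expiry clock, lockout cleared."""
        acct = self.accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = self._hash(new_password, acct["salt"])
        acct["set_at"] = self.clock()
        acct["failed"] = 0
        acct["suspended"] = False
        self._log("password_reset", username)


def demo():
    """Constructed scenario: three bad passwords trigger suspension, then a reset and expiry."""
    now = [datetime(2000, 6, 1, tzinfo=timezone.utc)]   # controllable clock
    store = AccountStore(lambda: now[0])
    store.add_user("fta_contractor", "correct horse")   # hypothetical user and password
    results = [store.authenticate("fta_contractor", "wrong") for _ in range(3)]
    results.append(store.authenticate("fta_contractor", "correct horse"))  # refused: suspended
    store.reset_password("fta_contractor", "new passphrase")
    results.append(store.authenticate("fta_contractor", "new passphrase"))
    now[0] += timedelta(days=91)  # advance past the assumed 90-day window
    results.append(store.authenticate("fta_contractor", "new passphrase"))
    return results, [event for _, event, _, _ in store.audit_log]


if __name__ == "__main__":
    outcomes, events = demo()
    print(outcomes)
    print(events)
```

The audit log is the piece the IG faulted FTA for not using: every outcome, including the suspension itself, is recorded with a timestamp, so a reviewer can reconstruct who was refused and why rather than inferring it from the account's current state.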

The agency also noted that the computer room was only temporarily left unlocked because of an air conditioner failure. After it was repaired, the agency once again locked the room.
