GAO targets financial center's security steps

A federal agency that processes more than $9 billion in payroll accounts for 200,000 employees has serious weaknesses in its computer security that leave its systems open to potential misuse, a General Accounting Office report found.

In a report issued earlier this month, GAO cited weaknesses in security for the Interior Department's National Business Center.

GAO found fault with the center's ability to prevent and detect unauthorized changes to financial information and payroll data. The report also criticized the center's insufficient control over electronic access to sensitive personnel information and physical access to computing areas.

'NBC-Denver did not adequately limit access granted to authorized users,' GAO said. Moreover, the agency does not routinely monitor access to its computer facilities.

Robert Lamb, acting assistant secretary for policy, management and budget at Interior, acknowledged the flaws and said the agency had taken steps to improve security.

The report stressed the importance of security for the center because it processes payroll and performs accounting functions for Interior and 30 other federal agencies. About 37,000 users have access to the center's system.

Not enough protection

As of last month, the center had implemented half of GAO's recommendations and expected to complete them by the end of the year, Lamb said.

Even though the center had taken steps to limit access and improve user ID and password management, GAO said it had not sufficiently regulated user access. In addition, people were able to walk by guards into a sensitive computer operations area without being checked for identification.

About 400 users have access to four software libraries that could circumvent all security controls, the report said.

'Such access increased the risk that users could bypass security controls to alter or delete any computer data or programs on the system, and that privilege should only be granted to system programmers,' GAO said.

'To protect our sensitive financial data, we have instituted a multilayered security environment composed of network, system and application security controls,' Lamb said.

More than 1,000 users had broad access privileges that allowed them to create and modify computer programs as well as read and copy sensitive data, according to the report.

Another 80 application developers had authorization to update payroll and personnel files.

'Developers with detailed knowledge of the system's processing functions could improperly add, alter or delete payroll and personnel data and programs without leaving evidence that the system had been compromised,' GAO said.

The center has successfully tested a plan to recover computer operations in the wake of a disaster, Lamb said.

