GAO targets financial center's security steps


A federal agency that processes more than $9 billion in payroll accounts for 200,000 employees has serious weaknesses in its computer security that leave its systems open to potential misuse, a General Accounting Office report found.

In a report issued earlier this month, GAO cited weaknesses in security for the Interior Department's National Business Center.

GAO found fault with the center's ability to prevent and detect unauthorized changes to financial information and payroll data. The report also criticized the center's insufficient control over electronic access to sensitive personnel information and physical access to computing areas.

'NBC-Denver did not adequately limit access granted to authorized users,' GAO said. Moreover, the agency does not routinely monitor access to its computer facilities.

Robert Lamb, acting assistant secretary for policy, management and budget at Interior, acknowledged the flaws and said the agency had taken steps to improve security.

The report stressed the importance of security for the center because it processes payroll and performs accounting functions for Interior and 30 other federal agencies. About 37,000 users have access to the center's system.

Not enough protection

As of last month, the center had implemented half of GAO's recommendations and expected to complete them by the end of the year, Lamb said.

Even though the center had taken steps to limit access and improve user ID and password management, GAO said it had not sufficiently regulated user access. In addition, people were able to walk by guards into a sensitive computer operations area without being checked for identification.

About 400 users have access to four software libraries that could circumvent all security controls, the report said.

'Such access increased the risk that users could bypass security controls to alter or delete any computer data or programs on the system, and that privilege should only be granted to system programmers,' GAO said.

'To protect our sensitive financial data, we have instituted a multilayered security environment composed of network, system and application security controls,' Lamb said.

More than 1,000 users had broad access privileges that allowed them to create and modify computer programs as well as read and copy sensitive data, according to the report.

Another 80 application developers had authorization to update payroll and personnel files.

'Developers with detailed knowledge of the system's processing functions could improperly add, alter or delete payroll and personnel data and programs without leaving evidence that the system had been compromised,' GAO said.

The center has successfully tested a plan to recover computer operations in the wake of a disaster, Lamb said.

