USDA Information Security: Weaknesses at National Finance Center Increase
Risk of Fraud, Misuse, and Improper Disclosure (Letter Report,
07/30/1999, GAO/AIMD-99-227).
The Department of Agriculture's National Finance Center manages payroll,
personnel, and accounting systems for many federal agencies, including
GAO. Serious access control weaknesses have compromised the Center's
ability to detect and prevent unauthorized changes to payment data or
computer software, control electronic access to Thrift Savings Plan
account information, and restrict physical access to sensitive computing
areas. These weaknesses have increased the risk that users could cause
improper payments. Sensitive information, such as personnel data, was
vulnerable to misuse, improper disclosure, or destruction. Also, the
Center's payroll processing and other financial management operations
were vulnerable to disruption. Management at the center recognizes the
seriousness of these weaknesses and is committed to improving
information system controls.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-99-227
TITLE: USDA Information Security: Weaknesses at National Finance
Center Increase Risk of Fraud, Misuse, and Improper
Disclosure
DATE: 07/30/1999
SUBJECT: Computer security
Internal controls
Financial management systems
Information resources management
Confidential communication
Private sector practices
IDENTIFIER: USDA PurchaseCard Management System
Federal Thrift Savings Plan
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. This text was extracted from a PDF file. **
** Delineations within the text indicating chapter titles, **
** headings, and bullets have not been preserved, and in some **
** cases heading text has been incorrectly merged into **
** body text in the adjacent column. Graphic images have **
** not been reproduced, but figure captions are included. **
** Tables are included, but column deliniations have not been **
** preserved. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
United States General Accounting Office GAO Report
to the Secretary of Agriculture July 1999 USDA
INFORMATION SECURITY Weaknesses at National Finance Center
Increase Risk of Fraud, Misuse, and Improper Disclosure GAO/AIMD-
99-227 United States General Accounting Office
Accounting and Information Washington, D.C. 20548
Management Division B-283156
Letter July 30, 1999 The Honorable Dan Glickman The Secretary of
Agriculture Dear Mr. Secretary: We reviewed information system
access controls1 over the financial information systems maintained
by the Department of Agriculture (USDA) at its National Finance
Center (NFC), which is located in New Orleans, Louisiana. Our work
was done in cooperation with the USDA Office of Inspector
General's internal control audit of NFC, which was part of its
audit of USDA's fiscal year 1998 consolidated financial
statements. NFC develops and operates administrative and financial
systems for USDA and other federal organizations under cross-
servicing or franchising agreements. Access controls are critical
to NFC's ability to safeguard assets and ensure the
confidentiality and reliability of financial management
information. Such controls, however, also affect the security and
reliability of nonfinancial information, such as personnel
information, maintained by NFC. Today, we are also issuing a
report designated for "Limited Official Use," which details
weaknesses in access controls over NFC computer systems. This
version of the report, which was excerpted for public release,
provides a general summary of the weaknesses we identified and the
recommendations we made. After we completed our fieldwork, the
director of NFC provided us with updated information regarding
corrective actions. However, these reported actions, which are
noted in this report, will need to be verified to ensure that they
are operating effectively. 1Access controls are a component of
information security designed to protect computer resources from
unauthorized modification, loss, or disclosure. They include
logical, system software, and physical controls. Logical controls
prevent or detect unauthorized access to sensitive data and
programs that are stored or transmitted electronically. Controls
over access to and modification of system software are essential
to protect the overall integrity and reliability of information
systems. Physical controls limit access to computer facilities and
associated resources. Letter Page 1
GAO/AIMD-99-227 NFC Information Security B-283156 Results in Brief
Serious access control weaknesses affected NFC's ability to
prevent and/or detect unauthorized changes to payroll and other
payment data or computer software, control electronic access to
Thrift Savings Program account information, and restrict physical
access to sensitive computing areas. These weaknesses increased
the risk that users could cause improper payments. In addition,
sensitive information contained in NFC systems, including
financial transaction data and personnel information, was
vulnerable to inadvertent or deliberate misuse, fraudulent use,
improper disclosure, or destruction. Furthermore, NFC payroll
processing and other financial management operations were
vulnerable to disruption due to these weaknesses. We found
significant problems related to the center's control and oversight
of access to its systems and the data maintained on these systems.
NFC was not adequately limiting the access of authorized users or
controlling its operating system software to prevent access
controls from being circumvented. For several years, the Office of
Inspector General has reported that access control procedures were
weak. The access control weaknesses we identified were further
compounded because NFC was not sufficiently protecting or
overseeing access to its network. In addition, the center was not
providing adequate physical security for its computer resources.
The access control weaknesses we found indicate that NFC's
computer security planning and management program had not
adequately ensured that information system controls continued to
work effectively. An effective program would include guidance and
procedures for assessing risks, establishing appropriate policies
and related controls, raising awareness of prevailing risks and
mitigating controls, and monitoring and evaluating the
effectiveness of established controls. Importantly, NFC management
has recognized the seriousness of the weaknesses we identified and
expressed its commitment to improving information system controls.
In commenting on this report, the director of NFC agreed with our
findings and recommendations. The director also stated that NFC
had corrected most of the information security weaknesses we
identified and planned actions to address remaining weaknesses. In
addition, NFC stated that it intends to strengthen its computer
security planning and management program to encompass the best
practices described in our May 1998 report. Addressing these
issues Letter Page 2 GAO/AIMD-
99-227 NFC Information Security B-283156 will help ensure that an
effective computer security environment is achieved and
maintained. Background The National Finance
Center develops and operates administrative and financial systems,
including payroll/personnel, administrative payments, accounts
receivable, property management, and accounting systems for both
USDA and more than 60 other federal organizations, including GAO,
under cross-servicing or franchising agreements. During fiscal
year 1998, NFC processed more than $19 billion in payroll payments
for more than 450,000 employees from federal organizations
including the Secret Service, Internal Revenue Service, and Drug
Enforcement Administration. The center also serviced more than $1
billion in accounts receivable and processed more than 450 million
accounting transactions in fiscal year 1998. NFC is also
responsible for maintaining records for the world's largest
401(k)-type program, the federal Thrift Savings Program. This
program, which is growing at about $1 billion per month, covers
about 2.3 million employees and totaled more than $60 billion as
of September 30, 1998. NFC is operated by USDA's Office of the
Chief Financial Officer (OCFO) in New Orleans, Louisiana. The
center relies on a nationwide telecommunications network that
links computer hardware at remote locations to the NFC mainframe
computers. Certain financial applications, such as the Purchase
Card Management System that manages around $34 million in
payments, are also processed on the network. Objective, Scope, and
Our objective was to evaluate the design and test the operational
Methodology effectiveness of access controls
over the financial systems maintained and operated by USDA at NFC.
We evaluated controls intended to protect data and application
programs from unauthorized access. Specifically, we reviewed * the
technical implementation of NFC's security software and other
system software, * network access controls, and * physical access
controls. Page 3 GAO/AIMD-99-227
NFC Information Security B-283156 We restricted our evaluation at
NFC to these controls because USDA's Office of Inspector General
planned to review the other information system general controls2
as part of the fiscal year 1998 internal control audit of NFC. To
evaluate access controls, we identified and reviewed NFC policies
and procedures related to access control, conducted tests and
observations of controls in operation, and held discussions with
NFC staff to determine whether access controls were in place,
adequately designed, and operating effectively. Our evaluation was
based on the guidance provided in our Federal Information System
Controls Audit Manual (FISCAM)3 and the results of our May 1998
study of security management best practices at leading
organizations.4 We performed our work from July 1998 through
February 1999 in accordance with generally accepted government
auditing standards. After we completed our fieldwork, the director
of NFC provided us with updated information regarding corrective
actions. However, these reported corrective actions will need to
be verified to ensure that they are operating effectively. USDA
provided us with written comments on a draft of this report, which
are discussed in the "Agency Comments" section and reprinted in
appendix I. 2General controls affect the overall effectiveness and
security of computer operations as opposed to being unique to any
specific computer application. They include security management,
operating procedures, software security features, and physical
protection designed to ensure that access to data and programs is
appropriately restricted, only authorized changes are made to
computer programs, computer security duties are segregated, and
backup and recovery plans are adequate to ensure the continuity of
essential operations. 3Federal Information System Controls Audit
Manual, Volume I Financial Statement Audits (GAO/AIMD-12.19.6,
January 1999). 4Information Security Management: Learning From
Leading Organizations (GAO/AIMD-98-68, May 1998). Page 4
GAO/AIMD-99-227 NFC Information Security B-283156 Information in
NFC A basic management objective for any organization
is to protect its data Systems Was from
unauthorized access and prevent improper modification, disclosure,
or deletion of financial and sensitive information. Our review of
NFC's Vulnerable to access controls found that the
center was not adequately protecting Unauthorized Access
financial and sensitive personnel information. Specifically, NFC
had not appropriately limited access granted to authorized users,
effectively controlled its operating system software, sufficiently
secured access to its network, or adequately restricted physical
access to its computer resources. As a result, NFC's computer
systems, programs, and data are at risk of inadvertent or
deliberate misuse, fraudulent use, unauthorized alteration, or
destruction possibly occurring without detection. NFC management
has recognized the weaknesses we identified and has expressed its
commitment to improving information system controls. We have noted
those instances where management has implemented corrective
actions or indicated that corrective actions are planned. A
summary of the weaknesses follows. Access Authority Was Not A
key weakness in NFC's access controls was that the center had not
Appropriately Limited for sufficiently restricted the access
for authorized users. Organizations can Authorized Users
protect information from unauthorized changes or disclosures by
granting employees authority to read or modify only those programs
and data that are necessary to perform their duties and
periodically reviewing access granted to ensure that it is
appropriate. NFC, however, had not adequately limited access to
financial and sensitive personal information maintained on its
systems. We found several examples, detailed below, where NFC had
not sufficiently restricted access authority for legitimate users.
* Eighty-six user IDs had an access privilege that allows users to
read and alter any data stored on tape regardless of other
security software controls. These users included staff from the
Accounting Systems Branch, the Foundation Financial Information
System Development team, and the Financial Reporting team. As a
result, these users have access to all NFC tape files, including
payroll files. Although this privilege is generally required to
process tapes received from external organizations, it should be
limited to one group, such as the tape library group, that copies
external tapes to the format required by NFC for processing. In
April 1999, the director of NFC told us that actions had been
taken to limit this access privilege to 20 technical employees,
with only 1 having the ability to update all tapes. Page 5
GAO/AIMD-99-227 NFC Information Security B-283156 * More than 60
mainframe user IDs enabled users to update a sensitive system file
that controlled certain access privileges and files containing
audit trail information. Allowing such broad access to these files
increases the risk that users could circumvent the security
software and alter or delete audit trail information. In April
1999, the director of NFC told us that this access had been
removed from all individuals. * Sensitive system files on a
network system were not adequately protected from unauthorized
users. These files could be exploited using readily available
"hacker" tools to gain access to this system, which could lead to
improper payments related to the Purchase Card Management System.
System Software Controls In addition to restricting user
access authority, controls over access to and Were Not Effective
modification of system software are also essential to protect the
overall integrity and reliability of information systems. System
software controls limit and monitor access to the powerful
programs and sensitive files associated with computer system
operation. Generally, one set of system software is used to
support and control all of the applications that run on the
system. System software helps control and coordinate the input,
processing, output, and data storage associated with all of the
applications that run on the system. Some system software can
change data and program code on files without leaving an audit
trail or can be used to modify or delete audit trails. Examples of
system software include the operating system, system utilities,
program library systems, file maintenance software, security
software, data communications systems, and database management
systems. System software controls are important in providing
reasonable assurance that access controls are not compromised and
that the system will not be impaired. If controls in this area are
not adequate, system software might be used to bypass security
controls or gain unauthorized privileges to perform unauthorized
actions or circumvent edits and other controls built into
application programs. We found that NFC was not properly
controlling system software to prevent access controls from being
circumvented. Such weaknesses diminish the reliability of
information produced by all applications supported by the computer
system and increase the risk of inadvertent or deliberate misuse,
fraudulent use, improper disclosure, and disruption. We identified
the following system software configuration weaknesses that could
allow users to bypass access controls and gain unauthorized access
Page 6 GAO/AIMD-99-227 NFC
Information Security B-283156 to financial and other sensitive
information maintained at NFC or cause system failures. * A system
software component that could be used to bypass security access
controls and alter data, programs, and audit trail information was
available to all users who could submit a program for batch
processing.5 As a result, all information, including payroll,
personnel, and investment data, was at risk of unauthorized
modification and deletion occurring without detection. NFC staff
subsequently modified this component to prevent security controls
from being circumvented. * The system software that controls batch
processing allowed any user with the ability to execute a batch
program to also use any operator command without intervention.
Allowing such broad access to operator commands that can turn off
other components of the system software, such as the security
software, or cause the system to stop increases the risk that
operations could be severely disrupted. NFC staff restricted the
ability to execute operator commands through batch programs within
2 hours of our telling them about this problem. * Versions of at
least seven network system software programs with known
vulnerabilities that could be exploited to gain unlimited access
to the network had not been updated or disabled to prevent
unauthorized access. These exposures could allow unauthorized
users to obtain access privileges that would allow them to bypass
security controls. In April 1999, the director of NFC told us that
his staff had begun correcting these vulnerabilities and planned
to complete this process by the end of July 1999. In addition, NFC
had not instituted a process to periodically review programs in
certain system software libraries, which are allowed to perform
sensitive functions that can be used to circumvent all security
controls and to identify and correct weaknesses. Until NFC begins
actively managing programs in sensitive system libraries, the
center will not have adequate assurance that mainframe security
controls cannot be bypassed. In April 1999, the director of NFC
told us that the center had established a process to monitor
programs in sensitive system software libraries. 5Batch processing
is a mode of computer operation in which transactions are
accumulated over a period of time and then processed at one time.
Users do not interact with the system while their programs are
processing in batch mode. Page 7
GAO/AIMD-99-227 NFC Information Security B-283156 Network Security
Was Not The risks created by these access control
problems were heightened Sufficient
because NFC was not sufficiently protecting access to its network.
Specifically, NFC had not adequately managed user identifications
(ID) and passwords, controlled access to its systems from remote
locations, or monitored system activity. Thus, sensitive financial
information processed on the network, including the Purchase Card
Management System payments, is at increased risk of unauthorized
modification or disclosure occurring without detection. Because of
NFC's interconnected environment, these network control weaknesses
also increase the risk of unauthorized access to financial and
other sensitive information, such as payroll, personnel, and
investment data, maintained on the NFC mainframe computer. Network
Password Management It is important to actively manage user IDs
and passwords to ensure that Controls Were Not Effective
users can be identified and authenticated. To accomplish this
objective, organizations should establish controls to maintain
individual accountability and protect the confidentiality of
passwords. These controls should include requirements to ensure
that IDs uniquely identify users; passwords are changed
periodically, contain a specified number of characters, and are
not common words; default IDs and passwords are changed to prevent
their use; and the number of invalid password attempts is limited
to preclude password guessing. Organizations should also evaluate
these controls periodically to ensure that they are operating
effectively. At NFC, however, network user IDs and passwords were
not being effectively managed to ensure individual accountability
and reduce the risk of unauthorized access. We found several
weaknesses relating to network password management. * Seventy-six
network IDs did not require passwords, which makes them more
susceptible to misuse because user authentication is not required.
More than 50 of these IDs were especially vulnerable because the
account identifiers were common words, software product names, or
derivations of words or products that could be easily guessed. In
April 1999, the director of NFC told us that a password is now
required for all user IDs. * Seventy-seven network IDs were
allowed to reuse the same password, which enables these IDs to
circumvent password change requirements. This increases the risk
that a password could be discovered and used to obtain improper
access to the NFC system. In April 1999, the director of Page 8
GAO/AIMD-99-227 NFC Information Security B-283156 NFC told us that
all user IDs are now required to have a unique password. * Sixteen
network IDs were not disabled after a specified number of invalid
password attempts. Allowing unlimited attempts to guess passwords
increases the risk of unauthorized access to the NFC network and
the financial information processed on the network. In April 1999,
the director of NFC told us that these accounts are now disabled
after five unsuccessful attempts are made to access them using
invalid passwords. Remote Access Was Not Organizations must
also control access to computer resources from remote Adequately
Controlled locations to protect sensitive information from
improper modification, disclosure, or destruction by outside
hackers. Because allowing dial-in connections from remote
locations significantly increases the risk of unauthorized access,
such access should be limited, justified, approved, and
periodically reviewed. Organizations should also control all
modems6 and telephone lines centrally, establish controls to
verify that dial-in connections are authorized, and test for
unauthorized modems. We found that NFC could not ensure that dial-
in access was adequately secured. These weaknesses, along with the
user ID and password problems described above, significantly
increase the risk that unauthorized users could gain access to the
NFC network. NFC had drafted a network and personal computer
security policy that acknowledged that dial-in access to a network
or personal computer could subject critical applications and
mainframe systems to unauthorized modification, deletion, and
disclosure, and required dial-in access to be secured through
passwords or dial-back7 features. However, the security group was
not involved in approving modem usage at NFC. In addition,
although NFC planned to centralize control of dial-in access to
minimize individual modems, only 16 of the 230 modems were
controlled through a central system where user authentication was
assured. NFC did not have procedures in place to ensure that dial-
in access was adequately protected for the remaining 214 modems.
Furthermore, NFC did not have a process in 6A modem is a device
that allows digital signals to be transmitted and received over
analog telephone lines. 7A dial-back system requires a user
initiating a call to a network or workstation to provide a
confidential code. The system then terminates the call and dials
back to a previously specified location to complete the dial-in
connection. Page 9
GAO/AIMD-99-227 NFC Information Security B-283156 place to
periodically reassess dial-in access to ensure that it was still
required. In April 1999, the director of NFC told us that his
staff would remove all individual modems and provide dial-in
access through a secured modem pool. The director also stated that
formal guidance on modem usage would be included in the NFC
network security policy, which is scheduled to be issued later in
1999. Network Security Monitoring The risks created by these
network access control problems were Program Was Not Effective
exacerbated because NFC did not have a proactive network
monitoring program. Such a program would require NFC to promptly
identify and investigate unusual or suspicious network activity
indicative of malicious, unauthorized, or improper activity, such
as repeated failed attempts to log on to the network, attempts to
identify systems and services on the network, connections to the
network from unauthorized locations, and efforts to overload the
network to disrupt operations. Network monitoring programs should
also include provisions for logging and regularly reviewing
network access activities. Without these controls, NFC has little
assurance that unauthorized access to systems on its network would
be detected in time to prevent or minimize damage. Although NFC
had begun planning for a network monitoring program, it had not
implemented a network intrusion detection system capable of
detecting attacks on a real-time basis. Such a system would
require NFC to identify suspicious access patterns and set up the
intrusion detection system to automatically log unusual activity,
provide necessary alerts, and terminate sessions when necessary.
Also, NFC could not ensure that network attacks would be detected
because the center was not monitoring network access activity.
Although the draft local area network and personal computer
security policy described procedures for event logging and audit
trails, this policy did not include requirements for logging
access to sensitive data and resources or reviewing access to
these resources for unusual or suspicious activity. Furthermore,
despite the requirements in the draft policy, NFC was not logging
security events on its main operational network even though this
is the primary means of identifying unauthorized users or
unauthorized usage of the system by authorized users. In April
1999, the director of NFC told us that his staff plan to implement
a comprehensive network intrusion detection program by the end of
July Page 10 GAO/AIMD-99-227 NFC
Information Security B-283156 1999. The director also stated that
security logging and monitoring policies and practices would be
established in the network security policy, which is scheduled for
issue later in 1999. Physical Security Controls Physical
controls are also important for protecting access to computer Were
Not Adequate facilities and resources from espionage,
sabotage, damage, and theft. These controls involve restricting
physical access to computer resources, usually by limiting access
to the buildings and rooms where these resources are stored. At
NFC, physical access control measures, such as locks, guards,
badges, and alarms, (used alone or in combination), are critical
to safeguarding critical financial and sensitive personnel
information and computer operations from internal and external
threats. However, NFC had not adequately controlled access to
computer resources. We found that more than 120 people, including
maintenance and nontechnical support staff, had access to the
computer room and tape library. At NFC, this unnecessary access
not only increased the risk of inadvertent or deliberate damage to
computer resources, but also heightened the risk of unauthorized
changes to data stored on tape. In April 1999, NFC management told
us that the center had eliminated unrestricted access to the
computer room and tape library for maintenance and nontechnical
support staff, who are now admitted by authorized staff members
when access is required. We also determined that physical access
to a console, which could be used to issue sensitive operator
commands, had not been restricted. Consequently, anyone could use
this console to issue commands that would disable security access
checking or cause the system to fail. Allowing unrestricted access
to this console increases the risk of unauthorized access to NFC
systems and disruptions in service. In April 1999, the director of
NFC told us that constructing a separate room for this console is
cost prohibitive; therefore, his staff plans to replace the
terminal that provides these functions with a personal computer
that will be password protected. Page 11
GAO/AIMD-99-227 NFC Information Security B-283156 Computer
Security Our May 1998 study of security management
best practices pointed out that Planning and a
comprehensive computer security planning and management program is
essential to ensure that information system controls continue to
work Management Program effectively. However, the access control
weaknesses we identified indicate Was Not Adequate
that NFC's computer security planning and management program had
not ensured that effective controls were established and
maintained. The USDA Office of Inspector General has also reported
since 1996 that access controls to prevent unauthorized access to
or modification of sensitive data at NFC were weak. In addition,
USDA began reporting inadequate computer security and application
controls at NFC as a material weakness in its Federal Managers'
Financial Integrity Act8 report in 1998. We found weaknesses in
the design of NFC's computer security planning and management
program. Under an effective computer security planning and
management program, staff (1) periodically assess risks, (2)
implement comprehensive policies and procedures, (3) promote
awareness of prevailing risks and mitigating controls, and (4)
monitor and evaluate the effectiveness of established controls. In
addition, a central security staff is important for providing
guidance and oversight for the computer security planning and
management program to ensure an effective information system
control environment. We found that NFC had not instituted a
sufficient framework for managing information system controls or
monitoring their effectiveness on an ongoing basis. One key aspect
of effective security planning and management is establishing
appropriate policies and procedures governing a complete computer
security program. Such policies and procedures should integrate
all security aspects of an organization's interconnected
environment, including network and mainframe security. The
integration of network and mainframe security is particularly
important as computer systems become more and more interconnected.
However, we found that NFC had not finalized its network security
policy, which was drafted in 1996 and did not include provisions
for an intrusion detection system. Furthermore, the USDA Office of
Inspector General reported in March 1998 that NFC policies and
procedures relating to physical security were not sufficient. In
April 1999, the director of NFC told us that his staff was
updating its draft Network and Personal Computer Security Policy
to address the current 8The Federal Managers' Financial Integrity
Act of 1982 requires agencies to establish controls that
reasonably ensure that assets are safeguarded against waste, loss,
or unauthorized use. Page 12
GAO/AIMD-99-227 NFC Information Security B-283156 network
architecture and environment and plan to issue the updated policy
later in 1999. In addition, NFC had not established a
comprehensive program to evaluate the effectiveness of controls
and compliance with established security policies and procedures.
For example, we found that NFC did not have a network self-
assessment program in place even though the network security
environment is a dynamic one. Although NFC had performed some
self-assessments in the beginning of 1998 to identify network
security vulnerabilities, the program had not been formalized to
ensure periodic self-assessments. Consequently, these self-
assessments ceased when the staff member who had been performing
them left NFC. We also found that certain policies and procedures
were not being followed. For example, we found that certain NFC
systems did not present an adequate warning to discourage
unauthorized use on the initial screen because the warning
required by NFC Directive 70 was not used on all systems. In July
1999, NFC management told us that the center had installed
software and implemented a network self-assessment program. The
director also told us, in April 1999, that the Network and
Personal Computer Security Policy, which is scheduled for release
later in 1999, would define an adequate and consistent warning
banner to be used on initial screens. Conclusions Access
controls are critical to NFC's ability to ensure the reliability
of financial management information and maintain confidentiality
of sensitive information. However, NFC's access control problems
placed sensitive personnel information at risk of disclosure,
critical financial operations at risk of disruption, and assets at
risk of loss. The access control weaknesses we identified could
have also adversely affected other agencies that depend on NFC for
computer processing support. Implementing more effective and
lasting controls that protect payments and sensitive personnel
information and maintain an effective general computer control
environment requires that NFC establish a comprehensive computer
security planning and management program. This program should
provide for periodically assessing risks, implementing effective
controls for restricting access based on job requirements and
proactively reviewing access activities, communicating the
established policies and controls to those who are responsible for
their implementation, and, perhaps most important, monitoring and
evaluating Page 13 GAO/AIMD-99-
227 NFC Information Security B-283156 the effectiveness of
policies and controls to ensure that they remain appropriate and
accomplish their intended purpose. NFC management has recognized
the weaknesses we identified and has expressed its commitment to
improving information system controls. Recommendations We
recommend that the Secretary of Agriculture direct the Chief
Financial Officer to take the following actions. * Correct the
specific access control weaknesses we identified and communicated
to NFC management during our testing. These weaknesses are
summarized in this report and detailed in a separate report, which
is designated for "Limited Official Use," also issued today. *
Ensure that an effective entitywide security planning and
management program, as described in our May 1998 study of security
management best practices, is in place at NFC. Such a program
would include * assessing risks periodically to determine needs
and select cost-effective policies and related controls, *
implementing policies and controls that are based on risk, *
communicating the policies and controls, as well as the risks that
prompted their adoption, to those responsible for complying with
them, * evaluating the effectiveness of policies and related
controls, and * establishing a central security management focal
point to ensure that major elements of the security planning and
management program are carried out and provide a communications
link among organizational units. Agency Comments In commenting
on a draft of this report, NFC agreed with our findings and
recommendations. NFC stated that it had corrected most of the
information security weaknesses we identified and planned actions
to address remaining weaknesses. In addition, NFC stated that it
intends to strengthen its computer security planning and
management program to encompass the best practices described in
our May 1998 report. This report contains recommendations to you.
The head of a federal agency is required by 31 U.S.C. 720 to
submit a written statement on actions taken on these
recommendations to the Senate Committee on Governmental Page 14
GAO/AIMD-99-227 NFC Information Security B-283156 Affairs and the
House Committee on Government Reform and Oversight not later than
60 days after the date of this report. A written statement also
must be sent to the House and Senate Committees on Appropriations
with the agency's first request for appropriations made more than
60 days after the date of this report. We are sending copies of
this report to Senator Fred Thompson, Senator Joseph Lieberman,
Representative Dan Burton, Representative Larry Combest,
Representative John R. Kasich, Representative John M. Spratt, Jr.,
Representative Charles W. Stenholm, and Representative Henry A.
Waxman in their capacities as Chairmen or Ranking Minority Members
of Senate and House Committees and the Honorable Jacob J. Lew,
Director of the Office of Management and Budget. Copies will also
be made available to others upon request. Please contact me at
(202) 512-3317 if you or your staff have any questions concerning
this report. Key contributors to this report are listed in
appendix II. Sincerely yours, Robert F. Dacey Director,
Consolidated Audit and Computer Security Issues Page 15
GAO/AIMD-99-227 NFC Information Security Appendix I Comments From
the Department of Agriculture
Appendix I Page 16 GAO/AIMD-99-227 NFC Information Security
Appendix II GAO Contacts and Staff Acknowledgements Appendix II
GAO Contacts Carol A. Langelier, (202) 512-5079 Edward
M. Glagola, Jr., (202) 512-6270 Lon C. Chin, (202) 512-2842
Acknowledgements In addition to those named above, Debra
M. Conner, Vernon L. Conyers, Jr., Shannon Q. Cross, Walter P.
Opaska, and Christopher J. Warweg made key contributions to this
report. (919386) Letter Page 17
GAO/AIMD-99-227 NFC Information Security Ordering Information The
first copy of each GAO report and testimony is free. Additional
copies are $2 each. Orders should be sent to the following
address, accompanied by a check or money order made out to the
Superintendent of Documents, when necessary, VISA and MasterCard
credit cards are accepted, also. Orders for 100 or more copies to
be mailed to a single address are discounted 25 percent. Orders by
mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC
20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts.
NW) U.S. General Accounting Office Washington, DC Orders may also
be placed by calling (202) 512-6000 or by using fax number (202)
512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of
newly available reports and testimony. To receive facsimile
copies of the daily list or any list from the past 30 days, please
call (202) 512-6000 using a touchtone phone. A recorded menu will
provide information on how to obtain these lists. For information
on how to access GAO reports on the INTERNET, send an e-mail
message with "info" in the body to: [email protected] or visit
GAO's World Wide Web Home Page at: http://www.gao.gov United
States Bulk Rate General Accounting Office
Postage & Fees Paid Washington, D.C. 20548-0001 GAO
Permit No. GI00 Official Business Penalty for Private Use $300
Address Correction Requested
*** End of document. ***