Computer Security: Pervasive, Serious Weaknesses Jeopardize State
Department Operations (Letter Report, 05/01/98, GAO/AIMD-98-145).
Pursuant to a congressional request, GAO reviewed: (1) how susceptible
the Department of State's unclassified automated information systems are
to unauthorized access; (2) what State is doing to address information
security issues; and (3) what additional actions may be needed ed to
address the computer security problem.
GAO noted that: (1) State's information systems and the information
contained within them are vulnerable to access, change, disclosure,
disruption or even denial of service by unauthorized individuals; (2)
GAO conducted penetration tests to determine how susceptible State's
systems are to unauthorized access and found that it was able to access
sensitive information; (3) moreover, GAO's penetration of State's
computer resources went largely undetected, further underscoring the
department's serious vulnerability; (4) the results of GAO's tests show
that individuals or organizations seeking to damage State operations,
commit terrorism, or obtain financial gain could possibly exploit the
department's information security weaknesses; (5) although State has
some projects under way to improve security of its information systems
and help protect sensitive information, it does not have a security
program that allows State officials to comprehensively manage the risks
associated with the department's operations; (6) State lacks a central
focal point for overseeing and coordinating security activities; (7)
State does not routinely perform risk assessments to protect its
sensitive information based on its sensitivity, criticality, and value;
(8) the department's primary information security policy document is
incomplete; (9) the department lacks key controls for monitoring and
evaluating the effectiveness of its security programs and it has not
established a robust incident response capability; (10) State needs to
greatly accelerate its efforts and address these serious information
security weaknesses; (11) however, to date, its top managers have not
demonstrated that they are committed to doing so; (12) Internet security
was the only area in which GAO found that State's controls were
currently adequate; (13) however, plans to expand its Internet usage
will create new security risks; (14) State conducted an analysis of the
risks involved with using the Internet more extensively, but has not yet
decided how to address the security risks of additional external
connectivity to the concerns this review has raised; and (15) if State
increases its Internet use before instituting a comprehensive security
program and addresses the additional vulnerabilities unique to the
Internet, it will unnecessarily increase the risks of unauthorized
access to its systems and information.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-98-145
TITLE: Computer Security: Pervasive, Serious Weaknesses Jeopardize
State Department Operations
DATE: 05/01/98
SUBJECT: Computer security
Information systems
Data integrity
Internal controls
Confidential communication
Information resources management
IDENTIFIER: Internet