NCJ Number
61589
Date Published
1979
Length
81 pages
Annotation
THE STATUS AND EFFECTIVENESS OF AUTOMATED SYSTEMS SECURITY PROGRAMS IN THE FEDERAL GOVERNMENT ARE ADDRESSED IN THIS GENERAL ACCOUNTING OFFICE REPORT.
Abstract
THE GENERAL ACCOUNTING OFFICE SURVEYED AUTOMATED SYSTEMS SECURITY PROGRAMS IN SELECTED FEDERAL AGENCIES IN 1977 IN RESPONSE TO CONGRESSIONAL INTEREST IN FEDERAL INFORMATION POLICIES FOLLOWING THE ENACTMENT OF THE PRIVACY ACT AND THE FREEDOM OF INFORMATION ACT AMENDMENTS IN 1974. THE REVIEW INCLUDED 10 CIVIL AGENCIES BUT EXCLUDED THE HIGHLY SPECIALIZED AREA OF CONTROLS OVER NATIONAL SECURITY CLASSIFIED DATA IN DEFENSE AGENCIES. THE FEDERAL AGENCIES SURVEYED DID NOT HAVE A CENTRALLY DIRECTED PROGRAM TO EFFECTIVELY PROTECT PERSONAL AND OTHER SENSITIVE DATA IN COMPUTER SYSTEMS. PROGRAMS FELL SHORT OF BEING COMPREHENSIVE, AND TOP MANAGEMENT SUPPORT WAS LACKING BECAUSE UPPER MANAGEMENT EITHER DID NOT RECOGNIZE OR ADEQUATELY APPRECIATE ITS RESPONSIBILITIES IN THIS AREA OR DID NOT PERCEIVE THE POTENTIAL FOR INVADING THE PRIVACY OF PEOPLE OR ORGANIZATIONS SERVED BY THE AGENCY. ALL AGENCIES SHOULD STRENGTHEN THEIR COMPUTER DATA SECURITY AND INTEGRITY BY THE FOLLOWING MEANS: (1) ESTABLISH CLEARLY DEFINED, COMPREHENSIVE COMPUTER SECURITY PROGRAMS; (2) ESTABLISH A COMPUTER SECURITY ADMINISTRATION FUNCTION TO BE INDEPENDENT OF COMPUTER OPERATIONS; (3) ESTABLISH PROGRAMS WHICH PROVIDE FOR FEEDBACK AND MANAGEMENT CONTROL IN ROUTINE MONITORING, REPORTING, AND INDEPENDENT INTERNAL AUDITS; (4) PROVIDE FOR RISK MANAGEMENT FOR THE DATA SYSTEMS AS A WHOLE; AND (5) ANTICIPATE TRAINING NEEDS, PARTICULARLY FOR RISK MANAGEMENT. THE APPENDIXES PRESENT THE NEED FOR AND BENEFITS OF COMPREHENSIVE SECURITY PLANNING; REFERENCE SOURCES; A LIST OF AGENCIES AND LOCATIONS COVERED IN THE SURVEY; AND A COPY OF THE OFFICE OF MANAGEMENT AND BUDGET CIRCULAR NO. A-71, WHICH DEALS WITH MANAGEMENT DIRECTIVES FOR IMPROVING COMPUTER SECURITY. (RCB)