An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.

Federal Information Security: Actions Needed to Address Widespread Weaknesses

NCJ Number
189506
Author(s)
Jack L. Brock Jr.
Date Published
March 2000
Length
14 pages
Annotation
This document discusses Federal information security in the United States.
Abstract
Computers and electronic data are indispensable to critical Federal operations, including national defense, tax collection, import control, benefits payments, and law enforcement. This reliance on automated systems increases the risks of fraud, inappropriate disclosure of sensitive data, and disruption of critical operations and services. The same factors that benefit operations -- speed and accessibility -- also make it possible for individuals and organizations to inexpensively interfere with or eavesdrop on operations, possibly for fraud, sabotage, or other malicious purposes. Threats of these acts are increasing because the number of individuals with computer skills is increasing. In addition, natural disasters and inadvertent errors by authorized computer users can have devastating consequences if information resources are poorly protected. There are six areas of management and general control weaknesses: (1) entitywide security program planning and management; (2) access controls; (3) application software development and change controls; (4) segregation of duties; (5) system software controls; and (6) service continuity controls. Agencies can address these weaknesses by increasing awareness, ensuring that existing controls are operating effectively, ensuring that software patches are up to date, and using automated scanning and testing tools to quickly identify problems. These weaknesses can also be addressed by propagating the agencies’ best practices and ensuring that their most common vulnerabilities are addressed. Perhaps most important, the legal framework supporting Federal computer security needs to be updated. In particular, the Computer Security Act of 1987 is outmoded and inadequate, as well as poorly implemented.
Recommendations include routine independent audits, which are needed to provide a basis for measuring agency performance and information for strengthened oversight, and a set of minimum mandatory control requirements for a set of data classifications that could be used by all Federal agencies. 9 footnotes