GAO Knocks Interior's Security Measures

Find opportunities — and win them.

The General Accounting Office said the Interior Department's lack of information security measures is placing financial, personnel and other sensitive information at risk of being manipulated, corrupted or otherwise compromised.

The General Accounting Office said the Interior Department's lack of information security measures is placing financial, personnel and other sensitive information at risk of being manipulated, corrupted or otherwise compromised.


The July 10 report, "Information Security: Weak Controls Place Interior's Financial and Other Data at Risk," found the department's National Business Center in Denver has computer security weaknesses that inhibit its ability to detect and prevent unauthorized changes to financial data, including payroll and other payments.


In fiscal 2000, the center processed more than $9 billion in payroll payments for more than 200,000 federal employees, and more than 3 million other financial transactions worth more than $3 billion.


The GAO recommended the Interior Department correct the security weaknesses and implement an effective entitywide computer security management program.


"The good news is this [report] is very much geared to the executive level," said Diane Fraiman, vice president of marketing for Sanctum Inc., an information security firm based in Santa Clara, Calif.


Fraiman, who reviewed the GAO's findings, said: "This is a problem that no longer resides at the information technology director's level. It's at the management level."


But the GAO's suggestion that Interior fix the actual security problems doesn't address the questions of cost and resources, particularly when there is not yet a sign of the Bush administration's depth of commitment to information technology, she said.


"The reality is I don't think President Bush is adding more dollars and more resources to the federal government," she said.


Fraiman also faulted the GAO report for appearing to concentrate on external threats to the Interior systems. Whether or not it's a happy thought, the individuals within an organization generally are more of a threat, she said.


"The recommendations [GAO is] making only go up to the network level. Once you're in, you're in," she said. "None of the recommendations do one bit of good once you're inside."