GAO Finds IT Security Weaknesses at Education Dept.

Key operations in the Department of EducationÕs central automated processing system are at risk of disruption and unauthorized access, according to a report released Sept. 12 by the General Accounting Office.

A primary reason for Education DepartmentÕs computer security weaknesses was it had not yet fully implemented a comprehensive computer security management program, according to the report.

The GAO made the report, ÒEducation Information Security: Improvements Made But Control Weaknesses Remain,Ó at the request of the House Education and the Workforce subcommittee on select education.

The GAO assessed the effectiveness of security controls in the Department of Education system that support general ledger and funds management, grant planning and payment processing, and purchasing and contract management.

The study followed up on work by the departmentÕs inspector general, who earlier had found serious control weaknesses in this system. The report said the department has made progress in correcting security weaknesses the inspector general identified, but also found the system still lacked adequate safeguards for:

*Protecting networks from unauthorized users;

*Managing user IDs and passwords;

*Limiting access to all authorized users;

*Maintaining system software controls;

*Monitoring user access activity routinely;

*Physically protecting computer resources.

The GAO recommended that the Department of EducationÕs chief information officer and the chief financial officer correct the weaknesses and implement a comprehensive departmentwide computer security.

During fiscal 2000, the central automated processing system reportedly moved about $45.5 billion for various grant and loan programs, according to the report. It serves about 1,200 internal users and about 17,600 external users.