GAO: Agencies Still at Security Risk

Security holes in agency computer systems still place operations and assets at risk for fraud, misuse and disruption, a top General Accounting Office official told House lawmakers during a Sept. 26 hearing on critical information technology infrastructure security.

Citing GAO reports going back to July 1999, Joel Willemssen, a managing director with the congressional watchdog agency, said federal systems are "not being adequately protected from computer-based threats, even though these systems process, store and transmit enormous amounts of sensitive data and are indispensable to many federal agency operations."

For example, Willemssen said the numerous Internet worms that have appeared in the last few months, such as Code Red, Code Red II and SirCam, have disrupted government operations. Willemssen testified before the House Government Reform subcommittee on government efficiency, financial management and intergovernmental relations.

Noting striking similarities in the weaknesses found across the 24 agencies GAO reviewed, Willemssen said six areas need improvement:

* Access controls, to ensure that only authorized individuals can read, alter or delete data.

* Software development and change controls, to ensure that only authorized software programs are implemented.

* Security program management, to provide the framework for ensuring that risks are understood and addressed.

* Segregation of duties, to reduce the risk of unauthorized use.

* Operating system controls, to protect sensitive programs from tampering and misuse.

* Service continuity, to ensure that operations can continue through significant disruptions.

Willemssen, who oversees IT issues for the GAO, said most agencies have remedial efforts under way, but recommended that agencies adopt "a strong agencywide security management framework" by assessing risks, promoting awareness of security policies and implementing routine tests and examinations.