
Department of Energy: Procedures Lacking to Protect Computerized Data

AIMD-95-118 Published: Jun 05, 1995. Publicly Released: Jul 06, 1995.

Highlights

Pursuant to a congressional request, GAO provided information on the alleged sale of surplus Department of Energy (DOE) computer equipment to a private businessman, focusing on whether: (1) the sale actually occurred; (2) the surplus computers contained any classified or sensitive unclassified information; and (3) DOE is subject to Federal Information Resources Management Regulation (FIRMR) guidance concerning the security and protection of federal computer resources.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Energy

Recommendation: The Secretary of Energy should direct the Deputy Assistant Secretaries for Information Management and for Procurement and Assistance Management to develop and implement procedures in DOE operations and field offices that instruct all contractors on the proper disposal of excess automatic data processing (ADP) equipment. These procedures should include instructions on how contractors should properly sanitize excess computers. The Secretary should then require all operations and field offices to adhere to these procedures when disposing of excess ADP equipment.

Status: Closed – Implemented
DOE published a Technical Security Advisory that provides information on the proper disposal of excess ADP equipment. It addresses the need to ensure that magnetic media, storage, or memory devices have been sanitized prior to being transferred or removed from service or declared excess. The transmittal memo provides information on software products that may be used for sanitization. However, according to the Unclassified Computer Security Program Manager, this advisory is not a departmental policy, and therefore, is not mandatory. Energy had intended to publish guidance in a mandatory policy that it was developing, but that policy was never finalized, and the Advisory was issued instead. Recent security concerns led Energy to reevaluate its security and to develop new computer security policies, which were implemented in July 1999. However, Energy has not incorporated the Advisory in the new policies.


Topics

Computer equipment management, Computer security, Personal computers, Property disposal, Surplus federal property, Computer resources, Computers, Sensitive data, Engineering, Hard drives