Skip to main content

Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations

AIMD-98-145 Published: May 18, 1998. Publicly Released: May 19, 1998.
Jump To:
Skip to Highlights

Highlights

Pursuant to a congressional request, GAO reviewed: (1) how susceptible the Department of State's unclassified automated information systems are to unauthorized access; (2) what State is doing to address information security issues; and (3) what additional actions may be needed to address the computer security problem.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of State The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should assign the Chief Information Officer (CIO) the responsibility and full authority for ensuring that the information security policies, procedures, and practices are adequate.
Closed – Implemented
State made the CIO responsible for all aspects of the department's computer security program.
Department of State The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should clarify the computer security responsibilities of the Bureau of Diplomatic Security, the Office of Information Management, and individual bureaus and diplomatic posts.
Closed – Implemented
The State Department clarified in writing computer security roles and responsibilities for the CIO, IRM, and DS offices.
Department of State The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department's information security activities. In doing so, State should consider whether some duties that have been assumed by these offices can be assigned to, or at a minimum coordinated with, the central information security unit.
Closed – Implemented
State designated the Chief Information Office as its central information security unit. The CIO and Diplomatic Security have agreed to a matrix of responsibilities to support this centralization of responsibility.
Department of State The Department of State should develop policy and procedures that require senior State managers to regularly determine the: (a) value and sensitivity of the information to be protected; (2) vulnerabilities of their computers and networks; (3) threats, including hackers, thieves, disgruntled employees, foreign adversaries, and spies; (4) countermeasures available to combat the problem; and (5) cost-effectiveness of the countermeasures.
Closed – Implemented
State issued policies and procedures, and revised its Foreign Affairs Manual, to require managers to determine risks and threats to systems, as well as vulnerabilities and weaknesses to these systems. State has also performed several independent vulnerability analyses of selected networks to implement these policies and procedures.
Department of State The Department of State should revise the Foreign Affairs Manual (FAM) so that it clearly describes the legislatively-mandated security responsibilities of the Chief Information Officer, the security responsibilities of senior managers and all computer users, and the need for and use of risk assessments.
Closed – Implemented
The FAM was revised in May 2000 to document the CIO's legislatively prescribed information security responsibilities.
Department of State The Department of State should develop and maintain an up-to-date security plan and ensure that revisions to the plan incorporate the results obtained from risk assessments.
Closed – Implemented
The Department has completed its Integrated Information Security Management Plan. The plan is comprehensive and, if implemented, will greatly improve State's information security posture. State advises that it will revise the plan as new risk-based information becomes available.
Department of State The Department of State should establish and implement key controls to help the department protect its information systems and information, including periodic penetration testing to identify vulnerabilities in State's information resources.
Closed – Implemented
State has acknowledged its need to establish key controls, including performing its own computer security assessments and periodic penetration testing. The Department contracted with FEDCIRC to perform penetration testing of selected networks between May and June 1998. In addition, the Bureau of Diplomatic Security recently completed a security evaluation of OPENNET, using the GAO findings as a baseline for the evaluation.
Department of State The Department of State should establish and implement key controls to help the department protect its information systems and information, including assessments of the department's ability to: (1) react to intrusion and attacks on its information systems; (2) respond quickly and effectively to security incidents; (3) help contain and repair any damage caused; and (4) prevent future damage and central reporting and tracking of information security incidents to ensure that knowledge of these problems can be shared across the department and with other federal agencies.
Closed – Implemented
State implemented key controls to help the agency detect and respond to computer security events and incidents. The Department implemented its Computer Incident Response Center and clarified for all personnel when an event should be reported to the center.
Department of State The Department of State should ensure that the results of the annual financial statement audits required by the Chief Financial Officers Act of 1990 are used to track the department's progress in establishing, implementing, and adhering to sound information security controls.
Closed – Implemented
State established and staffed a position responsible for providing the results of the annual financial statement audits to the IRM office so they can be used to help improve the Department's information security posture. IRM officials advised that they have used the results of the most recent financial statement audit to help address access control issues and develop a departmentwide certification and accreditation process.
Department of State The Department of State should require department managers to work with the central unit to expeditiously review the specific vulnerabilities and suggested actions GAO provided to State officials at the conclusion of GAO's testing. After the department has reviewed these weaknesses and determined the extent to which it is willing to accept or mitigate security risks, State should assign the central unit responsibility for tracking the implementation or disposition of these actions.
Closed – Implemented
State officials advised that they met weekly to discuss and resolve the specific weaknesses and vulnerabilities identified during the GAO testing. According to these officials, the majority of weaknesses were corrected and only a select few were considered to be acceptable risks. The Security Infrastructure Working Group has been given the task of centrally tracking the disposition of the GAO audit findings.
Department of State The Department of State should direct the Assistant Secretary for Diplomatic Security to follow up on the planned implementation of cost-effective enhanced security measures for the turnstiles designed for handicapped use.
Closed – Implemented
State obtained a more effective turnstile, assigned an additional uniformed officer at one entrance, repositioned a magnetometer, and increased the level of awareness among its security personnel for the need for greater security.
Department of State The Department of State should defer the expansion of Internet usage until: (1) known vulnerabilities are addressed using risk-based techniques; and (2) actions are taken to provide appropriate security measures commensurate with the planned level of Internet expansion.
Closed – Not Implemented
State disagreed with the GAO recommendation, stating that expanding Internet connectivity was a high priority and that planned security for accomplishing this was sufficient. State is proceeding with its planned approach.

Full Report

Office of Public Affairs

Topics

Automated security systemsComputer securityConfidential communicationsData integrityDenial of serviceInformation resources managementInformation securityInformation systemsInternal controlsInternetTerroristsComputer resources