USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure

AIMD-99-227 Published: Jul 30, 1999. Publicly Released: Jul 30, 1999.
Highlights

Pursuant to a legislative requirement, GAO provided information on the quality of the Department of Agriculture's (USDA) information security at its National Finance Center (NFC).

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to correct the specific access control weaknesses GAO identified and communicated to NFC management during GAO's testing.
Status: Closed – Implemented
Based on GAO's June 2002 field visit to NFC, all specific access control weaknesses identified by GAO have been corrected.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include assessing risks periodically to determine needs and select cost-effective policies and related controls.
Status: Closed – Implemented
Based on current GAO audit efforts, GAO has determined that USDA has published a policy, Cybersecurity guidance CS-016, to address risk assessment.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include implementing policies and controls that are based on risk.
Status: Closed – Not Implemented
As of July 2003, based on current audit work, this has not been implemented.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include communicating the policies and controls, as well as the risks that prompted their adoption, to those responsible for complying with them.
Status: Closed – Not Implemented
Based on current GAO audit efforts, this recommendation has not been implemented.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include evaluating the effectiveness of policies and related controls.
Status: Closed – Not Implemented
Based on current GAO audit efforts, this recommendation has not been implemented.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should direct the Chief Financial Officer to ensure that an effective entitywide security planning and management program, as described in GAO's May 1998 study of security management best practices, is in place at NFC. Such a program would include establishing a central security management focal point to ensure that major elements of the security planning and management program are carried out and provide a communications link among organizational units.
Status: Closed – Implemented
Based on current GAO audit work, GAO has determined that USDA has appointed an Associate CIO for Cyber Security. The Associate CIO is the central management person responsible for ensuring information security planning and management, and communicating policies and procedures to USDA units.

GAO Contacts

Office of Public Affairs

Topics

Access control, Best practices, Computer resources, Computer security, Computer security policies, Confidential communications, Financial management systems, Information resources management, Information security, Internal controls, Private sector practices