Education Information Security: Improvements Made But Control Weaknesses Remain

GAO-01-1067 Published: Sep 12, 2001. Publicly Released: Sep 12, 2001.

Highlights

The Department of Education relies heavily on the central automated processing system (EDCAPS) to support its core financial management information functions, including general ledger and funds management, grant planning and payment processing, and purchasing and contract management. Education's Inspector General (IG) has reported serious information system control weaknesses in this system. These weaknesses increase the risk of unauthorized access or disruption of services and make Education's sensitive grant and loan data vulnerable to misuse, fraud, improper disclosure, or destruction that could go undetected. Education is making progress in correcting the security weaknesses identified by the IG, and the department has taken other steps to improve security. However, GAO identified weaknesses that place critical financial and sensitive grant information at risk of unauthorized access and disclosure, and key operations at risk of disruption. Specifically, Education did not adequately protect its network from unauthorized users, effectively manage user IDs and passwords, appropriately limit access to authorized users, effectively maintain system software controls, or routinely monitor user access activity. Furthermore, Education did not provide adequate physical security for its computer resources, appropriately segregate all key operations and computer functions, effectively control changes to its applications, or fully address its service continuity needs. Education has since corrected some of the weaknesses and developed a corrective action plan to address the others.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the Chief Information Officer (CIO) and Chief Financial Officer (CFO) to ensure that the information system control weaknesses related to access authority, system software, network security, user ID and password management, access monitoring, physical access, segregation of duties, application program changes, and service continuity are corrected.
Status: Closed – Implemented
Based on our review of the work performed by Education's IG in evaluating information system controls in connection with the department's 2003 financial audit, we concluded that Education had taken sufficient action to correct the information system control weaknesses reported. Specifically, we determined that Education had corrected and strengthened controls for its logical and physical access, established a comprehensive program to monitor access to its critical financial systems, improved user ID and password management, and implemented a service continuity plan that includes periodic testing. Further, the department took steps to correct and strengthen its network security, enhance its application change control process, and ensure adherence to the segregation of duties principle.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the CIO and CFO to ensure that a comprehensive departmentwide computer security management program is implemented. Such a program would include (1) coordination of security management activities, (2) ongoing assessment of risk, (3) comprehensive security awareness training, (4) complete security policies, procedures, and standards, and (5) a program to routinely monitor and evaluate the effectiveness of information system controls.
Status: Closed – Implemented
Based on our review of the work performed by Education's IG in evaluating information system controls in connection with the department's 2003 financial audit, we concluded that Education had taken adequate steps to fully implement a comprehensive computer security management program. Specifically, Education had (1) established coordinating procedures between key department security functions, (2) conducted risk assessments, (3) established a security awareness program, and (4) issued security policies, procedures, and standards. Further, the department had developed and implemented an ongoing program to test and evaluate its information system control environment.

Topics

Computer fraud, Computer resources, Computer security, Financial management, Information systems, Information technology, Internal controls, Passwords, System software, Unauthorized access