Justice Automation: Tighter Computer Security Needed

IMTEC-90-69 Published: Jul 30, 1990. Publicly Released: Aug 23, 1990.

Highlights

Pursuant to a congressional request, GAO reviewed the Department of Justice's (DOJ) computer security program, focusing on compliance with the Computer Security Act of 1987 and other applicable laws and regulations.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Justice
Recommendation: The Attorney General should immediately correct the security weaknesses described in this report; specifically, ensure that all litigating organizations prepare and test contingency plans, perform thorough risk analyses, correct the problems identified, and establish mandatory computer security training programs.
Status: Closed – Implemented. Documentation provided by the Department of Justice indicates that contingency plans have been prepared and tested for all litigating organizations. Risk analyses have been completed for all litigating organizations, and problems identified have been addressed. In May 1991, Justice made computer security training mandatory, included this training in its formal employee orientation process, and considered the benefits of providing additional formalized computer security training.

Agency Affected: Department of Justice
Recommendation: The Attorney General should immediately initiate steps at the main data center to ensure that: (1) a contingency plan is completed, and identified physical and computer operations weaknesses are corrected; and (2) a full-scope risk assessment of overall physical, system, and telecommunications security is conducted, and any weaknesses found are corrected.
Status: Closed – Implemented. The backup and disaster recovery plan for the main data center was completed in September 1991. Data center security upgrades were completed in September 1991. A three-part contingency plan for the main data center was completed in August 1992 and contingency backup plans are updated continually to reflect ongoing changes in hardware and software configurations, environmental upgrades, building security improvements, and workload enhancements. A formal risk analysis of physical and computer system security at the center was conducted in October 1992. Justice is working with NIST to develop a risk analysis methodology for the telecommunications networks. Justice expects the formal assessment to be completed in August 1994.

Agency Affected: Department of Justice
Recommendation: The Attorney General should improve the Justice Management Division's (JMD) leadership and oversight of departmental computer security programs by ensuring that security staff: (1) perform periodic audits and reviews of sensitive systems; (2) certify the adequacy of security safeguards; and (3) monitor the litigating organizations' compliance with computer security training requirements.
Status: Closed – Implemented. JMD security staff conduct security compliance reviews, including computer security, agencywide. IRM Systems Policy staff review sensitive system security plans to certify on a case-by-case basis. A new IRM staff office for computer security has been created to develop guidance, assist components with computer security concerns, and monitor computer security training.

Agency Affected: Department of Justice
Recommendation: The Attorney General should report the computer security deficiencies as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA), and discuss the actions that will be taken to correct the weakness.
Status: Closed – Implemented. In his 1991 Internal Control Report dated December 28, 1991, the Attorney General designated automatic data processing security as a material weakness under FMFIA and a high-risk area.

Topics

Automated risk assessment, Computer security, Confidential communications, Facility security, Law enforcement information systems, Legal information systems, Contingency plans, Computer systems, Sensitive information, Data automation