
Computer Security: DEA Is Not Adequately Protecting Sensitive Drug Enforcement Data

IMTEC-92-83 Published: Sep 22, 1992. Publicly Released: Sep 30, 1992.

Highlights

Pursuant to a congressional request, GAO assessed the adequacy of the Drug Enforcement Administration's (DEA) computer security, focusing on: (1) DEA compliance with laws and requirements for protecting sensitive computer information; and (2) Department of Justice (DOJ) oversight of DEA compliance with computer security requirements.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Administrator, DEA, to establish and implement an agencywide computer security program as required by DOJ and other federal directives. As part of this program, DEA should ensure that all sensitive computer systems are properly identified and that security plans are prepared and implemented for each of these systems. To adequately protect its sensitive computer systems and facilities, DEA should also ensure that thorough risk analyses are conducted for all sensitive computer systems and any identified weaknesses are corrected, contingency plans are tested and implemented, and all employees are made aware of federal and agency computer security requirements and how to fulfill them.
Status: Closed – Implemented
DEA has submitted an action plan responsive to the GAO recommendations.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Administrator, DEA, to strengthen DEA monitoring and oversight of computer security. Specifically, DEA should issue clear and specific requirements for designated security officers to follow in monitoring and enforcing computer security. Also, the Office of Security Programs should train its staff in computer security and conduct more thorough security surveys that effectively identify and correct vulnerabilities.
Status: Closed – Implemented
DEA has made computer security a top priority, established a training curriculum, trained over 7,000 employees, and implemented a number of other activities to respond to this recommendation.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Administrator, DEA, to ensure that computer security weaknesses identified in this report are corrected and that similar weaknesses do not exist elsewhere. At a minimum, DEA needs to: (1) control access to areas where sensitive data are processed and stored; (2) adequately protect computer data, including the establishment of safeguards to restrict data access to individuals having a right to know; (3) collect and review computer audit trail information to detect improper access to and use of sensitive computer data; and (4) ensure that computer equipment used to process and store sensitive information is properly accounted for and controlled. Moreover, DEA should take appropriate steps to ensure that sensitive data are removed from computer equipment released outside the agency for repair or disposal.
Status: Closed – Implemented
DEA has contracted out to: (1) identify each sensitive system; and (2) perform risk analyses and vulnerability assessments. DEA is also doing a number of other things to enhance security.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the Administrator, DEA, to report the computer security deficiencies that GAO found as material internal control weaknesses under the Federal Managers' Financial Integrity Act.
Status: Closed – Implemented
On October 26, 1992, the DEA contractor identified and reported vulnerabilities. Risk analyses and vulnerability assessments have been conducted for major sensitive DEA systems. Weaknesses were reported in the Department of Justice's FY 1992 report.

Agency Affected: Department of Justice
Recommendation: The Attorney General should direct the DOJ Justice Management Division to work closely with DEA to ensure that the agency implements the above recommendations and complies with all federal and departmental computer security requirements.
Status: Closed – Implemented
DEA has taken action to respond to this recommendation.

Topics

Classified information, Computer equipment management, Computer security, Security threats, Confidential communications, Contingency plans, Facility security, Information resources management, Internal controls, Law enforcement agencies, Law enforcement information systems, Noncompliance, Passwords