Justice's Weak ADP Security Compromises Sensitive Data
T-IMTEC-91-6
Published: Mar 21, 1991. Publicly Released: Mar 21, 1991.
Skip to Highlights
Highlights
GAO discussed the Department of Justice's (DOJ): (1) recent sale of surplus computer equipment that was later found to have highly sensitive data; and (2) continuing exposure to similar breaches of security. GAO noted that DOJ: (1) showed patterns of neglect and inattention in ensuring information security nationwide; (2) was unable to provide it with such basic factual information as the total number of employees in the U.S. Attorneys' Offices nationwide; and (3) could not be trusted to safely secure sensitive data.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Justice | Because of the seriousness of this situation and the possibility of loss of life, the Attorney General should immediately identify all computer equipment designated surplus by DOJ components and determine whether it contained sensitive data. |
Closed – Implemented
DOJ reports that it identified all excessed, lost, and stolen storage media and no damage was ascertained. Departmental and component procedures for disposal of magnetic media were reviewed and updated as needed.
|
| Department of Justice | Because of the seriousness of this situation and the possibility of loss of life, the Attorney General should immediately ensure that every DOJ component that may have compromised sensitive data immediately prepare a damage assessment of the impact of the compromise on carrying out its mission and on the identity of such people as witnesses, confidential informants, and undercover agents. |
Closed – Implemented
DOJ reports that it identified all excessed, lost, and stolen storage media and no damage was ascertained.
|
| Department of Justice | The Attorney General should report the compromise of sensitive data and various security deficiencies as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA), and discuss the actions that will be taken to correct these weaknesses. |
Closed – Implemented
In his 1991 Internal Control Report dated December 28, 1991, the Attorney General designated automatic data processing security as a material weakness under FMFIA and a high-risk area.
|
| Office of Management and Budget | The Director, Office of Management and Budget (OMB), should designate computer security at DOJ as a high-risk area. |
Closed – Implemented
OMB is designating computer security at DOJ as a high-risk area.
|
Full Report
Office of Public Affairs
Topics
Computer equipment managementComputer securityInformation securityConfidential communicationsFacility securityFederal property managementInternal controlsLaw enforcement information systemsLegal information systemsProperty disposal