General Accounting Office, Information Technology: Federal Information Systems Remain Highly Vulnerable to Fraudulent, Wasteful, Abusive, and Illegal Practices (MASAD-82-18) (Apr. 21, 1982) (full-text).
The GAO was requested to evaluate the information security programs in the executive agencies. Specifically, GAO was asked to address: (1) whether the Office of Management and Budget (OMB) guidelines, if fully implemented by the executive agencies, provide an acceptable level of protection over information systems; (2) whether the central agencies fulfill their Government-wide information security program responsibilities; (3) what the executive agencies are doing to implement Government-wide information security program policy and guidance; and (4) what the executive agencies must do to achieve a reasonable level of protection over their automated information systems, particularly those using telecommunications networks. An examination was made of the vulnerability of automated information systems in the executive agencies to abusive and unauthorized practices.
The GAO found that: (1) OMB Circular No. A-71 was not sufficiently comprehensive to provide needed policy and guidance to executive agencies for establishing reasonable levels of protection; (2) the central agencies have not fulfilled their automated information security program responsibilities; (3) executive agencies are doing little to implement information security program policy and guidance; (4) executive agencies have not developed and maintained a total system of controls to eliminate the fraudulent, wasteful, abusive, and illegal practices to which their automated information systems have been and are being subjected. These conditions have precluded the establishment and maintenance of a reasonable level of protection over automated information systems used by executive agencies.
The GAO noted the following specific problems: (1) deficiencies in OMB Circular No. A-71 have left some executive agencies confused as to the nature and extent to which it should be implemented and its application to the automated systems; (2) the ineffective information security programs of the central agencies have been a primary contributing factor to the continuing vulnerability of the automated information systems in the executive agencies; and (3) the increasing Federal investments in automated information systems have resulted in growing vulnerability to fraudulent, wasteful, abusive, and illegal practices because greater concentrations of information are accessible from remote terminals.