Establishing Digital Trust: Don't Sacrifice Security for Convenience
"Consequently, billions of dollars of payments and collections are at significant risk of loss or fraud, sensitive data are at risk of inappropriate disclosure, and critical computer-based operations are vulnerable to serious disruptions," the report said of the Treasury Department's Financial Management Service (FMS).
FMS is the government's financial manager, central disburser and collections agency. In fiscal 2000, it disbursed more than $1.9 trillion, including Social Security benefits, tax refunds and federal employee salaries, while collecting more than $2 trillion in taxes, duties and fines.
GAO has been reporting on weaknesses in FMS computer systems since fiscal 1998. The latest report week was essentially a followup to determine how well FMS has complied with recommendations in last year's GAO report on the agencys computer security woes.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iThe answer is, essentially, "not very."
"FMS's overall security control environment continues to be ineffective in identifying, deterring, and responding to computer control weaknesses promptly," the GAO report said, adding, "we continue to consider FMS's computer control problems a material weakness."
During its most recent fiscal 2000 review, conducted from August 2000 to February 2001 (yes, it took nearly a year to issue results), GAO found that FMS had remedied only 35 of the 61 computer control weaknesses discussed in the GAO's previous year's report. GAO also said it found new computer control weaknesses in security management programs, access controls and system software.
"The overriding reason that computer control problems at FMS continued to exist during fiscal year 2000 is that FMS does not have an effective entity-wide computer security management program," the report says.
Such a program should establish a framework for continual risk assessments, development and implementation of effective security procedures, and monitoring and evaluation of the effectiveness of those procedures, GAO says.
While FMS has developed various policy manuals and an implementation strategy, it hasn't yet fully implemented the plan. Its target date for full implementation is Sept. 30, less than eight months away.