ERIC Number: ED342362
Record Type: Non-Journal
Publication Date: 1990-May
Reference Count: N/A
Computer Security: Governmentwide Planning Process Had Limited Impact. Report to the Chairman, Committee on Science, Space, and Technology, House of Representatives.
General Accounting Office, Washington, DC. Information Management and Technology Div.
As required by the Computer Security Act of 1987, federal agencies have to identify systems that contain sensitive information and develop plans to safeguard them. The planning process in 10 civilian agencies was assessed, as was the extent to which those agencies had implemented the planning controls described in 22 selected plans. The National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans was also assessed. Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place; (2) managers had little time to prepare the plans; and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials. This report provides background information on the Computer Security Act and discussions of each of the three major problems identified. It concludes by recommending that NIST, NSA, and OMB provide guidance and technical assistance to federal agencies by visiting the agencies and discussing their computer security programs, the extent to which they have identified their sensitive computer systems, the quality of their security plans, and their unresolved internal control weaknesses. Six appendices cover the objectives, scope, and methodology of the reviews; the systems covered by the 22 plans reviewed; a composite security and privacy plan; NIST/NSA feedback on computer security plans; the status of security controls in 1,542 plans; and major contributors to the report. Four related publications are listed. (DB)
Publication Type: Reports - Evaluative
Education Level: N/A
Authoring Institution: General Accounting Office, Washington, DC. Information Management and Technology Div.