Electronic Information

Electronic information is essential to the achievement of government organizational

objectives. Its reliability, integrity, and availability are significant concerns in most

audits. The use of computer networks, particularly the Internet, is revolutionizing the

way government conducts business. While the benefits have been enormous and vast

amounts of information are now literally at our fingertips, these interconnections also

pose significant risks to computer systems, information, and to the critical operations

and infrastructures they support. Infrastructure elements such as telecommunications,

power distribution, national defense, law enforcement, and government and emergency

services are subject to these risks. The same factors that benefit operations--speed and

accessibility--if not properly controlled, can leave them vulnerable to fraud, sabotage,

and malicious or mischievous acts. In addition, natural disasters and inadvertent errors

by authorized computer users can have devastating consequences if information

resources are poorly protected. Recent publicized disruptions caused by virus, worm,

3

and denial of service attacks on both commercial and governmental Web sites illustrate

the potential for damage.

Computer security is of increasing importance to all levels of government in minimizing

the risk of malicious attacks from individuals and groups. These risks include the

fraudulent loss or misuse of government resources, unauthorized access to release of

sensitive information such as tax and medical records, disruption of critical operations

through viruses or hacker attacks, and modification or destruction of data. The risk that

information attacks will threaten vital national interests increases with the following

developments in information technology:

* Monies are increasingly transferred electronically between and among

governmental agencies, commercial enterprises, and individuals.

* Governments are rapidly expanding their use of electronic commerce.

* National defense and intelligence communities increasingly rely on commercially

available information technology.

* Public utilities and telecommunications increasingly rely on computer systems to

manage everyday operations.

* More and more sensitive economic and commercial information is exchanged

electronically.

* Computer systems are rapidly increasing in complexity and interconnectivity.

* Easy-to-use hacker tools are readily available, and hacker activity is increasing.

* Paper supporting documents are being reduced or eliminated.

Each of these factors significantly increases the need for ensuring the privacy, security,

and availability of state and local government systems.

Although as many as 80 percent of security breaches are probably never reported, the

number of reported incidents is growing dramatically. For example, the number of

4

incidents handled by Carnegie-Mellon University's CERT Coordination Center1 has

multiplied over 86 times since 1990,2 rising from 252 in 1990 to 21,756 in 2000. Further,

the Center has handled over 34,000 incidents during the first three quarters of 2001.

Similarly, the Federal Bureau of Investigation (FBI) reports that its case load of

computer intrusion-related cases is more than doubling every year. The fifth annual

survey conducted by the Computer Security Institute in cooperation with the FBI found

that 70 percent of respondents (primarily large corporations and government agencies)

had detected serious computer security breaches within the last 12 months and that

quantifiable financial losses had increased over past years.3

Are agencies responding to the call for greater security? There is great cause for concern

regarding this question, since GAO's November 2001 analyses4 of computer security

identified significant weaknesses in each of the 24 major agencies covered by its reviews.

The weaknesses identified place a broad array of federal operations and assets at risk of

fraud, misuse, and disruption. For example, weaknesses at the Department of Treasury

increase the risk of fraud associated with billions of dollars of federal payments and

collections, and weaknesses at the Department of Defense increase the vulnerability of

various military operations that support the department's war-fighting capability.

Further, information security weaknesses place enormous amounts of confidential data,

ranging from personal, financial, tax, and health data to proprietary business

information, at risk of inappropriate disclosure.

Reviews of general and application controls often point up basic control weaknesses in

IT systems of state agencies as well. Typical weaknesses include the following:

*

...