Information Security News mailing list archives

GAO faults Army Corps security


From: InfoSec News <isn () c4i org>
Date: Wed, 12 Jun 2002 03:02:09 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.fcw.com/fcw/articles/2002/0610/web-army-06-11-02.asp

By Dan Caterinicchia 
June 11, 2002

The Army Corps of Engineers has made great strides in managing its
computer systems since a scathing 1999 review by the General
Accounting Office, but the agency still has numerous security
shortcomings, according to a new GAO report.

"Information Security: Corps of Engineers Making Improvements, but
Weaknesses Continue," released June 10, details a number of computer
security issues that the Army Corps must address, including:

* Controlling access to critical systems and data.

* Developing adequate system software controls to protect programs and
  sensitive files.

* Documenting software changes.

* Securing networks.

"These vulnerabilities warrant management's attention to decrease the
risk of inappropriate disclosure and modification of data and
programs, misuse of or damage to computer resources, or disruption of
critical operations," according to the report. "Such vulnerabilities
also increase risks to other Department of Defense networks and
systems to which the corps' network is linked."

The audit, which was conducted from January through October 2001,
found that the Army Corps had not maintained accurate records of users
who were granted access to the Corps of Engineers Financial Management
System (CEFMS).

"The weaknesses that we identified...placed the Corps' computer
resources, programs and files at risk from inappropriate disclosure of
financial and sensitive data and programs, modification of data,
misuse of or damage to computer resources, or disruption of critical
operations," according to the report.

Additional tests also revealed problems with the smart cards that
store users' electronic signatures for use with CEFMS. In some cases,
smart cards were not under the sole control of an individual
cardholder, an audit found, and "as a result, authentication controls
were not effective to provide reasonable assurance that users'
electronic signatures are valid."

The GAO report said the primary reason for the Army Corps' computer
control weaknesses was that officials had not fully developed and
implemented a comprehensive security management program.

In a May 20 letter responding to a draft copy of the report, Lt. Gen.  
Robert Flowers, commander of the Army Corps, said the agency has
already taken corrective action on 11 past recommendations and has
developed an action plan to correct all but 12 of the remaining
recommendations by Sept. 30, 2002. He added that the remaining 12
recommendations would be completed in fiscal 2003 or beyond.
 

 


