GAO finds security lax for federal employees' personal info

Weak access controls are placing sensitive government personnel and financial information stored on the National Finance Center's computer systems at risk of disclosure or destruction, according to a new General Accounting Office report.

The Agriculture Department's NFC operates financial systems such as payroll/personnel and accounting systems for the USDA and about 60 other federal organizations. The NFC also maintains the records of the multibillion-dollar Thrift Savings Program, a type of 401(k) program for federal employees.

The GAO concluded that problems with NFC's access control "placed sensitive personnel information at risk of disclosure, critical financial operations at risk of disruption and assets at risk of loss." Logical, system software and physical access controls are designed to prevent unauthorized users from accessing or changing the data stored in the systems.

The GAO found that NFC had given legitimate users too much access to financial and sensitive personal information. For example, GAO found that 86 users had the ability to read and alter any data stored on tape regardless of other security software controls that were in place. NFC said it has taken steps to limit this access, according to the report.

In addition, GAO found that users could bypass certain access controls and gain unauthorized access to financial and other sensitive data that the NFC maintains or cause system failures. For example, the system software that controls batch processing allowed any user with the ability to execute a batch program also to shut down the system or turn off features such as the security software.

In its response to the report, the NFC said it has "already completed corrective actions on most of the items and [it has] planned appropriate corrective actions on the rest."
