Computer Security Report Card: Hearing Before the Subcommittee on Government Management, Information, and Technology of the Committee on Government Reform, House of Representatives, One Hundred Sixth Congress, Second Session, September 11, 2000



Popular passages

Page 111 - Common problems involved computer programmers and operators who were authorized to perform a variety of duties, thus providing them the ability to independently modify, circumvent, and disable system security features. For example, at one data center, a single individual could independently develop, test, review, and approve software changes for implementation. Segregation of duties problems were also identified related to transaction processing. For example, at one agency, 11 staff members involved...
Page 110 - At another, documentation was not retained to demonstrate user testing and acceptance. Implementation procedures did not ensure that only authorized software was used. In particular, procedures did not ensure that emergency changes were subsequently tested and formally approved for continued use and that implementation of "locally developed" (unauthorized) software programs was prevented or detected. Agencies' policies and procedures frequently did not address the maintenance and protection of program...
Page 110 - Such controls can prevent both errors in software programming as well as malicious efforts to insert unauthorized computer program code. Without adequate controls, incompletely tested or unapproved software can result in erroneous data processing that, depending on the application, could lead to losses or faulty outcomes. In addition, individuals could surreptitiously modify software programs to include processing steps or features that could later be exploited for personal gain or sabotage.
Page 111 - Operating system software controls limit and monitor access to the powerful programs and sensitive files associated with the computer systems operation. Generally, one set of system software is used to support and control a variety of applications that may run on the same computer hardware. System software helps control and coordinate the input, processing, output, and data storage associated with all of the applications that run on the system.
Page 110 - Segregation of Duties. Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions or gain unauthorized access to assets or records without detection. For example, one computer programmer should not be allowed to independently write, test, and approve program changes. Although segregation of duties alone will...
Page 145 - Ranking Minority Member, Subcommittee on Government Management, Information and Technology, House Committee on Government Reform; and Representative Constance A.
Page 111 - In addition, 9 of the 11 staff members had system access privileges that allowed them to edit the vendor file, which could result in fictitious vendors being added to the file for fraudulent purposes. For fiscal year 1999, we identified 60 purchases, totaling about $300,000, that were requested, approved, and receipt-recorded by the same individual. Operating system software controls limit and monitor access to the powerful programs and sensitive files associated with the computer systems operation....
Page 111 - ... damaged or destroyed. For example, • an individual who was independently responsible for authorizing, processing, and reviewing payroll transactions could inappropriately increase payments to selected individuals without detection; or • a computer programmer responsible for authorizing, writing, testing, and distributing program modifications could either inadvertently or deliberately implement computer programs that did not process transactions in accordance with...
Page 54 - ... continuity and viability of critical infrastructures. President Clinton intends that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems. III. A National Goal No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from the day the President signed Presidential Decision...
Page 57 - We must focus on preventative measures as well as threat and crisis management. To that end, private sector owners and operators should be encouraged to provide maximum feasible security for the infrastructures they control and to provide the government necessary information to assist them in that task. In order to engage the private sector fully, it is preferred that participation by owners and operators in a national infrastructure protection system be voluntary. Close cooperation and coordination...