Number of Sensitive Systems Reported and Approaches Used by the Ten Agencies to Identify the Systems

plans. According to the administrator, these systems were not reported because of a misinterpretation by Interior's Office of Information Resources Management as to what constituted a contractor-operated system.

Department of Justice

Response to Committees' Request of November 29, 1988

Before the Committees' November 1988 request, the Department of Justice sent a memorandum to 33 component managers or information resources management officials requesting that they identify all sensitive computer systems and provide lists of such systems to Justice headquarters to comply with the Computer Security Act of 1987. The memorandum included a definition of a sensitive system and other terms, a copy of the Computer Security Act, a list of implementation dates, and a form to collect data on all sensitive computer systems. Justice's Systems Policy Staff reviewed the components' lists of sensitive systems and compared the lists with departmental budget information to ensure that all systems were identified.

In its response to the Committees' request, Justice reported to the Committees four sensitive computer systems that are operated by contractors and no systems operated by states or other organizations. In preparing its response, Justice sent a memorandum to its components and asked them to review and revise their lists of sensitive computer systems. Justice used the revised lists to compile its response to the Committees.

We contacted one Justice component, the Immigration and Naturalization Service (INS), to determine how it identified its sensitive computer systems. INS' Chief of ADP Security stated that upon receipt of the Department's memorandum, the Associate Commissioner sent a memorandum to three assistant commissioners and four regional ADP officers requesting that they identify their sensitive computer systems. The memorandum included guidance information and a data collection form supplied by Justice. The completed forms were returned to INS' headquarters where they were compiled into a list of sensitive systems that was forwarded to Justice.

Response to Committees' Request of March 7, 1989

Justice reported that it identified no additional sensitive computer systems that are operated by states or other organizations. In preparing its response, the Department said that it reviewed components' computer security plans to determine whether any additional sensitive systems are operated by states or other organizations.

Department of Labor

Response to Committees' Request of November 29, 1988

Before the Committees' November 1988 request, the Department of Labor sent a letter to its components stating that they were required to identify sensitive computer systems and provide the lists to the Department to comply with the Computer Security Act of 1987. Labor also sent guidance to the components, which included a copy of the act, requirements relating to the act, information collection forms, and the Department's definitions of a sensitive system and other terms. Labor compiled an inventory from its components' lists of sensitive systems.

In its response to the Committees' request, Labor reported four sensitive systems that are operated by contractors or other organizations and no systems operated by states. In preparing its response, the Director of the Office of Information Resources Management Planning, Policy and Evaluation told us that Labor requested that its components ensure that their lists of sensitive systems were up-to-date and that they provide to the Department lists of sensitive computer systems operated by contractors, states, or other organizations. According to the Director, Labor compared the lists with components' computer security plans to ensure that the lists were complete and accurate.

We contacted one Labor component, the Employment Standards Administration (ESA), to determine how it identified its sensitive computer systems. ESA's Director stated that the agency distributed Labor's memorandums and other information to its program managers and asked them to identify sensitive systems that are operated by contractors, states, or other organizations. ESA identified one sensitive computer system that is operated by a contractor.

Response to Committees' Request of March 7, 1989

Labor reported to the Committees a total of nine sensitive computer systems operated by contractors or other organizations and no systems operated by states. In its response, the Department stated that during the course of its evaluation of computer security plans, it discovered, in addition to the four systems reported in its original response, five additional contractor-operated systems and facilities that should have been reported to the Committees.

Department of the Treasury

Response to Committees' Request of November 29, 1988

Before the Committees' November 1988 request, the Department of the Treasury sent a letter to its components requesting them to identify sensitive computer systems to comply with the Computer Security Act of 1987. The Department attached a copy of the Computer Security Act and pointed out important provisions of the act including the definition of sensitive information. Treasury's letter also discussed the actions needed to meet the requirements of the act.

In its response to the Committees' request, Treasury reported to the Committees five sensitive systems that are operated by contractors or other organizations and no systems operated by states. In preparing its response, Treasury sent a letter to its components requesting lists of their sensitive systems that are operated by contractors, states, or other organizations. The Department verified the lists with components' officials and compared the lists with computer security plans to ensure the lists were accurate. If discrepancies were found, the components were asked to determine whether the systems were sensitive and to identify the operators of the systems.

We contacted one Treasury component, the Bureau of Public Debt, to determine how it identified its sensitive computer systems. The Director of Automated Information Systems Planning and Policy said the Bureau identified twelve sensitive systems, one of which is contractor-operated. The Bureau provided this information to the Department.

Response to Committees' Request of March 7, 1989

Treasury reported to the Committees one additional sensitive system that is operated by another organization. According to its response, Treasury identified the additional system during its review of components' computer security plans.

Response to Committees' Request of November 29, 1988

The National Aeronautics and Space Administration (NASA) reported 15 sensitive computer systems that are operated by contractors and no systems operated by states or other organizations. According to a representative of the Office of the Assistant Associate Administrator, NASA inadvertently omitted from its response one page containing 14 sensitive computer systems. The official stated that the complete list would be sent to the Committees.

In responding to the Committees' request, the official told us that NASA sent to its 10 computer centers a letter requesting that they identify their sensitive computer systems that are operated by contractors, states, or other organizations. The computer centers used their own methodologies to identify the sensitive systems and sent lists of the systems to NASA headquarters. NASA headquarters compiled a list from the 10 computer centers' lists and sent it to the Committees.

We contacted one NASA component, the Goddard Space Flight Center, to determine how it identified its sensitive computer systems. The Center's Computer Security Officer stated that after it received the letter from headquarters, the Center reviewed its inventory of sensitive computer systems. According to the Computer Security Officer, the Center determined that it has no sensitive systems that are operated by contractors, states, or other organizations.

Response to Committees' Request of March 7, 1989

NASA reported that it identified no additional sensitive computer systems that are operated by contractors, states, or other organizations. In NASA's response to the Committees, the Acting Assistant Administrator for Congressional Relations said NASA recently completed an on-site review of systems at the Ames Research Center and found the Center's list of systems that are operated by states or other organizations to be accurate. The Acting Assistant Administrator added that NASA plans to conduct similar reviews at two more centers this year.