Summary: Testimony was given on the status of computer and telecommunications security for selected automated information systems within federal agencies. GAO found that each of the systems was vulnerable to abuse, destruction, error, fraud, and waste because: (1) key management responsibilities were missing; and (2) the actual safeguards needed to protect systems from potential threats were not always in place. GAO found that the agencies had not executed all of the management responsibilities prescribed by federal regulations which include: (1) risk management; (2) training; (3) assigned responsibility; (4) budgeting and accounting for security costs; (5) automatic data processing personnel security; (6) contingency plans; (7) independent audit and evaluation; and (8) written procedures. GAO found that: (1) only two of the agencies it surveyed had formalized their training approach; (2) risk management was applied to only eight of the systems studied; (3) only nine contingency plans had been tested; and (4) only five systems contained each of the physical, technical, and administrative safeguards studied. The agencies stated that the shortfalls were due to a lack of management commitment, funds and resources, and assistance in implementing policy and guidance.
