Summary: The Department of Education relies heavily on the central automated processing system (EDCAPS) to support its core financial management information functions, including general ledger and funds management, grant planning and payment processing, and purchasing and contract management. Education's Inspector General (IG) has reported serious information system control weaknesses in this system. These weaknesses increase the risk of unauthorized access or disruption of services and make Education's sensitive grant and loan data vulnerable to misuse, fraud, improper disclosure, or destruction, which could go undetected. Education is making progress in correcting security weaknesses identified by the IG, and the department has taken other steps to improve security. However, GAO identified weaknesses that place critical financial and sensitive grant information at risk of unauthorized access and disclosure and key operations at risk of disruption. Specifically, Education did not adequately protect its network from unauthorized users, effectively manage user IDs and passwords, appropriately limit access to unauthorized users, effectively maintain system software controls, or routinely monitor user access activity. Furthermore, Education did not provide adequate physical security for its computer resources, appropriately segregate all key operations and computer functions, effectively control changes to its applications, or fully address its service continuity needs. Education has since corrected some of the weaknesses and developed a corrective action plan to address the others.