
RECOMMENDATIONS TO HEADS OF FEDERAL AGENCIES

All agencies should strengthen the security and integrity of their computer data. The principal recommendations are highlighted as follows.

--Computer security programs should be comprehensive. They should include plans, policies, and procedures in writing that clearly establish responsibilities throughout the organization. (See p. 25.)

--Agencies should establish a computer security administration function with independence from computer operations. This organization should report directly to, or through, a principal official who reports directly to the agency head. (See p. 24.)

--Programs should provide feedback for management control, both through routine monitoring and reporting and through independent internal audits. (See pp. 25 and 52.)

--Risk management should be provided for and should be conducted from the perspective of the total data systems rather than of individual installations. (See p. 46.)

--Security planning should anticipate training needs, particularly for risk management. (See pp. 25, 46, and 52.)

OMB'S COMMENTS

OMB representatives indicated that GAO's examination of the status and effectiveness of computer system security programs provided information and recommendations which would be used and followed up in their own assessments of Federal agencies' plans to comply with their Circular A-71 and other requirements.

OMB is placing a high priority on efforts over the coming year to improve security programs in agencies and has organized a task force to carry out reviews of agencies' plans. This effort is coupled with OMB's broader concern for improving agencies' controls over fraud and abuse. OMB indicated that the attention of agencies' inspector general functions will be focused on correcting these matters, in recognition that they are important responsibilities of agency and department heads.

OMB expressed some concern that GAO's recommendation for organizing a highly placed computer security administration as a staff function, independent from computer operations, might cause difficulty with the agency head's span of control; that is, too many functions already compete for top-level attention, and this would add one more. GAO intends its recommendation to be broad enough to allow each agency maximum flexibility in implementing it within a wide variety of agency organizations.

GAO agrees with OMB that elements of this security function such as monitoring, inspection, and audit could be placed under the inspector general function. But GAO sees the need for identification of a focal point at a high level, independent from responsibility for computer operations, to develop and oversee an automated systems security program. The security program itself should be promulgated by a directive and guidance issued by the agency head. (See p. 24.)
