GAO to examine ways nonfederal groups protect data

The chairman and the minority leader of the Senate Governmental Affairs Committee this month asked the General Accounting Office to study the best security measures and policies that nonfederal organizations use to protect their computer systems.

Sens. Fred Thompson (R-Tenn.) and John Glenn (D-Ohio) requested the study and cited the importance of security measures to protect data on citizens and to safeguard federal operations.

"Although a body of federal guidance exists regarding information security it is clear that federal agencies need additional direction in implementing effective security programs " the senators wrote. "We are asking that you review the activities of leading organizations in this arena in order to identify practices that could be successfully adopted by federal agencies."

The senators' letter asked GAO to review how these organizations assess and manage risk develop and disseminate security policies allocate resources for these activities and measure and monitor the effectiveness of their programs.

A committee staff member said she expects GAO to produce a report similar to ones it has issued recently on industry best practices in information technology management.

Jack Brock director of Defense information financial management issues at GAO and the team leader on the new best-practices project said he hopes the practices described in the report will serve as models for federal agencies struggling with how to establish and enforce efficient computer security guidelines. "Rather than looking at what people are doing wrong we want to focus on organizations that are doing things right " he said.

Brock said last week his staff had already met with five groups identified as having excellent computer security programs. He declined to name the organ-izations and said many of the subjects GAO interviewed were concerned about becoming targets of hackers if they were publicly identified as leaders in computer security. GAO will sign confidentiality agreements with most organizations involved in the study "because of the reasonably in-depth access we are getting to their computer security features " he said.

GAO tracked down many of the organizations it will cite in its report through recommendations from computer security experts at the National Institute of Standards and Technology Brock said. Others were groups known to GAO from work on related issues or were winners of awards for achievements in computer security.

Brock said GAO will focus on banks and other financial institutions decentralized retail operations and state agencies offering services to citizens.

GAO plans to publish its findings around the start of 1998 Brock said.