GAO finds security lax for federal employees' personal info


Weak access controls are placing sensitive government personnel and financial information stored on the National Finance Center's computer systems at risk of disclosure or destruction, according to a new General Accounting Office report.

The Agriculture Department's NFC operates financial systems such as payroll/personnel and accounting systems for the USDA and about 60 other federal organizations. The NFC also maintains the records of the multibillion-dollar Thrift Savings Program, a type of 401(k) program for federal employees.

The GAO concluded that problems with NFC's access control "placed sensitive personnel information at risk of disclosure, critical financial operations at risk of disruption and assets at risk of loss." Logical, system software and physical access controls are designed to prevent unauthorized users from accessing or changing the data stored in the systems.

The GAO found that NFC had given legitimate users too much access to financial and sensitive personal information. For example, GAO found that 86 users had the ability to read and alter any data stored on tape regardless of other security software controls that were in place. NFC said it has taken steps to limit this access, according to the report.

In addition, GAO found that users could bypass certain access controls to gain unauthorized access to financial and other sensitive data that the NFC maintains, or to cause system failures. For example, the system software that controls batch processing allowed any user with the ability to execute a batch program also to shut down the system or turn off features such as the security software.

In its response to the report, the NFC said it has "already completed corrective actions on most of the items and [it has] planned appropriate corrective actions on the rest."