DOE rapped over computer disposal
GAO finds shortcomings in Energy Department procedures for clearing excess
A review of the way the Energy Department deals with excess property turned up computers that still had readable data and a lack of policies on how DOE should deal with used machines.
A random sample of 40 computers in DOE's excess property holding area in Germantown, Md., found that three machines had not been properly cleared, leaving recoverable information and data, according to a General Accounting Office report.
The report, "Safeguarding of Data in Excessed Department of Energy Computers," also found that DOE "does not have standardized instructions, verification procedures, or training for agency or contract employees on how to properly clear excessed computers."
The DOE's federal property management regulations require that all software, information and data be cleared from computers before still-useful machines are transferred to other agencies, schools, prisons and nonprofit organizations.
At the time of the review, which took place from August through November 2000, GAO interviewed officials from nine DOE headquarters program offices regarding their policies for handling excess computers. Of the 10 facilities surveyed, only one complied with federal property management regulations. And of the random sample from Germantown, seven computers had the operating system software still installed, and three had not been cleared of readable information.
In submitting the report to the House Science Committee, GAO made three recommendations to the department:
Develop and implement standard written procedures on how to clear hard drives of all software and data. Require an independent verification that the procedures have been done before turning in the computers. Emphasize the procedures in the computer security training and awareness program that is required of all DOE employees and contractors. In a March 14 letter to GAO, Joseph Mahaley, acting director of the Office of Security and Emergency Operations at DOE, agreed with the findings and recommendations of the draft report and said efforts are under way to solve the problems.
Also, as part of its Cyber Security Management Program, the office of DOE's chief information officer is preparing a manual to be issued this summer that includes procedures for:
Sanitizating media during the disposal phase of an system's life cycle. Sanitizing electronic media for reuse. Ensuring that need-to-know criteria are applied to workers granted access to classified data archives. Verifiying that sanitization has been effective.
NEXT STORY: Letter to the editor