COMPUTER SECURITY AT THE DRUG ENFORCEMENT ADMINISTRATION
Audit Report 97-14 (3/97)
TABLE OF CONTENTS
FINDINGS AND RECOMMENDATIONS
I. SYSTEM SOFTWARE CONTROLS
II. COMPUTER SECURITY MANAGEMENT
    Personnel Security Controls
    Individual Access Controls
    Administrative Security Controls
    Physical and Environmental Security Controls
III. SECURITY SOFTWARE
STATEMENT ON INTERNAL CONTROLS
STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX I - Objectives, Scope and Methodology, and Background
APPENDIX II - Locations Reviewed
APPENDIX III - DEA Comments on the Audit Recommendations
APPENDIX IV - Office of the Inspector General, Audit Division Analysis and Summary of Actions Taken to Close Report
Computer security was reported by the Attorney General to the President in 1995 as a high risk area for six Department of Justice components, including the Drug Enforcement Administration (DEA). We found that computer security continues to be a high risk at the DEA, as we found in 1989 and as the General Accounting Office found in 1992. Our current audit found that:
Computer default settings and audit trails were not implemented effectively to protect DEA's sensitive computer resources and to detect unauthorized access.
Computer security management was inadequate because: (1) personnel were not properly cleared, authorized, and trained for access to sensitive computer resources; (2) computer equipment was not properly controlled and safeguarded; (3) risk analyses and contingency plans were not always performed and tested; and (4) visitor access and lock combination change procedures were inadequate to restrict access to sensitive resources.
Computer security software was not fully utilized to detect and investigate unauthorized access to DEA's sensitive data base applications processed at the Justice Data Center.
Collectively, these weaknesses substantially increase the risks of unauthorized disclosure of sensitive information. These matters are discussed in the findings and recommendations section of the report. Our objectives, scope and methodology, and background information are contained in Appendix I of the report.