Education aims to bolster security after criticism from IG, GAO

By Tony Lee OrrGCN StaffThe Education Department received failing grades in recent months from its Inspector General's Office as well as the General Accounting Office because of its inability to secure its systems.Education's information technology workers also received poor marks for their knowledge of computer security, according to testimony by Lorraine Lewis, Education's inspector general, before the House Budget Committee in February, and in March before the House Education and the Workforce Subcommittee on Oversight and Investigations.Gloria L. Jarmon and Gary T. Engel, a director and associate director, respectively, at GAO, supported Lewis' assessment during the same budget hearing and in testimony given before the House Budget Committee's Task Force on Education in May. Additional GAO testimony, given in June before the House Government Reform Subcommittee on Government Management, Information and Technology, further supported their take on the matter [].But Bob Davidson, Education's deputy chief information officer for information assurance, said the department recognizes and is responding to the problems identified in the IG's testimony.'But we do not feel the department systems themselves present a major security risk,' he said.The IG has accepted Education's plan to deal with the criticisms, he said.The department's own review of its mission-critical systems should be completed this month, he said.The systems have been built and improved over the last several years, Davidson said of upgrades that have included firewalls and other security measures. Education's systems are due for another round of upgrades soon, he said.Education has not implemented proper procedures for requesting, authorizing and revalidating access to the department's computer resources, and the department failed to monitor and review users with access to sensitive data, Jarmon and Engel said.Lewis has testified many times about what she called serious weaknesses in securing the department's 14 mission-critical systems.Those flaws include a lack of security plans and reviews for six mission-critical systems, no process to fix security problems and an absence of technical security training for many employees responsible for keeping watch over Education's systems, Lewis testified on March 1 before the Subcommittee on Oversight and Investigations.'I don't know of any security breaches and problems,' Davidson said. He agreed that the department faced difficulties because of poor training.But it could be difficult for the department to design a training schedule for its IT workers, because Education isn't sure what they know, Jarmon and Engel said.'The department has neither fully implemented a capital planning and investment process nor performed an assessment of the information resource management knowledge and skills of personnel,' the pair reported. That problem would have been corrected if the department had implemented the IT Management Reform Act, they noted.Davidson said Education is addressing those issues with across-the-board training.The department has also formed a steering committee made up of senior Education officials to take on training and security concerns similar to the way the department handled the year 2000 problem, Davidson said. Serious security difficulties continue in 11 Student Financial Aid systems, the department's Central Automated Processing System, the department- wide network and the Impact Aid System, Lewis said during Feb. 17 testimony.Jarmon and Engel agreed.'Information systems control weaknesses increase the risk of unauthorized access or disruption in services and make Education's sensitive grant and loan data vulnerable to inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction, which could occur without being detected,' they testified.Education officials have acknowledged that the IG conducted penetration testing, but they would not say whether the cyberattacks were successful. The IG told legislators that Education officials have agreed with her assessment concerning systems security and training.Education also faced criticism of its handling of property and equipment. A case involving theft of technology equipment is working its way through federal courts.Jarmon and Engel reported that the department has not inventoried its property in two years. Without inventories, no one knows when duplicate or fraudulent ordering is taking place, they told legislators.Robert J. Sweeney, a Verizon Corp. employee on contract at Education, pleaded guilty to one count of conspiracy and one count of theft of government property in connection with the theft of about $300,000 worth of high-tech equipment, Lewis testified.Working with a telecommunications specialist in Education's Chief Information Office over a three-year period, Sweeney fraudulently ordered items under a company service agreement, including printers, software, scanners and eight computers, the IG testified.Testimony given before the House Budget Committee by Michael Lampley of Ernst and Young LLP of New York supported the government investigators' contentions that Education needs to improve its reporting and monitoring of property and equipment in addition to improving controls over its information systems.'The department plans to complete a comprehensive physical inventory count of all fixed assets, including furniture and fixtures,' Lampley testified. 'We suggest that, upon completion of these physical inventories, an independent review of the inventory results be performed to ensure that the process provided a complete and reliable inventory, and to assess the significance of any issues identified as a part of conducting the inventory.'Officials are also working with a contractor to complete an IT architecture plan, the IG told legislators.