Budget and Spending: Challenges of Protecting Personal Information in an Expanding Federal Computer Network Environment

Citation
General Accounting Office, Budget and Spending: Challenges of Protecting Personal Information in an Expanding Federal Computer Network Environment (LCD-76-102) (Apr. 28, 1978) (full-text).

Overview
The concept of a federal computer network and the attendant benefits of economy and efficiency was recognized when the Brooks Act was enacted in 1965. Since the enactment of this legislation, public and private concern has grown over the ability of computer systems and networks to provide adequate protection for personal information maintained about U.S. citizens.

The concept of a government-wide computer network presents a dilemma: should the government take advantage of the economies that may be possible from using multiuser teleprocessing systems rather than individual agency-owned and operated data processing systems or protect the individual's right to privacy by prohibiting such networks? This dilemma could be solved and economies realized if adequate controls could be defined and established to ensure confidentiality of data. The major threat to privacy invasion stems from misuse of personel information by individuals having authorized access, and a secondary threat stems from individuals not allowed access to the information who have the technical ability to circumvent security measures. The risk to personal information varies with the type of data involved, the effectiveness of the controls exercised, and the configuration of the computer network. While absolute security cannot be assured, a high level of protection can be provided in a multiuser computer network.

The GAO recommended that the Director of the Office of Management and Budget should take action to provide federal agencies with comprehensive guidelines that: contain the definitions and criteria necessary to permit an assessment of their security requirements; provide the methodology to be used in conducting the assessment; identify the physical, administrative, and technical safeguards that should be applied in satisfying their security requirements; and specify the means to justify the associated cost.