Like most private sector and government organizations, the Department of Energy has an
aggressive program to provide its Federal and contractor personnel with the ability to remotely
access a number of unclassified information systems. Such access allows travelers,
telecommuters and those who occasionally work off-site to more easily perform business-related
functions from remote locations. Personnel are able, for example, to retrieve electronic
mail, access business or other operational systems and administer systems or networks by
using government or privately-owned computer equipment. Generally, remote access to the
Department's networks is achieved through dial-in modems or through internet connections.
While the benefits of such access are clear, there is a corresponding increase in certain inherent
risks, most importantly, the potential for unauthorized access to the Department's information
systems. Based on several recent investigative cases relating to attempts to intrude into the
Department's systems, we initiated this audit to assess the Department's performance
in managing the risk associated with remote access to unclassified information systems.