Essay / MIS - 1170
Electronic information is essential to achieving the government's organizational objectives. Its reliability, integrity and availability are major concerns in most audits. The use of computer networks, particularly the Internet, is revolutionizing the way government conducts business. While the benefits have been enormous and vast amounts of information are now literally at our fingertips, these interconnections also pose significant risks to IT systems, information, and the critical operations and infrastructure they support. Infrastructure elements such as telecommunications, electricity distribution, national defense, law enforcement, and government and emergency services are subject to these risks. The same factors that benefit operations (speed and accessibility) can, if not properly controlled, leave them vulnerable to fraud, sabotage, and malicious acts. Additionally, natural disasters and unintentional errors by authorized computer users can have devastating consequences if information resources are poorly protected. Recent high-profile disruptions caused by viruses, worms, and denial-of-service attacks on commercial and government websites illustrate the potential for damage.

Computer security is of increasing importance to all levels of government to minimize the risk of malicious attacks from individuals and groups. These risks include fraudulent loss or misuse of government resources, unauthorized access to and disclosure of sensitive information such as tax and medical records, disruption of critical operations by viruses or hacker attacks, and the modification or destruction of data. The risk that computer attacks threaten vital national interests increases with the following developments in information technology:

• Funds are increasingly transferred electronically between and among government agencies, commercial enterprises and individuals.
• Governments are rapidly expanding their use of e-commerce.
• National defense and intelligence communities increasingly rely on commercially available information technologies.
• Utilities and telecommunications increasingly rely on IT systems to manage their daily operations.
• More and more sensitive economic and commercial information is exchanged electronically.
• IT systems are rapidly increasing in complexity and interconnectivity. The tools used by hackers are readily available and hacker activity is increasing.
• Paper supporting documents are reduced or eliminated.

Each of these factors significantly increases the need to ensure the privacy, security, and availability of state and local government systems. Even with 80% of security breaches likely never being reported, the number of reported incidents is increasing significantly. For example, the number of incidents handled by the CERT Coordination Center at Carnegie Mellon University [1] has increased more than 86 times since 1990 [2], from 252 in 1990 to 21,756 in 2000. In addition, the Center has handled more than 34,000 incidents during the first three quarters of 2001. Similarly, the Federal Bureau of Investigation (FBI) reports that its caseload of