Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Federal Bureau of Prisons' Inmate Telephone System II

Report No. 03-04
November 2002
Office of the Inspector General


APPENDIX II

U.S. Department of Justice
Federal Bureau of Prisons

Office of the Director, Washington, DC 20534
October 25, 2002

MEMORANDUM TO: Guy K. Zimmerman
Assistant Inspector General for Audit

FROM: Kathleen Hawk Sawyer, Director (original signed)
Federal Bureau of Prisons

SUBJECT: Response to the Office of the Inspector General's (OIG) Draft Audit Report: The Bureau of Prisons Inmate Telephone System Independent Evaluation Pursuant to the Government Information Security Reform Act Fiscal Year 2002

The Bureau of Prisons (BOP) appreciates the opportunity to respond to the recommendations from the OIG's draft report entitled The Bureau of Prisons Inmate Telephone System Independent Evaluation Pursuant to the Government Information Security Reform Act Fiscal Year 2002. The BOP understands the risks associated with computer systems and communication networks and works diligently to reduce security vulnerabilities associated with them. This report makes several recommendations that will assist us in reducing these risks.

The OIG points out several areas of vulnerability and two areas of high risk. The OIG also documented areas of improvements or satisfactory operations within the ITS II information security controls. The BOP would like to point out that these areas of improvement and satisfactory operations were a direct result of proactive steps taken by the BOP prior to the OIG's investigation. As noted in the OIG's report, the "BOP is in the process of addressing findings identified in the June 2002 Security Test and Evaluation (ST&E)." The BOP was in the process of finalizing its report on system vulnerabilities and creating a corrective plan of action when the OIG began its audit in May 2002. These findings were provided to the OIG during their audit and were reflected throughout their report. The BOP appreciates the OIG's additional recommendations and will incorporate them into the existing project plan. The BOP will continue to seek methods of improving its system security and strive to build and maintain an exceptional system security program for the ITS II system.

The BOP, recognizing the importance of maintaining a secure ITS system, hereby submits its responses for each recommendation identified in the OIG's report.

Recommendation #1 - We recommend that the BOP Director ensure that BOP management incorporates security requirements into the development and acquisition phases of the SDLC.

Response: The BOP agrees with this recommendation. The BOP will incorporate security requirements into the development and acquisition phases of the BOP system development life cycle (SDLC). Completion is anticipated by March 2003.

Recommendation #2 - We recommend that the BOP Director ensure that the BOP management incorporate formal procedures to document certification testing activities, update system documentation when security controls are added, retest security controls, and recertify the system after changes have been made.

Response: The BOP agrees with this recommendation. The BOP will incorporate formal procedures to document certification/testing activities, update system documentation when security controls are added, retest security controls, and have the system recertified after changes have been made. Completion is anticipated by March 2003.

Recommendation #3 - We recommend that the BOP Director ensure that the BOP management update operating controls as outlined in the June 2002 ST&E report, and complete the "Conditions of Certification" outlined in the ITS II certification statement.

Response: The BOP agrees with this recommendation. The BOP is in the process of incorporating the in-place operating controls as outlined in the June 2002 ST&E report and completing the "Conditions of Certification" outlined in the ITS II certification statement. Completion is anticipated by April 2003.

Recommendation #4 - We recommend that the BOP Director ensure that BOP management requires all users, including vendor and contractor personnel, to read and sign the Rules of Behavior document (BOP Directive 1237-12) to ensure users are aware of its contents.

Response: The BOP agrees with this recommendation. The BOP will revise procedures to incorporate vendors and contractors. The BOP is currently in the process of rewriting the Rules of Behavior for the vendor. The BOP anticipates having an updated copy completed and signed by all vendor staff by December 2002.

Recommendation #5 - We recommend that the BOP Director ensure that the BOP management incorporate the guidelines for developing security plans outlined in the NIST SP 800-18 into the current ITS II security plan and incorporate the plan into the overall IRM strategic plan for the BOP.

Response: The BOP agrees with this recommendation. The BOP is currently rewriting the security plan using the NIST SP 800-18 as the guideline. Completion is anticipated by February 2003.

Recommendation #6 - We recommend that the BOP Director ensure that the BOP management:

  1. Conduct an analysis on the current staff shortages by determining the current security and system administrator skills on the BOP team and determine what skills the BOP needs to close the "gap." If additional staff is required, hire additional personnel who are trained and experienced security and/or system administrators;
  2. Ensure that those individuals who currently function as both security administrators and system administrators are moved to positions where these responsibilities do not conflict; and
  3. Ensure that developers are not tasked with either system or security administration.

Response: The BOP agrees with this recommendation. The BOP will analyze current staff shortages by determining the current security and system administrator skills on the BOP team and determine what additional skills and positions are needed. Completion is anticipated by March 2003.

Recommendation #7 - Distribute the BOP's documented procedures on how to maintain BOP ITS II user accounts to ITS II security staff and contractor personnel.

  1. Enforce procedures in accordance with the BOP Directive 1237.11 and Department policy.

Response: The BOP agrees with this recommendation. The BOP will distribute documented procedures on ITS II user accounts to ITS II security staff and contractor personnel. Additionally, the BOP will enforce the procedures as required by the BOP's Directive 1237.11. The BOP anticipates that all training will be completed by February 2003.

Recommendation #8 - We recommend that the BOP Director ensure that the BOP management implement all of the recommendations outlined in the June 2002 ST&E report, specifically those outlined in section 4.13.

Response: The BOP believes OIG intended to reference section 4.12, Physical Security, instead of section 4.13, Computer Incident Response Capability. The BOP agrees with the recommendation with a reference to 4.12 Physical Security. The BOP will implement the recommendations outlined in section 4.12 of the June 2002 ST&E report. Completion is anticipated by February 2003.

Recommendation #9 - We recommend that the BOP Director ensure that BOP management document a process to control the transfer of media and BOP data. In addition, the BOP management should ensure the audit trails are kept and retained for extended periods of time, capturing relevant information such as name, date, media description, and authorization.

Response: The BOP agrees with this recommendation. The BOP will develop and document a formal procedure to control the transfer of BOP media and data. The BOP anticipates that the documentation will be completed by January 2003.

Recommendation #10 - We recommend that the BOP Director ensure the contingency plan is distributed to appropriate individuals, including contractor staff. The plan should be periodically tested and employees and contractor staff trained on their roles and responsibilities.

Response: The BOP agrees with the recommendation to distribute the contingency plan to the appropriate individuals. We are currently modifying the existing contingency plan and will distribute it to all required staff by January 2003. The BOP tested the contingency plan in January 2002 at our alternate COF and will continue to test the plan as necessary.

Recommendation #11 - We recommend that the BOP Director ensure that the BOP management develop a configuration standard for all systems that incorporate the most restrictive security settings possible. In addition, the BOP should implement all the recommendations outlined in the ST&E report.

Response: The BOP agrees with this recommendation. The BOP will develop a configuration standard for all systems that incorporates the most restrictive security settings possible. The BOP anticipates this process will be completed by March 2003.

Recommendation #12 - We recommend that the BOP Director ensure that the BOP management develop policies and procedures surrounding the use of intrusion detection software and integrity validation software and implement these policies and procedures on critical servers.

Response: The BOP agrees with this recommendation. The BOP will develop procedures surrounding the use of intrusion detection software and integrity validation software, and implement these policies and procedures at each of the vendor locations by February 2003.

Recommendation #13 - We recommend that the BOP Director ensure that the BOP management develop a policy for incident handling, response, and personnel support.

Response: The BOP agrees with this recommendation. The BOP will develop stronger incident handling, response, and personnel support procedures. Completion is anticipated by January 2003.

Recommendation #14 - We recommend that the BOP Director ensure that the BOP management enforce formal Department password policies and procedures and install and activate a password filter on all servers to enforce parameters that enforce restrictions on passwords.

Response: The BOP agrees with this recommendation. The BOP will enforce current Department password policies and procedures and install and activate a password filter on all servers to enforce parameters that enforce restrictions on passwords. Completion is anticipated by December 2002.

Recommendation #15 - We recommend that the BOP Director ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for access controls. At a minimum, these standards and settings should:

  1. Establish policy and procedures for disabling insecure protocols.
  2. Establish policy dictating the reset of vendor default security parameters to more secure settings.
  3. Configure network connections to automatically disconnect.
  4. Establish standard firewall procedures for configuring the firewall.
  5. Restrict access to tables defining network options, resources, and operator profiles.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for access controls. Completion is anticipated by February 2003. However, the BOP would like to request specific information about the findings to assist in the corrective action necessary to eliminate these issues.

Recommendation #16 - We recommend that the BOP Director ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user authentication and access. At a minimum, these standards and settings should:

  1. Prohibit the use of access scripts with embedded passwords.
  2. Require data owners to review access authorizations to determine whether they remain appropriate.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for user authentication and access. Completion is anticipated by March 2003.

Recommendation #17 - We recommend that the BOP Director ensure that the BOP management implement the system key utility and restrict services so that they are running in a secured context. In addition, ensure the removal of all unnecessary services.

Response: The BOP agrees with this recommendation. The BOP will implement the system key utility, restrict services to run in a secured context, and remove all unnecessary services. Completion is anticipated by February 2003. However, the BOP would like to request specific information regarding the services OIG believes are "unnecessary" that were identified on the NT, UNIX, and Cisco platforms, in order to remove these services.

Recommendation #18 - We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for networking controls. At a minimum, these standards and settings should include:

  1. The registry key on Windows NT servers, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount, should be set to 0.
  2. The command on routers in global configuration mode: passive-interface type number, where "type" refers to the interface type and "number" is the interface number.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for network controls. Completion is anticipated by February 2003.

Recommendation #19 - We recommend that the BOP Director ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user and group management controls. At a minimum, these standards and settings should include:

  1. Review user account activity and disable or remove accounts that have been inactive for an extended period of time or are no longer needed.
  2. Develop procedures for renaming the Administrator and Guest accounts and assigning strong passwords that are a minimum of eight characters and contain alphanumeric and special characters.
  3. Remove domain users from the local administrator group.
  4. Replace references to the special group 'Everyone' with 'Domain Users', 'Authenticated Users', or Domain application groups.
  5. Create the /etc/ftpusers file.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for user and group management controls. Completion is anticipated by March 2003.

Recommendation #20 - We recommend that the BOP Director ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for account integrity management. At a minimum, these standards and settings should include:

  1. "Log on locally,"
  2. "Access this computer from the network,"
  3. "Restore Files and Directories,"
  4. "Shut down the system,"
  5. "Take ownership of files or other objects,"
  6. "Act as part of the operating system,"
  7. "Log on as a service," and
  8. "Increase Scheduling Priority."

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for account integrity management. Completion is anticipated by March 2003.

Recommendation #21 - We recommend that the Director of the BOP ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for file system access. At a minimum, these standards and settings should:

  1. Replace references to the special group 'Everyone' with 'Domain Users', 'Authenticated Users', or Domain application groups.
  2. Remove access to sensitive system utilities from accounts that do not require access.
  3. Review and remove unnecessary permissions on files and directories.
  4. Restrict access to the network file system shares.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for file system access. Completion is anticipated by February 2003.

Recommendation #22 - We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for maintenance controls. At a minimum, these standards and settings should:

  1. Enable a password protected screen saver on the server.
  2. Display a system-warning message when users log on the server.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for maintenance controls. Completion is anticipated by February 2003.

Recommendation #23 - We recommend that the BOP Director ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for NT registry settings. At a minimum, these standards and settings should include reconfiguring the registry settings to a more secure configuration.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for Windows NT registry settings. Completion is anticipated by January 2003.

Recommendation #24 - We recommend that the BOP Director ensure that the BOP management obtains the latest security patches from the operating system vendor. The patches should be properly installed and configured.

Response: The BOP agrees with this recommendation. The BOP will obtain the latest security patches from the operating system vendors and test for compatibility with the system. Completion is anticipated by December 2003.

Recommendation #25 - We recommend that the Director of the BOP ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for router configuration. At a minimum, these standards and settings should:

  1. Issue the "no ip source-route" command in interface configuration mode.
  2. Issue the "no ip alias" command in configuration mode.
  3. Issue the command: "ip tcp intercept list yyy," (where yyy is the access list number to which the connections will be intercepted), in configuration mode.
  4. Enable encryption via the "crypto map" command.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for router configurations. Completion is anticipated by February 2003.

Recommendation #26 - We recommend that the BOP Director ensure that the BOP management implement Cisco's fail-over capabilities by configuring HSRP on critical external routers.

Response: The BOP does not agree with this recommendation. The ITS network currently has fail-over procedures in place and the BOP feels this change will not benefit the operation or security of the system.

Recommendation #27 - We recommend that the Director of the BOP ensure that the BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for command line access. At a minimum, these standards and settings should include:

  1. Enter the following command: privilege level command, in global configuration mode.
  2. Create an appropriate access-list using the access-list command in configuration mode. Once the access list has been created, apply it to the appropriate terminal (typically vty 0 4) using the access-group <basic access list number> in command.
  3. Enable SSH on the router.
  4. Enable Authentication, Authorization, and Accounting.
  5. Establish a session timeout.

Response: The BOP agrees with this recommendation. The BOP will develop, implement, and monitor documented procedures establishing specific security standards and settings for command line access. Completion is anticipated by January 2003.
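As an added illustration, not part of the BOP response or the OIG report, the following Python checks a router configuration for the settings named in Recommendations #18, #25 and #27 and lists which are missing. The sample configuration and the check names are constructed for this example; it looks for `access-class` on the vty lines, the IOS keyword for applying an ACL to a terminal line, which is an assumption since the report text says access-group.

```python
"""Audit a Cisco IOS running-config for the router items in Recs #18, #25, #27 (added example, not BOP/OIG code)."""
import re

# Constructed sample configuration for demonstration only (not from the report).
SAMPLE_CONFIG = """\
hostname edge-rtr
no ip source-route
ip tcp intercept list 150
aaa new-model
router ospf 1
 passive-interface Serial0/0
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 crypto map VPNMAP
!
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 10 0
"""


def parse_sections(config):
    """Return (global_lines, blocks): top-level lines and each indented block."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separators end the current block
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def audit(config):
    """Map each recommended setting to True (present) or False (finding)."""
    g, blocks = parse_sections(config)
    vty = [l for k, v in blocks.items() if k.startswith("line vty") for l in v]
    ifaces = [l for k, v in blocks.items() if k.startswith("interface") for l in v]
    routing = [l for k, v in blocks.items() if k.startswith("router ") for l in v]
    return {
        # Rec #25: source routing off, no ip alias, TCP intercept, crypto map
        "no_ip_source_route": "no ip source-route" in g,
        "no_ip_alias": not any(l.startswith("ip alias ") for l in g),  # absent == off
        "tcp_intercept": any(re.match(r"ip tcp intercept list \S+$", l) for l in g),
        "crypto_map_on_interface": any(l.startswith("crypto map ") for l in ifaces),
        # Rec #18: passive-interface under the routing process
        "passive_interface": any(l.startswith("passive-interface ") for l in routing),
        # Rec #27: privilege levels, vty ACL, SSH only, AAA, session timeout
        "privilege_levels": any(l.startswith("privilege ") for l in g),
        "vty_acl": any(l.startswith("access-class ") for l in vty),
        "vty_ssh_only": "transport input ssh" in vty,
        "aaa": "aaa new-model" in g,
        "session_timeout": any(re.match(r"exec-timeout (?!0 0$)\d", l) for l in vty),
    }


def findings(config):
    """Sorted names of recommended settings that are missing."""
    return sorted(name for name, ok in audit(config).items() if not ok)
```

On the sample, `findings(SAMPLE_CONFIG)` reports the missing privilege-level statements and the telnet-only vty transport; a timeout of `0 0` (disabled) is also reported as a finding.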

Recommendation #28 - We recommend that the BOP Director ensure that the BOP management develop procedures for logging and monitoring system activity and require that audit logs be reviewed periodically.

Response: The BOP agrees with this recommendation. The BOP will develop documented procedures for logging and monitoring system activity and require that audit logs be reviewed periodically. The BOP anticipates completing this requirement by February 2003.

If you have any questions regarding this response, please contact Michael W. Garrett, Senior Deputy Assistant Director, Program Review Division, at (202) 616-2099.