
Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Federal Bureau of Prisons' Inmate Telephone System II

Report No. 03-04
November 2002
Office of the Inspector General


APPENDIX III

OIG, AUDIT DIVISION ANALYSIS AND SUMMARY
OF ACTIONS NECESSARY TO CLOSE REPORT

Recommendation Number:

  1. Resolved. In order to close this recommendation, the Bureau of Prisons (BOP) needs to incorporate security requirements into the development and acquisition phases of the SDLC.
  2. Resolved. In order to close this recommendation, the BOP needs to incorporate procedures to document certification testing activities, update system documentation when security controls are added, retest security controls, and recertify the system after changes have been made.
  3. Resolved. In order to close this recommendation, the BOP needs to update operating controls as outlined in the June 2002 Security Test and Evaluation (ST&E) report, and complete the "Conditions of Certification" outlined in the Inmate Telephone System II (ITS II) certification statement.
  4. Resolved. In order to close this recommendation, the BOP needs to require all users, including vendor and contractor personnel, to read and sign the Rules of Behavior document (BOP Directive 1237-12) to ensure users are aware of its contents.
  5. Resolved. In order to close this recommendation, the BOP needs to incorporate the guidelines for developing security plans outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 into the current ITS II security plan and incorporate that plan into the BOP's overall IRM strategic plan.
  6. Resolved. In order to close this recommendation, the BOP needs to analyze the current staff shortages by determining the security and system administrator skills present on the BOP team, and ensure that individuals holding conflicting duties are moved to positions that do not conflict.
  7. Resolved. In order to close this recommendation, the BOP needs to enforce procedures, in accordance with BOP Directive 1237.11 and Department policy, for distributing the BOP's documented procedures for maintaining ITS II user accounts to ITS II security staff and contractor personnel.
  8. Resolved. In order to close this recommendation, the BOP needs to implement all of the recommendations outlined in the June 2002 ST&E report, specifically those outlined in section 4.12.
  9. Resolved. In order to close this recommendation, the BOP needs to document a process to control the transfer of media and BOP data.
  10. Resolved. In order to close this recommendation, the BOP needs to ensure the contingency plan is distributed to appropriate individuals, including contractor staff.
  11. Resolved. In order to close this recommendation, the BOP needs to develop a configuration standard for all systems that incorporates the most restrictive security settings possible.
  12. Resolved. In order to close this recommendation, the BOP needs to develop policies and procedures surrounding the use of intrusion detection software and integrity validation software.
  13. Resolved. In order to close this recommendation, the BOP needs to develop a policy for incident handling, response, and personnel support.
  14. Resolved. In order to close this recommendation, the BOP needs to enforce Department password policies and procedures and install and activate a password filter on all servers to enforce the required password restrictions.
  15. Resolved. In order to close this recommendation, the BOP needs to develop and monitor documented procedures establishing specific security standards and settings for access controls.
  16. Resolved. In order to close this recommendation, the BOP needs to develop and monitor documented procedures establishing specific security standards and settings for user authentication and access.
  17. Resolved. In order to close this recommendation, the BOP needs to implement the Windows NT System Key utility (SYSKEY) and restrict services so that they run in a secured context.
  18. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for network controls.
  19. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for user and group management controls.
  20. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for account integrity management.
  21. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for file system access.
  22. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for maintenance controls.
  23. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for Windows NT registry settings.
  24. Resolved. In order to close this recommendation, the BOP needs to obtain the latest security patches from the operating system vendor.
  25. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for router configuration.
  26. Unresolved. In order to resolve this recommendation, the BOP needs to comply with the recommendation to implement Cisco's fail-over capabilities by configuring the Hot Standby Router Protocol (HSRP) on critical external routers. In addition, the BOP needs to provide the OIG with documentation reflecting the current fail-over capabilities of the Cisco routers residing on the ITS II network.
  27. Resolved. In order to close this recommendation, the BOP needs to develop, implement, and monitor documented procedures establishing specific security standards and settings for command line access.
  28. Resolved. In order to close this recommendation, the BOP needs to develop procedures for logging and monitoring system activity and require that audit logs be reviewed.
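As an added illustration of the fail-over configuration that recommendation 26 calls for, the following Cisco IOS fragment shows HSRP configured on a pair of external routers. It is example configuration written for this appendix, not part of the OIG report and not the BOP's actual router configuration; the interface names, addresses, group number, priorities and the tracked uplink interface are all assumed for the example, and the shared secret is a placeholder.

```cisco
! Router A (intended active gateway). Interface names and addresses are assumed.
interface FastEthernet0/0
 description LAN side, ITS II segment (assumed)
 ip address 192.0.2.2 255.255.255.0
 ! Shared virtual gateway address that hosts use as their default gateway
 standby 1 ip 192.0.2.1
 ! Higher priority than router B, so A is active under normal conditions
 standby 1 priority 110
 ! Reclaim the active role after A recovers from a failure
 standby 1 preempt
 ! Authenticate HSRP hellos so a rogue host on the segment cannot claim the virtual IP
 standby 1 authentication md5 key-string <shared-secret>
 ! Decrement priority by 20 if the WAN uplink goes down, so B (priority 100) takes over
 standby 1 track Serial0/0 20
!
! Router B (standby gateway). Same group and virtual IP, lower priority.
interface FastEthernet0/0
 description LAN side, ITS II segment (assumed)
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 track Serial0/0 20
!
! Verification to capture on each router as fail-over evidence for the OIG:
!   show standby brief
! One router should report "Active" and the other "Standby" for group 1,
! and shutting the tracked uplink on the active router should swap the roles.
```

Two practitioner caveats. First, HSRP without authentication lets any host on the shared segment that sends hellos with a higher priority take over the virtual gateway address and intercept traffic, so the authentication line is a security control, not just a tidiness item; plaintext HSRP authentication is only marginally better, since the key is visible on the wire. Second, HSRP only covers the default-gateway hop: a failure of the shared LAN segment or of both uplinks is not mitigated, which is why the documentation requested in recommendation 26 should describe the actual fail-over paths rather than just the presence of HSRP.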