
Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Federal Bureau of Prisons' Inmate Telephone System II

Report No. 03-04
November 2002
Office of the Inspector General


EXECUTIVE SUMMARY

The Federal Bureau of Prisons (BOP) is tasked with protecting society by confining offenders in the controlled environments of prisons and community-based facilities that are safe, humane, cost-efficient, and appropriately secure; and providing work and other self-improvement opportunities to assist offenders in becoming law-abiding citizens.

The Inmate Telephone System II (ITS II) is a system that allows inmates at a federal correctional facility to place telephone calls while providing BOP staff with the ability to control inmates' access, record the calls, adjust inmates' commissary accounts, and bill for the calls.

The Office of the Inspector General (OIG) selected ITS II as one of five sensitive but unclassified (SBU) systems to review pursuant to the Government Information Security Reform Act (GISRA) for the fiscal year (FY) 2002. The OIG is required by GISRA to perform an independent evaluation of the Department of Justice's (Department) information security program and practices. This report contains the results of the ITS II audit. Separate reports will be issued for each of the other systems evaluated pursuant to GISRA, including three systems that process classified information.

Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) performed the audit of ITS II. The audit took place from May through July 2002 and consisted of interviews, on-site observations, and reviews of Department and component documentation to assess ITS II's compliance with GISRA and related information security policies, procedures, standards, and guidelines.[1] We[2] used commercial-off-the-shelf and proprietary tools to conduct vulnerability tests and analyses of significant operating system integrity and security controls.

During the course of our work for this review, we found improvements or satisfactory operations within the ITS II information security controls that are being reported. Specifically:

Despite these improvements, we assessed management, operational, and technical controls at a medium to high risk to the protection of the ITS II from unauthorized use, loss, or modification. Specifically, we identified vulnerabilities in 13 of the 17 control areas. Two of the 13 vulnerabilities were identified as high risks to the protection of ITS II as indicated in the following chart.

CONTROL AREAS [3]                                            VULNERABILITIES NOTED

Management Controls
 1. Risk Management
 2. Review of Security Controls
 3. Life Cycle                                               X
 4. Authorize Processing (Certification and Accreditation)   X
 5. System Security Plan                                     X

Operational Controls
 6. Personnel Security                                       X
 7. Physical and Environmental Protection                    X
 8. Production, Input/Output Controls                        X
 9. Contingency Planning                                     X
10. Hardware and Systems Software Maintenance                X
11. Data Integrity                                           X
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability                             X

Technical Controls
15. Identification and Authentication                        X*
16. Logical Access Controls                                  X*
17. Audit Trails                                             X

Source: The OIG's FY 2002 GISRA audit of ITS II.
X* Significant vulnerability in which risk was noted as high.  A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.

As a result of the findings identified in this report, we are providing 28 recommendations for improving ITS II to ensure that BOP management:

We concluded that these vulnerabilities occurred because BOP management did not fully develop, document, or enforce agency-wide policies in accordance with current Department policies and procedures. Additionally, we believe the Department did not enforce its security policies and procedures through its certification and accreditation process to ensure ITS II is protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities threaten ITS II and its data with the potential for unauthorized use, loss, or modification.


Footnotes

  1. In a September 1997 audit, report number 97-26, the OIG recommended that the Department develop effective computer security program guidance. The Department then revised its policy and released DOJ Order 2640.2D, "Information Technology Security" in July 2001, which was used in the analysis of this year's review.
  2. In this report, "we" refers either to the OIG or to PwC working under the direction of the OIG.
  3. Control Areas as described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems."