Select Application Controls Review of the Federal Bureau of Prisons's Sentry Database System
Report No. 03-25
Office of the Inspector General
U.S. Department of Justice
Federal Bureau of Prisons
Office of the Director
Washington, DC 20534
June 24, 2003
MEMORANDUM FOR: GUY K. ZIMMERMAN
ASSISTANT INSPECTOR GENERAL
Harley G. Lapp, Director (original signed)
Federal Bureau of Prisons
SUBJECT: Response to the Office of the Inspector General's (OIG) Draft Audit Report: Select Application Control Review of the Federal Bureau of Prisons' SENTRY Database System
The Bureau of Prisons (BOP) appreciates the opportunity to respond to the recommendations from the OIG's draft report entitled Select Application Control Review of the Federal Bureau of Prisons' SENTRY Database System.
Our comments to Recommendations 1, 4, 5, 6, and 7 are provided below.
Recommendation #1 - OIG recommends the BOP Director ensure that BOP management: Enforce the BOP (PS) 5100.07, which states that all CCO's are to use the BP-337 for inputting initial inmate data as the sole source document.
Response: The Bureau agrees with the recommendation. By July 1, 2003, all community corrections officers will be notified of the requirement, as outlined in PS 5100.07, that the BP-S337.051 form is the mandatory and sole data input form used during the designation process.
Recommendation #4 - OIG recommends the BOP Director ensure that BOP management: Update the BOP's "SENTRY System Security Guide," dated June 23, 2000, to require the routine generation and review of exception reports.
Response: The Bureau agrees with the recommendation. The Bureau will update the SENTRY System Security Guide by December 12, 2003, to require the routine generation and review of exception reports.
Recommendation #5 - OIG recommends the BOP Director ensure that BOP management: Provide the Information Security Officer with the exception reports generated from the audit logs in the time period specified by the BOP's "SENTRY System Security Guide."
Response: The Bureau agrees with the recommendation. Once the SENTRY System Security Guide is revised, the Bureau will begin creating and forwarding the exception reports to the Information Security Officer on at least a weekly basis. These exception reports will include attempts by users to execute transactions from unauthorized terminals as well as attempts to view or update information that they are not authorized to access. Target date for completion is October 1, 2003.
Recommendation #6 - OIG recommends the BOP Director ensure that BOP management: Enforce the BOP's existing access control policy by properly configuring SENTRY's workstation controls to ensure that users with system authorization are restricted to areas of the system that they have been authorized to access, and no more.
Response: The Bureau agrees with the recommendation. The Bureau's SENTRY system cannot currently restrict access to transactions based upon a person's UserID. We are in the initial stages of porting SENTRY to a Web architecture. As part of this port, we will be augmenting our current terminal id based security to include security based upon UserID. This will mean that an authorized user must also be at an authorized workstation in order to perform any restricted transactions. This is a level of security beyond what the OIG is requesting. This port of SENTRY is projected to be completed by FY 2005.
Recommendation #7 - OIG recommends the BOP Director ensure that BOP management: Update SENTRY's General Use Manual to reflect proper procedures for entering initial inmate records into SENTRY.
Response: The Bureau agrees with the recommendation. The Bureau is currently preparing a complete revision of the SENTRY General Use Manual. This revision will include converting the document to HTML, adding extensive search capabilities, links to additional information as well as updates to reflect the current working state of the SENTRY system. This revision will be completed by December 5, 2003, and will include the instructions for the correct loading of initial inmate data.
We have not provided a response to Recommendations 2 and 3, as we have some disagreements with their implementation. We did not address these disagreements at the exit conference as the "owners" of this program were not represented. Mike Garrett has discussed this matter with Norm Hammonds, and we respectfully request an informal meeting with OIG to address these issues prior to providing an official response. Mr. Hammonds has relayed to Mr. Garrett that this approach is acceptable.
If you have any questions regarding this response, please contact Michael W. Garrett, Senior Deputy Assistant Director, Program Review Division, at (202) 616-2099.