The Department of Justice’s Victim Notification System

Audit Report 08-04
January 2008
Office of the Inspector General

Appendix XIII
Office of the Inspector General Analysis and
Summary of Actions Necessary to Close the Report

In its response to our draft audit report, EOUSA concurred with our recommendations. This appendix provides our analyses of EOUSA’s responses, including the actions needed to close each recommendation.

Status of Recommendations

  1. Resolved. In its response to our draft report recommendation to develop a written plan for archiving VNS data or acquiring new equipment to resolve the capacity issue, EOUSA stated that it installed new equipment on October 20, 2007. EOUSA stated that replacing the old equipment has alleviated storage space issues for the projected lifespan of the new equipment. EOUSA further stated that it would address data archiving in the next VNS contract.

    2. To close this recommendation, please provide us with a copy of the next VNS contract, including information regarding the archiving of VNS data.

  2. Resolved. In response to our recommendation to ensure that it utilizes the newer version of Tracker software for Call Center/Help Desk functions, EOUSA stated that Tracker was replaced with Front Range on July 5, 2007. EOUSA further stated that in a future release to the VNS, it plans to implement the Front Range e-mail function that surveys individuals upon the closing of a “ticket” regarding customer satisfaction with the Help Desk.

    3. To close this recommendation, please provide evidence that EOUSA has replaced Tracker with Front Range. Additionally, please provide evidence that EOUSA has implemented the Front Range feature for surveying individuals upon closing of a “ticket.”

  3. Resolved. EOUSA is in agreement with our recommendation to develop a universal interface for federal investigative agencies to upload data directly to the VNS. EOUSA stated that it plans to proceed with the universal interface when funding is made available by the OVC.

    4. To close this recommendation, please provide us with evidence that the universal interface has been developed and is being utilized by federal investigative agencies to upload data directly to the VNS.

  4. Resolved. In its response to the draft report, EOUSA advised that it and the Administrative Office of the U.S. Courts (AOUSC) have agreed to develop the ability to connect individual district courts to the VNS. Further, EOUSA stated that development is underway and the project is expected to be completed in late March 2008. However, EOUSA noted that it cannot ensure that all district courts are connected because the Courts, as part of the Judicial Branch, are not part of DOJ.

    5. To close this recommendation, please provide us, when available, evidence that the technical development of an EOUSA/AOUSC interface is complete. Further, please provide us, when developed, with a copy of the plan to promote the connection of the individual district courts to the VNS. Finally, once the plans are complete, please provide us with evidence of individual district courts that agree to be connected to the VNS.

  5. Resolved. In its response to our recommendation to work with VNS-participating agencies to develop and implement procedures for federal VNS users to ensure that victims’ contact information is current and updated, EOUSA agreed that it is essential that the VNS contain current and accurate victim-contact information. According to EOUSA, though, it will work with VNS-participating agencies to develop and implement additional procedures to ensure that victim contact information is as up-to-date and accurate as possible.

    6. To close this recommendation, please provide us with evidence of your efforts to work with VNS-participating agencies to develop and implement additional procedures to ensure that victim contact information is as up-to-date and accurate as possible.

  6. Resolved. EOUSA provided information, by specific area, in response to our recommendation to develop long-range plans for the VNS and its management.

    7. To close this recommendation, please provide us with: (1) a copy of the next VNS contract, when available, which includes a plan for periodic replacement of hardware and software; (2) evidence of how ideas that came out of the September 2007 meeting have been used to plan for the future; and (3) a copy of EOUSA’s written succession plan for VNS program management.

  7. Resolved. In its response to our draft report, EOUSA concurred with our recommendation to work with VNS-participating agencies to develop and implement a nationwide procedure for addressing undeliverable correspondence and e‑mail.

    8. To close this recommendation, please provide us the portion of the next VNS contract, when available, containing a technical solution to the issue of returned e-mail notices. Additionally, please provide evidence of how EOUSA is working with other agencies to develop a nationwide policy regarding returned mail.

  8. Resolved. EOUSA agreed with our recommendation to improve Call Center automated assistance to allow callers to reach an operator at any point during a call. Further, EOUSA stated that an engineering change to allow this access will be considered for a future release to the VNS.

    9. To close this recommendation, please provide evidence of the engineering change to the VNS, which will allow callers to reach an operator at any point during a call to the VNS Call Center.

  9. Resolved. In its response to our recommendation to follow up with its contractor to fulfill its requirement to have a Spanish-speaking operator available during all hours of operation, EOUSA stated that the VNS Project Manager has discussed this issue with its contractor. EOUSA further advised that it has developed an interim plan that makes use of another department of the contractor that provides Spanish translations. EOUSA stated this is a temporary solution until additional Spanish-speaking operators can be hired.

    10. To close this recommendation, please provide us with evidence of the steps the contractor is taking to recruit Spanish speakers and, when it occurs, evidence that these employees have been hired.

  10. Resolved. EOUSA concurred with our recommendation to work with the United States Marshals Service (USMS) to ensure that the accurate custody status of defendants is available to victims utilizing the VNS. Moreover, EOUSA stated that it is in contact with the USMS regarding this issue and plans to have VNS ready to accept USMS data by March 2008.

    11. To close this recommendation, please provide us with evidence that the interface between the VNS and the USMS that will allow the VNS to accept USMS custody status data has been developed and is functioning.

  11. Resolved. In its response to our draft report, EOUSA stated that it will review the VIS regarding the consistency of restitution information and availability.

    12. To close this recommendation, please provide evidence of EOUSA’s review of restitution information available in the VIS. This review should provide details of EOUSA’s review, including an examination of the consistency of the information and directions provided.

  12. Resolved. EOUSA concurred with our recommendation to work with VNS-participating agencies to develop a requirement for federal VNS users to record a reason for opting a victim out of the VNS.

    13. To close this recommendation, please provide us, once developed, with documentation of the engineering change request that will require users to select one of the opt-out reasons when electing to stop notifications to a registered victim. Additionally, please provide us evidence that this function has been implemented.

  13. Resolved. EOUSA concurred with our recommendation and is in the process of implementing data integrity checks and encryption procedures to ensure that transmitted data from the BOP and FBI are complete and accurate, as required by Department policy.

    14. To close this recommendation, please provide evidence (e.g., screen shots and approved change control sheets) that data integrity checks and encryption of transmitted BOP and FBI data files are being performed for the VNS.

  14. Resolved. EOUSA concurred with our recommendation and stated that it has updated the VNS’s system security plan to include accurate user identification and authentication security information.

    15. To close this recommendation, please provide us a copy of the updated system security plan.

  15. Resolved. EOUSA concurred with our recommendation and plans to ensure that a disclaimer notification is developed for the VIS application to notify users when they are about to visit a third-party website through a hyperlink.

    16. To close this recommendation, please provide evidence (such as screen shots and approved change control sheets) that this disclaimer notification has been implemented for the VIS.

  16. Resolved. EOUSA concurred with our recommendation to modify the VIS application to protect against common web attacks. EOUSA plans to assess the VIS application with a leading commercial web application vulnerability assessment tool and implement corrective actions as appropriate.

    17. To close this recommendation, please provide EOUSA’s VIS vulnerability assessment results and evidence that corrective actions have been implemented.

  17. Resolved. In response to our recommendation, EOUSA stated that is has completed actions to terminate unnecessary or vulnerable services identified on the VNS servers.

    18. To close this recommendation, please provide evidence that these actions have been completed.

  18. Resolved. EOUSA concurred with our recommendation and stated that application and server patches are applied timely. However, EOUSA indicated that not all patches are applied due to technical and business considerations. Furthermore, EOUSA plans to continue to apply selected patches in accordance with documented VNS configuration management processes.

    19. To close this recommendation, please provide evidence that application and server patches are applied in a timely manner in accordance with Department policies. EOUSA should ensure that approved waivers from the Department are maintained for those patches that are not applied. Additionally, the risks associated with the vulnerabilities for failure to apply the patches should be approved and documented within the VNS’s risk assessment.

  19. Resolved. EOUSA concurred with our recommendation to adequately secure network devices and server configurations. As a result, EOUSA also plans to regularly assess the VNS’s infrastructure using the Department’s standard assessment tool. Furthermore, EOUSA indicated that some vulnerabilities listed in Appendix X are now identified by their officials as being false positive. However, EOUSA was presented with the vulnerability assessment results performed by our auditors during the course of the audit, but did not identify any of the vulnerabilities as being false positive.

    20. To close this recommendation, please provide evidence that EOUSA has adequately secured network devices and server configurations for vulnerabilities identified in Appendix X. EOUSA should also provide evidence of the compensating controls used for those vulnerabilities listed in Appendix X that EOUSA has recently identified as false positive.


« Previous Table of Contents Next »