The Status of Enterprise Architecture and Information Technology
Investment Management in the Department of Justice

Audit Report 06-02
November 2005
Office of the Inspector General


Appendix 8

Prior Reports


We identified eight IT-related reports issued since May 2000 by the GAO and the OIG that are relevant to this audit. In May 2000, the GAO reported that although almost all federal agencies had created some type of ITIM process, none had yet implemented stable processes addressing all three phases of the select-control-evaluate approach.[16] According to the GAO, one barrier to implementing reliable ITIM has been the lack of specific guidance on the required processes.

In February 2002, the GAO reported that the federal government as a whole had not reached a mature state of Enterprise Architecture management.[17] In particular, about 52 percent of federal agencies reported having at least the management foundation that is needed to begin successfully developing, implementing, and maintaining an Enterprise Architecture, but about 48 percent of agencies had not yet advanced to this basic stage of maturity. In November 2003, the GAO updated its 2002 report and concluded that little progress had occurred in agencies' Enterprise Architecture management.[18]

In April 2002, pursuant to the FY 2001 Government Information Security Reform Act, the OIG issued a report on JMD's Rockville and Dallas Data Centers IT system. The report identified vulnerabilities with management, operational, and technical controls. The report noted significant vulnerabilities in the following areas:

  • security policies and procedures,

  • authorization of software changes,

  • contingency planning,

  • password management,

  • logon management,

  • account integrity management, and

  • system auditing management.

The report stated that these vulnerabilities occurred because JMD lacked sufficient guidance, adequate security policies, and effective enforcement of policies.

In December 2002, the OIG issued a report on the FBI's Management of IT Investments. The OIG reported that the FBI did not have a fully developed enterprise architecture. Also, the FBI was not effectively selecting, controlling, and evaluating its IT investments because it had not fully implemented any of the critical processes necessary for successful ITIM.

In May 2003, also pursuant to the FY 2001 Government Information Security Reform Act, the OIG issued a report on JMD's Justice Communications Network IT system. The report identified vulnerabilities with the IT system including management, operational, and technical controls. The report noted significant vulnerabilities in the following areas:

  • review of security controls,

  • personnel security,

  • contingency planning,

  • hardware and system software maintenance,

  • documentation,

  • identification and authentication, and

  • logical access controls.

The report stated that these vulnerabilities occurred because JMD had not implemented Department policies or updated security information and procedures.

In June 2004, pursuant to the Federal Information Security Management Act, the OIG issued an oversight and information systems consolidated report. The report identified JMD vulnerabilities in the following areas:

  • vulnerability tracking capability and documented structured compliance evaluation procedures,

  • oversight,

  • creating specific goals,

  • components documenting systems configuration management process for their systems,

  • components adequately developing and distributing Rules of Behavior to all employees and contractors prior to gaining access to the systems, and

  • components reporting computer security incidents to the Department of Justice Computer.

In September 2004, the OIG issued a report on the Drug Enforcement Administration's Management of Enterprise Architecture and IT Investments. The OIG found that the Drug Enforcement Administration had completed nearly 90 percent of the Enterprise Architecture Management Framework criteria for meeting the second of five levels of maturity. Also, the Drug Enforcement Administration had attained Stage 2 of the five maturity stages outlined in the GAO ITIM Framework.



Footnotes

  16. The report is entitled Information Technology Investment Management: An Overview of GAO's Assessment Framework (GAO/AIMD-00-155), dated May 2000.

  17. The report is entitled Information Technology, Enterprise Architecture Use Across the Federal Government Can Be Improved (GAO-02-6), dated February 2002.

  18. The report is entitled Information Technology, Leadership Remains Key to Agencies Making Progress on Enterprise Architecture Efforts (GAO-04-40), dated November 2003.


