Report No. 03-01
Office of the Inspector General
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY GENERAL CONTROL AREAS
The review focused on evaluating the adequacy of management, operational, and technical controls over the following specific control areas:
- MANAGEMENT CONTROLS. Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.
OPERATIONAL CONTROLS. Operational controls address security controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system. They often require technical or specialized expertise and rely upon management activities as well as technical controls.
- Risk Management. Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Assessing risk management involves evaluating OJP's efforts to complete the following critical procedures:
- Periodic performance of a system risk assessment had been performed.
- Program officials understand the risk to systems under their control and had determined the acceptable level of risk.
- Review of Security Controls. Routine evaluations and response to identified vulnerabilities are important elements of managing security controls of a system. Determining whether review of security controls had been adequately performed requires the auditor to assess if the following critical items were completed:
- A system security control review had been performed for both the ENS and interconnected systems.
- Management ensured effective implementation of corrective actions.
- Life Cycle. Like other aspects of an IT system, security is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal. Assessing a system's life cycle involves identifying if the following critical items are in place for the ENS:
- A system development life cycle methodology.
- System change controls as programs progress through testing to final approval.
- Authorize Processing (Certification and Accreditation). Authorize processing (also referred to as certification and accreditation) provides a form of assurance of the security of the system. To determine whether the ENS had been appropriately authorized to process data involves analyzing critical documents that identify whether:
- The system had been certified/recertified and authorized to process (accredited).
- The system is operating on an interim authority in accordance with specified agency procedures.
- System Security Plan. A system security plan provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements. The plan delineates responsibilities and expected behavior of all individuals who access the system. Assessing whether the ENS has an adequate system security plan requires identifying if the following critical elements were met:
- A system security plan had been documented for the system and all interconnected systems if the boundary controls are ineffective.
- The plan is kept current.
TECHNICAL CONTROLS. Technical controls focus on security controls that the computer system executes and depend upon the proper functioning of the system to be effective. Technical controls require significant operational considerations and should be consistent with the management of security within the organization.
- Personnel Security. Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs. Assessing personnel security involves evaluating the OJP efforts to complete the following critical procedures:
- Duties are separated to ensure least privilege and individual accountability.
- Appropriate background screening is completed.
- Physical and Environmental Protection. Physical security and environmental security are the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment. Assessing physical and environmental protection involves evaluating OJP's efforts to complete the following critical procedures:
- Adequate physical security controls have been implemented and are commensurate with the risks of physical damage or access.
- Data is protected from interception.
- Mobile and portable systems are protected.
- Production, Input/Output Controls. There are many aspects to supporting IT operations. Topics range from a user help desk to procedures for storing, handling and destroying media. Assessing production, input/output controls involves evaluating the OJP efforts to complete the following critical procedures:
- User support is being provided to ENS users.
- Media controls are in place for the ENS.
- Contingency Planning. Contingency planning ensures continued operations by minimizing the risk of events that could disrupt normal operations and having an approach in place to respond to those events should they occur. Assessing contingency planning involves evaluating OJP's efforts to complete the following critical procedures:
- Identify the most critical and sensitive operations and their supporting computer resources.
- Develop and document a comprehensive contingency plan.
- Have tested contingency/disaster recovery plans in place.
- Hardware and System Software Maintenance. These are controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes. Some of these controls are also covered in the Life Cycle Section. Assessing hardware and system software maintenance involves evaluating OJP's efforts to complete the following critical procedures:
- Access is limited to system software and hardware.
- All new and revised hardware and software are authorized, tested, and approved before implementation.
- Systems are managed to reduce vulnerabilities.
- Data Integrity. Data integrity controls are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity. Assessing data integrity involves evaluating OJP's efforts to complete the following critical procedures:
- Virus detection and elimination software is installed and activated.
- Data integrity and validation controls are used to provide assurance that the information has not been altered and the system functions as intended.
- Documentation. The documentation contains descriptions of the hardware, software, policies, standards, procedures, and approvals related to the system and formalize the system's security controls. Assessing documentation involves evaluating OJP's efforts to complete the following critical procedures:
- There is sufficient documentation that explains how software/hardware is to be used.
- There are documented formal security and operational procedures.
- Security Awareness, Training, and Education. People are a crucial factor in ensuring the security of computer systems and valuable information resources. Security awareness, training, and education enhance security by improving awareness of the need to protect system resources. Additionally, training develops skills and knowledge so computer users can perform their jobs more securely and builds in-depth knowledge. Assessing security awareness, training, and education involves evaluating OJP's efforts to complete the following critical procedures:
- Employees have received adequate training to fulfill their security responsibilities.
- Incident Response Capability. Computer security incidents are an adverse event in a computer system or network. Such incidents are becoming more common and their impact is far-reaching. The following questions are organized according to two critical elements. Assessing incident response capability involves evaluating OJP's efforts to complete the following critical procedures:
- There is a capability to provide help to users when a security incident occurs in the system.
- Incident-related information is shared with appropriate organizations.
- Identification and Authentication. Identification and authentication is a technical measure that prevents unauthorized people or processes from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Authentication is verification that a person's claimed identity is valid and it is usually implemented through the use of passwords. Assessing identification and authentication involves evaluating OJP's efforts to complete the following critical procedures:
- Users are individually authenticated via passwords and other devices.
- Access controls are enforcing segregation of duties.
- Logical Access Controls. Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted. Assessing logical access controls involves evaluating OJP's efforts to complete the following critical procedures:
- Logical access controls restrict users to authorized transactions and functions.
- There are logical controls over network access.
- There are controls implemented to protect the integrity of the application and the confidence of the public when the public accesses the system.
- Audit Trails. Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. Assessing audit trails involves evaluating OJP's efforts to complete the following critical procedures:
- Activity involving access to and modification of sensitive or critical files is logged, monitored, and possible security violations are investigated.