Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Office of Justice Programs' Enterprise Network System

Report No. 03-01
October 2002
Office of the Inspector General


COMMENTARY AND SUMMARY

The Office of Justice Programs (OJP) is a federal agency within the Department of Justice (Department).  Specifically, the OJP's mission is to develop the nation's capacity to prevent and control crime, improve the criminal and juvenile justice systems, increase knowledge about crime and related issues, and assist crime victims.  The OJP's senior management team comprises the Assistant Attorney General (AAG), the Deputy Assistant Attorney General (DAAG), and five bureau heads.

The Enterprise Network System (ENS) is the overall general support system that provides enterprise-wide information infrastructure services in support of the OJP mission.  The ENS provides storage, processing, and transmission of a large variety of the OJP accounting and administrative information.  Mission and administrative support functions of the OJP rely extensively on the availability of the ENS and the access it provides to facilitate the OJP program participation and efficient financial management operations.  All information on the ENS is considered sensitive but unclassified.

The Office of the Inspector General (OIG) selected the OJP as one of five sensitive but unclassified systems to review pursuant to the Government Information Security Reform Act (GISRA) for the fiscal year (FY) 2002.  The OIG was required by GISRA to perform an independent evaluation of the Department’s information security program and practices.  This report contains the results of the ENS audit.  Separate reports will be issued for each of the other systems evaluated pursuant to GISRA, including three systems that process classified information.

Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) was selected to perform the ENS audit.  The audit took place from May through July 2002 and consisted of interviews, on-site observations, and reviews of Department and component documentation to assess the ENS's compliance with GISRA and related information security policies, procedures, standards, and guidelines.[1]

During our review of the ENS, KPMG LLP (KPMG) was performing an audit of the ENS security controls in support of the fiscal year 2002 financial statement audit.  GISRA mandates (as part of the Paperwork Reduction Act) that the OIG and its contractors rely whenever possible on work performed by other reviewers for their GISRA audits, so as not to duplicate efforts.  To avoid duplication, PwC limited its role to reviewing management and operational controls and relied on the testing of technical controls performed by KPMG.

PwC's testing did not identify any areas where additional work was required or where there appeared to be any inconsistency with the conclusions reached by KPMG.  Therefore, for the vulnerabilities noted in this report, we[2] are not providing recommendations.  Instead, we are consolidating and reporting the recommendations in the OIG's financial statement FY 2002 report to simplify tracking of recommendations and corrective actions.[3]

Based on PwC's and KPMG's assessments, we assessed management, operational, and technical controls as posing a medium to high risk to the protection of the ENS from unauthorized use, loss, or modification.  Specifically, the auditors identified vulnerabilities in 7 of the 17 control areas.  Two of the seven vulnerabilities were identified as high risks to the protection of the ENS, as indicated in the following chart.

CONTROL AREAS [4]                                              VULNERABILITIES NOTED

Management Controls
   1. Risk Management
   2. Review of Security Controls
   3. Life Cycle                                                      X
   4. Authorize Processing (Certification and Accreditation)
   5. System Security Plan                                            X

Operational Controls
   6. Personnel Security                                              X
   7. Physical and Environmental Protection
   8. Production, Input/Output Controls
   9. Contingency Planning                                            X
  10. Hardware and Systems Software Maintenance
  11. Data Integrity
  12. Documentation
  13. Security Awareness, Training, and Education                     X
  14. Incident Response Capability

Technical Controls
  15. Identification and Authentication                               X*
  16. Logical Access Controls                                         X*
  17. Audit Trails

Source:  The OIG's FY 2002 GISRA audit of ENS

X* Significant vulnerability in which the risk was rated as high.  A high-risk vulnerability is defined as one in which extremely grave circumstances can occur because a remote or local attacker is allowed to violate the security protection of a system through user or root account access, gaining complete control of the system and compromising critical information.

As a result of this audit, we identified the following vulnerabilities:

We concluded that these vulnerabilities occurred because OJP management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures.  Additionally, the Department did not enforce its security policies and procedures in the certification and accreditation process to ensure that the ENS is protected from unauthorized use, loss, or modification.  If not corrected, these security vulnerabilities leave the ENS and its data exposed to potential unauthorized use, loss, or modification.


Footnotes

  1. In a September 1997 audit, report number 97-26, the OIG recommended that the Department develop effective computer security program guidance. The Department then revised its policy and released DOJ Order 2640.2D, "Information Technology Security," in July 2001, which was used in the analysis of this year's review.
  2. In this report, "we" refers either to the OIG or to PwC working under the direction of the OIG. With respect to the discussion of technical controls, "we" also encompasses the work performed by KPMG under the direction of the OIG.
  3. At the time of our audit, the financial statement audit report had not been issued.
  4. Control Areas as described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems."