Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Office of Justice Programs' Enterprise Network System

Report No. 03-01
October 2002
Office of the Inspector General

The fiscal year (FY) 2001 Defense Authorization Act (Public Law 106-398) includes Title X; subtitle G, "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:

• Have an annual independent evaluation of their information security and practices performed.
• Ensure information security policies are founded on a continuous risk management cycle.
• Implement controls that assess information security risks.
• Promote continuing awareness of information security risks.
• Continually monitor and evaluate information security policy.
• Control effectiveness of information security practices.
• Provide a risk assessment and report on the security needs of the agencies' systems, and include the report in their budget request to the Office of Management and Budget (OMB).

The objective of the audit was to determine the U.S. Department of Justice's (Department) compliance with the GISRA requirements. The Enterprise Network System (ENS) was selected as one of the subset of systems to be tested to determine the effectiveness of the Department's overall security program for FY 2002. At the time of our audit, KPMG LLP (KPMG) was performing a significant portion of the information security work required by GISRA as part of the Department's financial statement audits. KPMG was contracted to perform this work under the supervision of the OIG.

In determining if the Department is compliant with GISRA requirements, we used the collective work of both KPMG and PricewaterhouseCoopers LLP (PwC) to determine whether adequate computer security controls existed to protect the ENS from unauthorized use, loss, or modification. Although this report contains security vulnerabilities, we are not prescribing recommendations. Instead, we are consolidating and reporting the recommendations in the OIG's financial statement FY 2002 report to simplify tracking of recommendations and corrective actions.

We interviewed the OJP management personnel, reviewed system documentation, and performed testing to determine compliance with the Office of Justice Programs (OJP) and Department security policies and procedures. We performed the audit in accordance with Government Auditing Standards and the audits took place from May through July 2002. We performed test work at the OJP Headquarters in Washington, D.C.

For the interviews conducted, we used the questionnaire contained in the National Institute of Standards and Technology (NIST) Special Publication 800-26 "Security Self-Assessment Guide for Information Technology Systems." This questionnaire contains specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire contains 17 areas under 3 general controls (management, operational, and technical). The areas contain 36 critical elements and 225 supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from OMB Circular A-130 and are integral to an effective IT security program. The control objectives and techniques support the critical elements. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.

The audit approach was based on the General Accounting Office's Federal Information System Controls Audit Manual, the Chief Information Officer Council Framework, OMB Circular A-130, and guidance established by NIST. These authorities prescribe a review that evaluates the adequacy of management, operational, and technical controls over control areas listed in Appendix I.