Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The Office of Justice Programs' Enterprise Network System

Report No. 03-01
October 2002
Office of the Inspector General


We obtained audit evidence to determine whether adequate computer security controls existed to protect the OJP network from unauthorized use, loss, or modification. We assessed management, operational, and technical controls for 17 critical areas as a medium to high risk for the ENS. Our assessment disclosed vulnerabilities within 7 of the 17 areas. Two of the seven vulnerabilities were within technical controls and were identified as high risks to the protection of the OJP network. For the vulnerabilities noted in this report, we are not providing recommendations. Instead, we will consolidate and report the recommendations in the OIG's FY 2002 financial statement report to simplify tracking of recommendations and corrective actions.

We concluded that these vulnerabilities occurred because OJP management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures in the Certification and Accreditation process to ensure the ENS network was protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities threaten the ENS and its data with the potential for unauthorized use, loss, or modification.