OIG Audit Report

Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The United States Marshals Service's Warrant Information Network

Report No. 03-03
November 2002
Office of the Inspector General

APPENDIX II


	U.S. Department of Justice United States Marshals Service Office of the Director


	October 29, 2002




MEMORANDUM TO:	Glen A. Fine Inspector General

ATTN:	Guy K. Zimmerman Assistant Inspector General for Audit

FROM:	Benigno G. Reyna (original signed) Director

SUBJECT:	Draft Audit Report — The United States Marshals Service’s Warrant Information Network Independent Evaluation Pursuant to the Government Information Security Reform Act fiscal Year 2002

Attached is the U.S. Marshals Service response to the findings and recommendations contained in the referenced report. I appreciate the seriousness of the issues raised in the report and have directed appropriate staff to develop a plan of action to address them.

We are committed to developing an information technology system within the Department of Justice that meets established policies and regulations.

Attachment

Issue Recommendation USMS Response

1. Inappropriate Security Controls a. Conduct independent reviews when significant changes are implemented and completed.
b. Enhance and enforce USMS policies and procedures for identifying, tracking, and correcting vulnerabilities. Maintain a status report on corrective actions performed. c. Increase the number of trained IT security personnel in order to identify and correct system weaknesses in a timely manner.
The USMS currently conducts reviews of systems and applications on an ongoing basis in support of DOJ C&A requirements. This ongoing review process, as well as other independent reviews and audits, identified many of the same or related findings as included in the OIG WIN audit.

The USMS developed a corrective action plan to track and resolve IT security vulnerabilities identified in previous years’ financial audits. Periodic status reports (weekly and monthly) were provided to the UKW auditors as part of the FY 2001 financial audit. While some progress has been made, resolution of many of the system vulnerabilities requires additional security resources. The USMS has repeatedly sought more security funding and personnel, but to date, support for these requests has not been forthcoming from the Department.

2. Inadequate Systems Development Ensure that a documented and approved System Development Life Cycle (SDLC) methodology is applied when planning, implementing, or maintaining major applications or general support systems. The USMS has developed an Information Technology Investment Management (ITIM)/SDLC process. The USMS ITIM/SDLC process was approved by the DOJ CIO in August 2002. The process will be implemented in USMS in FY 2003.

3. Inadequate Documentation to Support Certification and Accreditation (C&A) a. Rescind the C&A and place WIN and MNET systems in an Interim Approval To Operate (IATO) status for no longer than 6 months while completing, at a minimum, the systems’ system test & evaluation plan (ST&E), contingency plan, and security plan.
b. Develop a corrective action plan establishing a schedule and milestones to complete the ST&E, contingency plan (including test of the contingency plan), and security plan within the 6 months IATO period. The USMS concurs with placing WIN and MNET in an IATO status for 6 months while completing the recertification and reaccreditation process for the systems. A corrective action plan will be established to complete the required C&A documents within the 6 month timeframe, including preparing the ST&E, contingency plan (with testing), and system security plan.

4. Inadequate System Security Plan a. Modify the WIN system security plan, USMS strategic plan, to include the “Planning for Security in the Life Cycle” section, as described in NIST SP 800-18.
b. Assign a group (or person) with the responsibility for correcting security vulnerabilities and analyzing those controls that are deemed critical by USMS to ensure WIN and MNET systems meet the requirements set forth in the upcoming/current C&A process and documenting all action taken. Finally, if the security controls are not strengthened, remove WIN and MNET from production until all critical functions are adequately secured. As part of the recertification and reaccreditation for WIN and MNET, the system security plan and required SDLC documents will be prepared or modified to comply with NIST requirements. ITS personnel will be assigned to implement necessary security controls. Corrective actions will be taken so that WIN and MNET are adequately secured as it is not feasible to take these systems out of production.

Operational Controls

5. Inadequate Separation of Duties Establish procedures to ensure a separation of duties between individuals responsible for developing the system and those responsible for system or security administration. The USMS has procedures in place requiring separation of duties between system developers and system administrators. However, IT staffing limitations have precluded the procedures from being effectively enforced. Support from the Department for USMS IT security budget requests would rectify this problem.

6. Inadequate Physical and Environmental Controls Implement Department’s physical security controls as described in DO3 Order 2640.2D. Enhancements were recently made to the USMS HQ Penthouse to improve physical and environmental controls for IT systems. All USMS production servers have been moved to the Penthouse, and further physical and environmental controls will be implemented as funding permits.

7. World-Writeable Files Review all world-writeable files and directories. For any files and directories not needed for proper functioning of the system, the file permission should not be world-writeable. Users’ files and directories permission settings should be set in a manner that is necessary for the user to fulfill job responsibilities no more. The USMS will review the status of all WIN files and directories on the WIN servers and will develop procedures for proper assignment of file permissions for users. A policy of “least privilege” system access will be implemented.

8. User Parameter Settings a. Define the “umask” settings so that only the owner can view or modify files,
b. Construct “path” variables so that no world-writeable directories are included in the path.
c. Ensure that all directories are searched appropriately in the “path” variable. The USMS will review the status of all WIN files and directories on the WIN servers and will develop procedures for proper assignment of user parameters.

9. Help Desk Policies and Procedures Do Not Exist Implement documented procedures for help desk personnel to follow when performing their daily responsibilities. The USMS agrees that written procedures need to be prepared to assist help desk personnel in responding to user problems. It should be noted, however, that help desk personnel are not responsible for resolving security problems (e.g., resetting user passwords). Rather, security issues are referred by help desk personnel to system administrators or security staff for resolution. Deployment of the Justice Consolidated Office Network (JCON) in USMS will facilitate help desk support and significantly improve security through implementation of a standard PC and server set-up and institution of rigorous configuration control.

10. Media Controls Establish documented procedures to control how and when media and other types of USMS data are transferred. An audit trail should also be maintained to evidence such events. Written media control procedures and audit trails will be established to protect and monitor access to sensitive USMS data.

11. No Documented Contingcncy Plan Exists Complete a contingency plan for MNET and its associated applications and conduct a realistic test of the plan and adjust as indicated by the results of the test. Once the test results have been incorporated into the plan, obtain approval of the plan. The USMS is in the process of preparing a contingency plan for MNET as part of the recertification and reaccreditation process. The plan will be tested and revisions made as appropriate.

12. Cisco Router Fault Tolerance is Inadequate Perform backups of the running configuration to the routers’ onboard memory. All changes made to the configuration should be immediately backed up on a separate device. Where appropriate, use backup systems to ensure system availability. Cisco hardware offers advanced backup capabilities in case of hardware or software failure. Mission critical routers (typically core routers) may be good candidates to take advantage of the Cisco backup capabilities. The USMS will institute policy and procedures to ensure all stable running router configuration files are archived. Additionally, the USMS is reviewing its current inventory of routers and service plans to ensure adequate fault tolerance/recovery is in place. Finally, the USMS will be implementing Cisco Works for router configuration management.

13. System Software Remove any software not required for business-related functions. The USMS concurs and will do this as part of the JCON deployment. JCON will preclude loading of software on PCs for non-business-related functions.

14. Inadequate Data Integrity, Validation Controls, and Virus Detection Controls Develop policies and procedures to ensure the installation and use of virus detection software and intrusion detection software and train individuals to use it properly. It should be noted that virus detection software is loaded on every Windows-based computer. Additionally, virus protection policies and procedures will be developed for use by trained IT personnel. The JCON platform will provide for automatic update of virus definition files.

15. Warning Banner Create a system-warning banner. The warning message should be reviewed and approved by the USMS’s General Counsel. A system warning banner has already been established for WIN as well as for USMS financial systems and the authentication server. OGC will be consulted as to any necessary changes to the existing language. Warning banners will be implemented on all all USMS systems as appropriate.

16. Cisco Router Policies Develop, as well as implement, policies and procedures for securing Cisco routers. The USMS concurs with developing and implementing policies and procedures for securing Cisco routers.

17. No “Rules of Behavior” Document Has Been Approved Inquire with the General Counsel to determine which segments of the proposed Rules of Behavior document are delaying the approval and work with the General Counsel to establish a set of rules that meets the Department’s requirements. ITS will work with General Counsel to finalize Rules of Behavior to comply with Department guidance.

18. Formal Incident Response Procedures Have Not Been Established Define responsibilities for incident response, and coordinate and finalize an agreement that clearly states who is responsible for incident response for USMS. A Computer Incident Response Plan was prepared in October 2002. The plan includes designation of incident response responsibilities.

Technical Controls

19. User Account Management Is Improperly Configured a. Enforce Department-wide identification and authentication policies and ensure that only authorized personnel can login to the system.
b. Establish a system administrator to ensure accounts do not remain inactive on the system and ensure active accounts are appropriate. The USMS concurs with enforcing Departmental identification and authentication polices, allowing only authorized personnel to login to the system, and ensuring proper activation of user accounts.

20. Password Controls Are Inadequate a. Review and update current policies so that they are in compliance with the Department’s policies,
b. Enforce Department-wide password policies and procedures and install security tools on all servers to enforce restrictions on passwords. The USMS will ensure its policies conform to DOJ guidance and will enforce them. Security tools will be installed on servers to enforce password restrictions.

21. Accounts and Privileged Groups Delete accounts that do not require access to a privileged group. The USMS will delete accounts that do not require access to a privileged group.

22. Logical Access Controls Develop, implement, and monitor procedures establishing specific security standards and settings for running vulnerable services and server configurations. The USMS will establish specific security standards and settings for running vulnerable services and server configuration through development, implementation, and monitoring of procedures.

23. Data Encryption Implement some level of encryption of WIN data before it is transferred across the network. The USMS will review what level of WIN data encryption is necessary and implement accordingly.

24. Cisco Router Access Controls are inadequate Create an appropriate access list for all routers, and set timeout values for an unattended console. The USMS will review our policies regarding access lists for routers and revise as appropriate. A 20 minute timeout will be set.

25. Cisco Router Traffic Filtering Ensure that USMS security management properly configure TCP intercept mode and add logging for specific access lists. The USMS will review its router configurations and adjust is appropriate, based on the policies and procedures developed in response to item #16.

26. Software Patches Implement and document procedures to require that the latest security patch from the system vendor is obtained and that it is properly installed and configured. Procedures will be developed and implemented to ensure software patches are obtained from system vendors in a timely manner and tested prior to installation.

27. Windows NT Systems Improperly Configured Develop, implement, and monitor document policy establishing specific password standards for server configurations. The USMS will establish, disseminate, and enforce password policies and standards.

28. Auditing, Logging, and Monitoring Are Not Sufficient Implement procedures to ensure that system log messages are reviewed on a regular basis and that system alerts are sent when problems arise. Responsibility will be assigned to USMS personnel to review system logs on a regular basis and transmit system alerts regarding identified problems.

Issue	Recommendation	USMS Response
1. Inappropriate Security Controls	a. Conduct independent reviews when significant changes are implemented and completed. b. Enhance and enforce USMS policies and procedures for identifying, tracking, and correcting vulnerabilities. Maintain a status report on corrective actions performed. c. Increase the number of trained IT security personnel in order to identify and correct system weaknesses in a timely manner.	The USMS currently conducts reviews of systems and applications on an ongoing basis in support of DOJ C&A requirements. This ongoing review process, as well as other independent reviews and audits, identified many of the same or related findings as included in the OIG WIN audit. The USMS developed a corrective action plan to track and resolve IT security vulnerabilities identified in previous years’ financial audits. Periodic status reports (weekly and monthly) were provided to the UKW auditors as part of the FY 2001 financial audit. While some progress has been made, resolution of many of the system vulnerabilities requires additional security resources. The USMS has repeatedly sought more security funding and personnel, but to date, support for these requests has not been forthcoming from the Department.
2. Inadequate Systems Development	Ensure that a documented and approved System Development Life Cycle (SDLC) methodology is applied when planning, implementing, or maintaining major applications or general support systems.	The USMS has developed an Information Technology Investment Management (ITIM)/SDLC process. The USMS ITIM/SDLC process was approved by the DOJ CIO in August 2002. The process will be implemented in USMS in FY 2003.
3. Inadequate Documentation to Support Certification and Accreditation (C&A)	a. Rescind the C&A and place WIN and MNET systems in an Interim Approval To Operate (IATO) status for no longer than 6 months while completing, at a minimum, the systems’ system test & evaluation plan (ST&E), contingency plan, and security plan. b. Develop a corrective action plan establishing a schedule and milestones to complete the ST&E, contingency plan (including test of the contingency plan), and security plan within the 6 months IATO period.	The USMS concurs with placing WIN and MNET in an IATO status for 6 months while completing the recertification and reaccreditation process for the systems. A corrective action plan will be established to complete the required C&A documents within the 6 month timeframe, including preparing the ST&E, contingency plan (with testing), and system security plan.
4. Inadequate System Security Plan	a. Modify the WIN system security plan, USMS strategic plan, to include the “Planning for Security in the Life Cycle” section, as described in NIST SP 800-18. b. Assign a group (or person) with the responsibility for correcting security vulnerabilities and analyzing those controls that are deemed critical by USMS to ensure WIN and MNET systems meet the requirements set forth in the upcoming/current C&A process and documenting all action taken. Finally, if the security controls are not strengthened, remove WIN and MNET from production until all critical functions are adequately secured.	As part of the recertification and reaccreditation for WIN and MNET, the system security plan and required SDLC documents will be prepared or modified to comply with NIST requirements. ITS personnel will be assigned to implement necessary security controls. Corrective actions will be taken so that WIN and MNET are adequately secured as it is not feasible to take these systems out of production.
Operational Controls
5. Inadequate Separation of Duties	Establish procedures to ensure a separation of duties between individuals responsible for developing the system and those responsible for system or security administration.	The USMS has procedures in place requiring separation of duties between system developers and system administrators. However, IT staffing limitations have precluded the procedures from being effectively enforced. Support from the Department for USMS IT security budget requests would rectify this problem.
6. Inadequate Physical and Environmental Controls	Implement Department’s physical security controls as described in DO3 Order 2640.2D.	Enhancements were recently made to the USMS HQ Penthouse to improve physical and environmental controls for IT systems. All USMS production servers have been moved to the Penthouse, and further physical and environmental controls will be implemented as funding permits.
7. World-Writeable Files	Review all world-writeable files and directories. For any files and directories not needed for proper functioning of the system, the file permission should not be world-writeable. Users’ files and directories permission settings should be set in a manner that is necessary for the user to fulfill job responsibilities no more.	The USMS will review the status of all WIN files and directories on the WIN servers and will develop procedures for proper assignment of file permissions for users. A policy of “least privilege” system access will be implemented.
8. User Parameter Settings	a. Define the “umask” settings so that only the owner can view or modify files, b. Construct “path” variables so that no world-writeable directories are included in the path. c. Ensure that all directories are searched appropriately in the “path” variable.	The USMS will review the status of all WIN files and directories on the WIN servers and will develop procedures for proper assignment of user parameters.
9. Help Desk Policies and Procedures Do Not Exist	Implement documented procedures for help desk personnel to follow when performing their daily responsibilities.	The USMS agrees that written procedures need to be prepared to assist help desk personnel in responding to user problems. It should be noted, however, that help desk personnel are not responsible for resolving security problems (e.g., resetting user passwords). Rather, security issues are referred by help desk personnel to system administrators or security staff for resolution. Deployment of the Justice Consolidated Office Network (JCON) in USMS will facilitate help desk support and significantly improve security through implementation of a standard PC and server set-up and institution of rigorous configuration control.
10. Media Controls	Establish documented procedures to control how and when media and other types of USMS data are transferred. An audit trail should also be maintained to evidence such events.	Written media control procedures and audit trails will be established to protect and monitor access to sensitive USMS data.
11. No Documented Contingcncy Plan Exists	Complete a contingency plan for MNET and its associated applications and conduct a realistic test of the plan and adjust as indicated by the results of the test. Once the test results have been incorporated into the plan, obtain approval of the plan.	The USMS is in the process of preparing a contingency plan for MNET as part of the recertification and reaccreditation process. The plan will be tested and revisions made as appropriate.
12. Cisco Router Fault Tolerance is Inadequate	Perform backups of the running configuration to the routers’ onboard memory. All changes made to the configuration should be immediately backed up on a separate device. Where appropriate, use backup systems to ensure system availability. Cisco hardware offers advanced backup capabilities in case of hardware or software failure. Mission critical routers (typically core routers) may be good candidates to take advantage of the Cisco backup capabilities.	The USMS will institute policy and procedures to ensure all stable running router configuration files are archived. Additionally, the USMS is reviewing its current inventory of routers and service plans to ensure adequate fault tolerance/recovery is in place. Finally, the USMS will be implementing Cisco Works for router configuration management.
13. System Software	Remove any software not required for business-related functions.	The USMS concurs and will do this as part of the JCON deployment. JCON will preclude loading of software on PCs for non-business-related functions.
14. Inadequate Data Integrity, Validation Controls, and Virus Detection Controls	Develop policies and procedures to ensure the installation and use of virus detection software and intrusion detection software and train individuals to use it properly.	It should be noted that virus detection software is loaded on every Windows-based computer. Additionally, virus protection policies and procedures will be developed for use by trained IT personnel. The JCON platform will provide for automatic update of virus definition files.
15. Warning Banner	Create a system-warning banner. The warning message should be reviewed and approved by the USMS’s General Counsel.	A system warning banner has already been established for WIN as well as for USMS financial systems and the authentication server. OGC will be consulted as to any necessary changes to the existing language. Warning banners will be implemented on all all USMS systems as appropriate.
16. Cisco Router Policies	Develop, as well as implement, policies and procedures for securing Cisco routers.	The USMS concurs with developing and implementing policies and procedures for securing Cisco routers.
17. No “Rules of Behavior” Document Has Been Approved	Inquire with the General Counsel to determine which segments of the proposed Rules of Behavior document are delaying the approval and work with the General Counsel to establish a set of rules that meets the Department’s requirements.	ITS will work with General Counsel to finalize Rules of Behavior to comply with Department guidance.
18. Formal Incident Response Procedures Have Not Been Established	Define responsibilities for incident response, and coordinate and finalize an agreement that clearly states who is responsible for incident response for USMS.	A Computer Incident Response Plan was prepared in October 2002. The plan includes designation of incident response responsibilities.
Technical Controls
19. User Account Management Is Improperly Configured	a. Enforce Department-wide identification and authentication policies and ensure that only authorized personnel can login to the system. b. Establish a system administrator to ensure accounts do not remain inactive on the system and ensure active accounts are appropriate.	The USMS concurs with enforcing Departmental identification and authentication polices, allowing only authorized personnel to login to the system, and ensuring proper activation of user accounts.
20. Password Controls Are Inadequate	a. Review and update current policies so that they are in compliance with the Department’s policies, b. Enforce Department-wide password policies and procedures and install security tools on all servers to enforce restrictions on passwords.	The USMS will ensure its policies conform to DOJ guidance and will enforce them. Security tools will be installed on servers to enforce password restrictions.
21. Accounts and Privileged Groups	Delete accounts that do not require access to a privileged group.	The USMS will delete accounts that do not require access to a privileged group.
22. Logical Access Controls	Develop, implement, and monitor procedures establishing specific security standards and settings for running vulnerable services and server configurations.	The USMS will establish specific security standards and settings for running vulnerable services and server configuration through development, implementation, and monitoring of procedures.
23. Data Encryption	Implement some level of encryption of WIN data before it is transferred across the network.	The USMS will review what level of WIN data encryption is necessary and implement accordingly.
24. Cisco Router Access Controls are inadequate	Create an appropriate access list for all routers, and set timeout values for an unattended console.	The USMS will review our policies regarding access lists for routers and revise as appropriate. A 20 minute timeout will be set.
25. Cisco Router Traffic Filtering	Ensure that USMS security management properly configure TCP intercept mode and add logging for specific access lists.	The USMS will review its router configurations and adjust is appropriate, based on the policies and procedures developed in response to item #16.
26. Software Patches	Implement and document procedures to require that the latest security patch from the system vendor is obtained and that it is properly installed and configured.	Procedures will be developed and implemented to ensure software patches are obtained from system vendors in a timely manner and tested prior to installation.
27. Windows NT Systems Improperly Configured	Develop, implement, and monitor document policy establishing specific password standards for server configurations.	The USMS will establish, disseminate, and enforce password policies and standards.
28. Auditing, Logging, and Monitoring Are Not Sufficient	Implement procedures to ensure that system log messages are reviewed on a regular basis and that system alerts are sent when problems arise.	Responsibility will be assigned to USMS personnel to review system logs on a regular basis and transmit system alerts regarding identified problems.