Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The United States Marshals Service's Warrant Information Network

Report No. 03-03
November 2002
Office of the Inspector General


APPENDIX III

OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION
ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

Recommendation Number:

  1. Resolved. The USMS agreed with the need for appropriate security controls and stated that while some progress has been made, resolution of many of the system vulnerabilities requires additional security resources. To close this recommendation, the USMS needs to provide the OIG evidence of the USMS's corrective action plan to track and resolve IT security vulnerabilities.
  2. Resolved. The USMS agreed with the need to implement a System Development Life Cycle (SDLC). To close this recommendation, the USMS needs to provide the OIG with evidence that the Information Technology Investment Management/SDLC methodology was approved and implemented.
  3. Resolved. The USMS agreed to place WIN and MNET in an Interim Approval To Operate (IATO) status for six months. To close this recommendation, the USMS needs to provide the OIG evidence that an IATO is obtained and a corrective action plan is established within the six-month timeframe, including preparing the ST&E, contingency plan (with testing), and a system security plan.
  4. Resolved. The USMS agreed with the need for an adequate WIN system security plan. To close this recommendation, the USMS needs to provide the OIG with evidence that the system security complies with NIST requirements and that corrective actions were taken to ensure WIN and MNET systems meet the requirements set forth in the C&A process.
  5. Resolved. The USMS agreed with the need for proper separation of duties and stated that procedures are in place requiring separation of duties. To close this recommendation, the USMS needs to provide the OIG with the procedures requiring separation of duties between system developers and system administrators.
  6. Resolved. The USMS agreed with the need for adequate physical and environmental controls and indicated all USMS production servers had been moved to a new location. To close this recommendation, the USMS needs to provide the OIG evidence that the new location's physical and environmental controls were implemented as described in DOJ Order 2640.2D.
  7. Resolved. The USMS agreed with the need to review world-writeable files. To close this recommendation, the USMS needs to provide the OIG evidence that (a) the WIN files and directories were reviewed, (b) procedures were developed for proper assignment of file permissions for users, and (c) the policy of "least privilege" was implemented.
  8. Resolved. The USMS agreed with the need to review the use of parameter settings. To close this recommendation, the USMS needs to provide the OIG evidence that the user parameter settings were reviewed for proper assignment of user parameters.
  9. Resolved. The USMS agreed that written procedures need to be prepared to assist help desk personnel in performing their daily responsibilities. To close this recommendation, the USMS needs to provide the OIG evidence that written procedures are in place to assist help desk personnel in responding to user problems.
  10. Resolved. The USMS agreed that written media control procedures and audit trails need to be established. To close this recommendation, the USMS needs to provide the OIG evidence once documented procedures are established to control how and when media and other types of USMS data are transferred. In addition, please provide documentation showing how audit trails will be maintained to evidence such events.
  11. Resolved. The USMS agreed that a documented MNET contingency plan is needed. To close this recommendation, the USMS needs to provide the OIG evidence that a contingency plan is approved and tested.
  12. Resolved. The USMS agreed that Cisco router fault tolerance is inadequate. To close this recommendation, the USMS needs to provide the OIG evidence that policies and procedures are implemented to ensure all stable runner router configuration files are archived.
  13. Resolved. The USMS agreed with the need to remove system software that is not required. To close this recommendation, the USMS needs to provide the OIG evidence once the Justice Consolidated Office Network (JCON) deployment has been performed showing the removal of any software not required for business-related functions.
  14. Resolved. The USMS agreed with the need to develop policies and procedures for virus and intrusion detection. To close this recommendation, the USMS needs to provide the OIG the policies and procedures developed to ensure the installation and use of virus detection software and intrusion detection software. In addition, please provide evidence that IT personnel are receiving training to use the software properly.
  15. Resolved. The USMS agreed with the need to create a system-warning banner. To close this recommendation, the USMS needs to provide the OIG evidence showing creation of a system-warning banner that was reviewed and approved by the USMS's Office of General Counsel (OGC).
  16. Resolved. The USMS agreed with the need to develop and implement policies and procedures for securing Cisco routers. To close this recommendation, the USMS needs to provide the OIG evidence that policies and procedures are developed and implemented.
  17. Resolved. The USMS agreed with the need to establish Rules of Behavior. To close this recommendation, the USMS needs to provide the OIG evidence that the OGC was contacted and the Rules of Behavior finalized to comply with Department guidance.
  18. Resolved. The USMS stated in their response that a Computer Incident Response Plan, including designation of incident response responsibilities, was prepared in October 2002. To close this recommendation, the USMS needs to provide the OIG with a copy of the Computer Incident Response Plan.
  19. Resolved. The USMS concurred with enforcing Department-wide identification and authentication policies. To close this recommendation, the USMS needs to provide the OIG evidence that a process is established to enforce the Department-wide policies and a system administrator is established to ensure accounts do not remain inactive on the system and active accounts are appropriate.
  20. Resolved. The USMS concurred that password controls are inadequate. To close this recommendation, the USMS needs to provide the OIG evidence that the password policies were updated in compliance with the Department's policies. In addition, please provide the OIG evidence that security tools are installed on servers to enforce password restrictions.
  21. Resolved. The USMS agreed to delete accounts that do not require access to a privileged group. To close this recommendation, the USMS needs to provide the OIG evidence that the accounts were deleted.
  22. Resolved. The USMS agreed to establish security standards and settings for running vulnerable services and server configuration. To close this recommendation, the USMS needs to provide the OIG with the security standards and settings that are established.
  23. Resolved. The USMS agreed to review the level of WIN data encryption. To close this recommendation, the USMS needs to provide the OIG evidence of the level of encryption implemented before data is transferred across the network.
  24. Resolved. The USMS agreed to review Cisco router access controls. To close this recommendation, the USMS needs to provide the OIG with an updated access list for all routers and documentation showing that a 20-minute timeout is set for an unattended console.
  25. Resolved. The USMS agreed to review and incorporate changes to its router configurations. To close this recommendation, the USMS needs to provide the OIG with evidence that procedures include properly configuring TCP intercept mode and logging for specific access lists.
  26. Resolved. The USMS agreed to develop and implement procedures for security patches. To close this recommendation, the USMS needs to provide the OIG evidence that the security patch is obtained from the vendor in a timely manner and tested prior to installation.
  27. Resolved. The USMS agreed to establish, disseminate, and enforce password policies and standards. To close this recommendation, the USMS needs to provide the OIG evidence that the USMS developed, disseminated, and monitors its password policies and standards.
  28. Resolved. The USMS agreed to assign a person to review system logs on a regular basis and transmit system alerts when problems arise. To close this recommendation, the USMS needs to provide the OIG with the USMS personnel assigned responsibility for reviewing system logs. In addition, the USMS needs to provide the OIG with the procedures implemented to ensure that system log messages are reviewed on a regular basis and that system alerts are sent when problems arise.