Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002
The United States Marshals Service's Warrant Information Network
Report No. 03-03
Office of the Inspector General
The fiscal year (FY) 2001 Defense Authorization Act (Public Law 106-398) includes Title X, subtitle G, "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:
The objective of the audit was to determine the U.S. Department of Justice's (Department) compliance with the requirements of GISRA. The United States Marshals Service's (USMS) Warrant Information Network (WIN) was selected as one of the subset of systems to be tested to determine the effectiveness of the Department's overall security program for FY 2002. WIN is accessed by both USMS district offices and headquarters users through the Marshal Network (MNET). Because of WIN's dependence on MNET, audit work was expanded to include MNET.
Under the direction of the Office of the Inspector General (OIG), and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) performed the audit of WIN and MNET systems. In determining if the Department is compliant with GISRA requirements, PwC assessed whether adequate computer security controls existed to protect WIN and MNET systems from unauthorized use, loss, or modification.
The audit took place from June through July 2002. In this audit, we met with USMS officials from the Information Technology Services staff. We also met with representatives from the Department's Justice Management Division and the Chief Information Officer. We reviewed documentation that included the USMS's IT documents, organizational structures, OMB GISRA reporting information, and prior OIG reports to assess the WIN network's compliance with GISRA and related information security policies, procedures, standards, and guidelines. We performed test work at the USMS headquarters in Arlington, Virginia.
The interviews were conducted using the questionnaire contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems." This questionnaire contains specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire contains 17 areas under 3 general controls (management, operational, and technical). The areas contain 36 critical elements and 225 supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from OMB Circular A-130 and are integral to an effective information technology (IT) security program. The control objectives and techniques support the critical elements. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.
The audit approach was based on the General Accounting Office's Federal Information System Controls Audit Manual, the Chief Information Officer Council Framework, OMB Circular A-130, and guidance established by NIST. These authorities prescribe a review that evaluates the adequacy of management, operational, technical controls over control areas listed in Appendix I.
WIN contains the warrant, court records, internal correspondence related to the warrant, and other information on individuals for whom federal warrants have been issued. WIN is used to track the status of all federal warrants to aid in the investigations of all federal fugitives. It is also used to access the National Law Enforcement Telecommunication System (NLETS) and National Crime Information Center (NCIC) systems to obtain criminal record information from other federal, state, local and foreign law enforcement agencies participating in or cooperating with USMS fugitive investigations and apprehension efforts and to update the respective systems with new prisoner information.
WIN is accessed by both district offices and headquarters users through MNET, the backbone unclassified network for USMS operations. MNET is a sensitive but unclassified system that provides office automation tools to USMS personnel in carrying out their worldwide, mission-related functions. MNET is accessible from field sites and from certain other federal agencies and commercial organizations.
We tested to determine whether adequate computer security controls existed to protect WIN and MNET from unauthorized use, loss, or modification. Our testing consisted of assessing management, operational, and technical controls for 17 critical areas for WIN and MNET. Our testing disclosed vulnerabilities within 16 of the 17 areas. These vulnerabilities were identified as high risks to the protection of WIN and MNET. If not corrected, these security vulnerabilities threaten WIN's and MNET's data with the potential for unauthorized use, loss, or modification.
We concluded that these vulnerabilities occurred because WIN and MNET management did not fully develop, enforce, or formalize agency-wide policy in accordance with current Department policies and procedures. Additionally, we believe the Department did not enforce its security policies and procedures to ensure WIN and MNET were protected from unauthorized use, loss, or modification through its certification and accreditation process. Furthermore, we believe many of the vulnerabilities identified during this audit could have been prevented if USMS management had followed-up on corrective actions for similar vulnerabilities identified in previous years.