Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems

Report No. 02-18
April 2002
Office of the Inspector General


APPENDIX II

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audits was to determine the Department's compliance with the requirements of the Government Information Security Reform Act. In doing so, the OIG assessed whether adequate computer security controls existed to protect Department systems from unauthorized use, loss, or modification. To accomplish the objective, the OIG reviewed management, operational, and technical controls for a subset of Department systems. This report summarizes the audit results of the five SBU systems reviewed.

We interviewed component and system management personnel, reviewed system documentation, and performed testing to determine compliance with Department and component security policies and procedures. The audits were performed in accordance with Government Auditing Standards and took place from April through August 2001. The effectiveness of security controls was assessed by using commercial-off-the-shelf and proprietary software to conduct vulnerability assessments of the systems.

The audit approach was based on the General Accounting Office's Federal Information System Controls Audit Manual, the Chief Information Officer Council Framework, OMB Circular A-130, and guidance established by the National Institute of Standards and Technology.