Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems

Report No. 02-18
April 2002
Office of the Inspector General



We recommend that the Acting Assistant Attorney General for Administration (AAG/A):

  1. Establish a Department Information Technology (IT) Central Security Compliance Office for classified and sensitive but unclassified systems with the responsibility for:

    1. Monitoring security-related activities by testing controls at each component having classified systems (i.e. performing penetration tests and providing those results to the affected components).

    2. Reviewing the number and types of security deficiencies identified in each component's periodic reports.

    3. Evaluating each component's compliance with Department security policies, especially in areas of reported weaknesses, and establishing processes and procedures to enforce existing policy, such as passwords, account lockout, and system auditing management.

    4. Assisting component Security Program Managers in assessing security risks, identifying hardware/software security deficiencies, and providing policy and procedural guidance as needed.

  2. Charge the Department IT Central Security Compliance Office with ensuring that all components have current, documented, and tested contingency plans.

  3. Charge the Department IT Central Security Compliance Office with developing a comprehensive corrective action plan to address, fully and in a timely manner, all Department-wide IT control weaknesses previously identified in security reviews and audits. Additionally, measures should be prescribed and oversight provided to ensure that component corrective action plans are prepared and that vulnerabilities are corrected. Eliminating repeat findings should be a priority.

  4. Require each component Security Program Manager to:

    1. Have full knowledge of and familiarization with current Department information technology security policies and procedures, including DOJ Order 2640.2D and other departmental policies related to classified and unclassified systems.

    2. Report component compliance with Department security policy requirements.

    3. Ensure a security administrator is designated within each component for reviewing system security posture in accordance with Department security policy. In the case of multiple platforms or operating systems supporting component systems, an administrator should be designated to represent each unique platform.

    4. Ensure periodic computer security training is provided for each platform supported and require attendance by the designated security administrators.

    5. Develop and enforce security policies, or apply industry best practices, to assess and counter evolving computer security vulnerabilities.

  5. Require each component Security Program Manager to periodically report to the Department IT Central Security Compliance Office on the compliance of individual systems within their component relative to requirements outlined in Department security policies and procedures. Upon its review of the reports, the Department IT Central Security Compliance Office should bring areas of concern to the attention of the AAG/A.

  6. Establish and implement guidance to ensure systems' security is monitored sufficiently, efficiently, and consistently. Specific areas that need to be immediately addressed include:

    1. automated monitoring of security policy compliance;

    2. automated logging, auditing, review, and notification of security-relevant events;

    3. requiring intrusion detection testing; and

    4. requiring application and operating system patches be kept current.

    (Note: According to JMD, they began addressing some of the above areas after the audits were completed.)

    Although DOJ Order 2640.2D addresses many areas of identified system security vulnerabilities, it still lacks sufficient guidance in several areas. The policy should be specific to each operating system (Windows NT, Novell, and UNIX) so that the requirements are not misunderstood or inappropriately applied (i.e. some procedures may apply to Windows NT systems but not to UNIX systems). Further, procedures need to be developed to provide more specific guidance when necessary.

    Therefore, we recommend that the AAG/A:

  7. Require periodic updates that supplement DOJ Order 2640.2D based on observed component needs, the evolving computer security environment, and industry best practices. We recommend that the AAG/A promptly review the adequacy of guidance for the following areas:

    1. password management (including task versus user accounts);

    2. accountability and audit trails;

    3. access controls;

    4. account integrity management, including monitoring of account disposition (dormant accounts);

    5. logon management;

    6. service accounts - changing the default password;

    7. assignment of user rights and advanced user rights;

    8. renaming guest and administrative accounts; and

    9. backup procedures.


Footnote 1: These recommendations are presented in our GISRA summary report for classified systems. Corrective action will be tracked as part of the follow-up process for that report. See Appendix IV.