Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems
Report No. 02-18
April 2002
Office of the Inspector General
The Government Information Security Reform Act (GISRA) required the Office of the Inspector General (OIG) to perform an independent evaluation of the U.S. Department of Justice's (Department's) information security program and practices. This report summarizes the results of the evaluation for the Department's sensitive but unclassified (SBU) systems for FY 2001. Separate reports were issued for each of the individual systems evaluated. The OIG is also issuing a report summarizing the results of the Department's classified systems.
The OIG took an ambitious approach to fulfill the GISRA requirement by performing individual audits on a subset of Department systems. The OIG, in conjunction with Department management, selected four classified and five SBU systems to audit from the universe of Department systems for fiscal year 2001. Systems selected were mission critical and representative of differing system configurations (both client/server and mainframe) and operating systems (UNIX, Novell, Windows NT, and OS/390).
Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP conducted the assessment of the Department's overall computer security program and practices for the SBU systems by performing individual audits of five systems maintained by the Federal Bureau of Prisons (BOP), Drug Enforcement Administration (DEA), Executive Office for U.S. Attorneys (EOUSA), and Justice Management Division (JMD).
SBU Systems Selected for Audit
| Component | System |
|---|---|
| BOP | BOP Network (BOPNet) |
| DEA | El Paso Intelligence Center Information System (EIS) |
| DEA | Firebird |
| EOUSA | Justice Consolidated Office Network II (JCONII) |
| JMD | Rockville and Dallas Data Centers (JDC) |
The audits consisted of interviews, on-site observations, and reviews of Department and component documentation to assess the system and component compliance with GISRA and related information security policies, procedures, standards, and guidelines. Commercial-off-the-shelf and proprietary software were used to conduct security tests and analyses of significant operating system integrity and security concerns.
The audits of the SBU systems revealed vulnerabilities with management (M), operational (O), and technical (T) controls. The auditors assessed these vulnerabilities at a high to low risk to the protection of each system and the data stored on it from unauthorized use, loss, or modification. Specifically, vulnerabilities were noted in the following areas:
Audit Results of SBU Systems
| Areas of Vulnerability | Control Type | BOPNet | EIS | Firebird | JCONII | JDC |
|---|---|---|---|---|---|---|
| Security Policies and Procedures | M | X | X | X | X | X |
| Authorization of Software Changes | M | X | ||||
| Risk Assessment Reporting | M | X | X | X | ||
| Contingency Planning | O | X | X | X | ||
| System Backup Procedures | O | X | X | |||
| System Configuration | O | X | X | X | ||
| Password Management | T | X | X | X | X | X |
| Logon Management | T | X | X | X | X | X |
| Account Integrity Management | T | X | X | X | X | |
| System Auditing Management | T | X | X | X | X |
Overall, the GISRA audits found that Department-level and component security policies and procedures were either insufficient or unenforced. The auditors concluded the Department did not provide timely and effective oversight to ensure implementation of its security policies. For example, the Department took nearly four years to revise its overall security policy, DOJ Order 2640.2D "Information Technology Security," after reporting it as ineffective in September 1997. In several areas of identified vulnerabilities, broadly stated or minimally imposed standards allowed system security managers too much latitude in establishing system settings, and consequently systems were not fully secured.
To address these deficiencies, we recommend granting responsibility to a single point of contact in the office of the Assistant Attorney General for Administration to oversee, standardize, implement, and maintain strict baseline Department-wide security controls over both SBU and classified systems. This contact also would serve as a liaison between the Information Management and Security Staff, the Security and Emergency Planning Staff, and the Assistant Attorney General for Administration. Among our recommendations are: