Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems

Report No. 02-18
April 2002
Office of the Inspector General


INTRODUCTION

The fiscal year 2001 Defense Authorization Act (Public Law 106-398) includes Title X, subtitle G, "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:

In June 2001, the OMB issued "Reporting Instructions for the Government Information Security Reform Act," requiring the submission of an executive summary and a section characterizing the results of the OIG independent evaluation, by September 10, 2001. [1] The OIG coordinated GISRA work with the Department to promote communication and avoid duplication as the Department concurrently conducted program reviews to fulfill its GISRA obligations. The OIG also held briefings to keep Department and component management apprised of the audit results.

The OIG contracted with PricewaterhouseCoopers LLP to conduct the assessment of the overall computer security program and practices for the Department's sensitive but unclassified (SBU) systems. The objective was to determine the Department's compliance with the requirements of GISRA. To accomplish this objective, individual audits were performed on five SBU systems chosen by the OIG in consultation with Department management: the Drug Enforcement Administration's Firebird and El Paso Intelligence Center Information System, the Federal Bureau of Prisons Network, the Executive Office for U.S. Attorneys' Justice Consolidated Office Network II, and the Justice Management Division's Rockville and Dallas Data Centers.

The auditors reviewed management, operational, and technical controls by interviewing component management personnel, reviewing system documentation, and performing testing. The audits were performed in accordance with Government Auditing Standards and were conducted between April and August 2001. The audit approach was based on the General Accounting Office's Federal Information System Control Audit Manual, the Chief Information Officer Council Framework, and guidance established by the National Institute of Standards and Technology.

The OIG has routinely performed computer information security audits within Department components. Since 1996, the OIG has also reviewed computer security program requirements annually as part of the financial statement audit process. For the GISRA audits, special emphasis was placed on reviewing vulnerabilities previously identified and verifying that appropriate corrective measures were implemented.

The GISRA audits of SBU systems revealed vulnerabilities with management, operational, and technical controls. The auditors assessed the risk these vulnerabilities posed to the protection of each system from unauthorized use, loss, or modification as ranging from high to low. Vulnerability assessments [2] were used to assess operational and technical controls of the SBU systems and identified serious deficiencies including weak password controls, inappropriate user privileges, improper intruder detection settings, and ineffective system auditing. Since technical controls prevent unauthorized access to system resources by restricting, controlling, and monitoring system access, we concluded that these vulnerabilities were the most significant.

The Department's Justice Management Division Information Management and Security Staff (IMSS) is responsible for providing guidance on security issues related to the Department's SBU systems. This includes monitoring components' compliance with the provisions of the Department's security policy and applicable Federal statutes, policies, and regulations as they apply to SBU computer systems. The IMSS has conducted network security penetration testing of SBU systems at Department components for the past four years.

A summary of the individual audit results previously reported is detailed in the Findings section of this report. Appendices I and II provide background on the systems selected and the objective, scope, and methodology for the audit.


Footnotes

  1. The OIG began the GISRA audits in April 2001, prior to the availability of OMB's GISRA reporting instructions. Therefore, our audits did not specifically address, and we do not report on, all of the instruction's 13 requested questions. However, we expect to include all 13 questions in the scope of our 2002 GISRA reviews.
  2. A vulnerability assessment is a security test in which evaluators analyze system settings and security features, based upon their understanding of the system design and implementation. A determination is then made as to whether the system is optimally configured and appropriate security controls are in place. Unlike penetration testing, vulnerability tests do not attempt to circumvent the security features of a system and gain entry.