Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems
Report No. 02-18
Office of the Inspector General
The fiscal year 2001 Defense Authorization Act (Public Law 106-398) includes Title X, subtitle G, "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:
In June 2001, the OMB issued "Reporting Instructions for the Government Information Security Reform Act," requiring the submission of an executive summary and a section characterizing the results of the OIG independent evaluation, by September 10, 2001. 1 The OIG coordinated GISRA work with the Department to promote communication and avoid duplication as the Department concurrently conducted program reviews to fulfill its GISRA obligations. The OIG also held briefings to keep Department and component management apprised of the audit results.
The OIG contracted with PricewaterhouseCoopers LLP to conduct the assessment of the overall computer security program and practices for the Department's sensitive but unclassified (SBU) systems. The objective was to determine the Department's compliance with the requirements of GISRA. To accomplish this objective, individual audits were performed on five SBU systems chosen by the OIG in consultation with Department management: the Drug Enforcement Administration's Firebird and El Paso Intelligence Center Information System, the Federal Bureau of Prisons Network, the Executive Office for U.S. Attorneys' Justice Consolidated Office Network II, and the Justice Management Division's Rockville and Dallas Data Centers.
The auditors reviewed management, operational, and technical controls by interviewing component management personnel, reviewing system documentation, and performing testing. The audits were performed in accordance with Government Auditing Standards and were conducted between April and August 2001. The audit approach was based on the General Accounting Office's Federal Information System Control Audit Manual, the Chief Information Officer Council Framework, and guidance established by the National Institute of Standards and Technology.
The OIG has routinely performed computer information security audits within Department components. Since 1996, the OIG also reviewed computer security program requirements annually as part of the financial statement audit process. For the GISRA audits, special emphasis was placed on reviewing vulnerabilities previously identified and verifying that appropriate corrective measures were implemented.
The GISRA audits of SBU systems revealed vulnerabilities with management, operational, and technical controls. The auditors assessed these vulnerabilities at a high to low risk to the protection of each system from unauthorized use, loss, or modification. Vulnerability assessments 2 were used to assess operational and technical controls of the SBU systems and identified serious deficiencies including weak password controls, inappropriate user privileges, improper intruder detection settings, and ineffective system auditing. Since technical controls prevent unauthorized access to system resources by restricting, controlling, and monitoring system access, we concluded that these vulnerabilities were the most significant.
The Department's Justice Management Division Information Management and Security Staff (IMSS) is responsible for providing guidance on security issues related to the Department's SBU systems. This includes monitoring components' compliance with the provisions of the Department's security policy and applicable Federal statutes, policies, and regulations as they apply to SBU computer systems. The IMSS has conducted network security penetration testing of SBU systems at Department components for the past four years.
A summary of the individual audit results previously reported is detailed in the Findings section of this report. Appendices I and II provide background on the systems selected and the objective, scope, and methodology for the audit.