Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
The primary objectives of this audit were to determine whether the Department has effectively implemented its plans for: 1) mitigating risks; 2) managing emergencies; 3) coordinating resources with other agencies; 4) meeting its resource and organizational requirements; and 5) recruiting, educating, and maintaining awareness relating to protecting its critical cyber-based infrastructures.
Scope and Methodology
The audit was performed in accordance with Government Auditing Standards, and included tests and procedures necessary to accomplish the audit objectives. We conducted work at the offices of JMD's Information Management and Security Staff located in Washington, D.C.
Our audit began July 22, 2002. To perform our audit, we conducted interviews with JMD officials from the IMSS, CSS, SEPS, and Budget Staff. Additionally, we reviewed documents related to CIP management policies and procedures, project management guidance, strategic plans, IT systems certification and accreditation, budget documentation, organizational structures, Congressional testimony, and prior GAO and OIG reports.
To determine whether the IMSS was effectively managing the CIP program, we followed guidance issued by the PCIE and ECIE Audit Committee. See Appendix 7 for a description of the PCIE and ECIE.
We compared the evidence collected from documents reviewed and interviews to the practices defined in the Department's CIP Plan; PDD 63; and The Practices for Securing Critical Information Technology Assets, issued by the CIAO's office. Additionally, we followed up on recommendations from our prior audit report, entitled "Department Critical Infrastructure - Planning for the Protection of Computer Based Infrastructure Report," issued November 2000. In assessing the status of the Department's effort to close the recommendations, we assessed the adequacy of: 1) the development of the MEI, particularly after the 9/11 terrorist attacks, 2) the vulnerability assessment, and 3) the multi-year funding plan.
To determine whether the Department had adequately implemented its Risk Mitigation Plan for vulnerabilities identified in the vulnerability assessment, we reviewed the vulnerability assessment, tabulated the vulnerabilities identified, tracked the status of the IMSS's efforts in monitoring mitigation activities, and noted variances. Additionally, based on comments by IMSS officials, we assessed whether resources were adequate to fund the risk mitigating activities and whether risk mitigation activities would be completed by May 2003.
To assess the Department's implementation of its emergency management program, we obtained from IMSS staff a description of that program. We examined the Department's management policy for: 1) indications and warnings; 2) incident collection, reporting, and analysis; 3) response; and 4) contingency plans. Additionally, we attempted to verify whether these functions had been adequately tested.
Our assessment of interagency coordination included a review of the methodology that the IMSS used to determine the critical support other entities' assets provide to the Department and that the Department provides to other agencies. We assessed the Infrastructure Asset Evaluation Surveys completed by Department components. Additionally, we determined the status of the development of a list of liaisons and interagency relationships as it relates to CIP.
We evaluated the Department's comparison of its organizational requirements to existing resources and the status of corrective actions or plans to correct the variances identified. We reviewed independent studies completed to analyze current organizational makeup, identify needed skills in the IT security staff, identify gaps, and propose organizational and staffing changes.
We evaluated the IMSS's current recruitment efforts and the generic criteria used to recruit IT security professionals. We reviewed resource needs identified through other reviews and, as it pertained to CIP, evaluated whether variances had been corrected.
We evaluated education and training for computer security professionals. We reviewed the generic requirements for the GS-2210, Computer Specialist, job series and evaluated the specific IMSS training requirements. We further assessed the Department's security awareness policy, the purpose of which is to make employees aware of the importance of security.