Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General

Table of Contents

EXECUTIVE SUMMARY

BACKGROUND
 
  1. The Department's Management of Critical Information Technology Assets
  2. Framework for Assessing Adequacy of CIP Program
  3. Prior Office of the Inspector General Reports
  4. General Accounting Office Reports
FINDINGS AND RECOMMENDATIONS
FINDING 1: ESTABLISHING A RISK MITIGATION PROGRAM
 
  1. Vulnerability Assessments and Risk Mitigation
  2. Progress Toward Mitigating Program Vulnerabilities
  3. Progress Toward Mitigating Critical IT Asset Vulnerabilities
  4. Conclusions
  5. Recommendations
FINDING 2: ESTABLISHING AN EMERGENCY MANAGEMENT PROGRAM
 
  1. Department Efforts to Establish an Emergency Management Program for the Protection of Critical Infrastructure Assets
  2. Implementation of the Emergency Management Program
  3. Overall Causes for and Effect of Not Fully Implementing an Emergency Management Plan
  4. Conclusions
  5. Recommendations
FINDING 3: ESTABLISHING AN EFFECTIVE INTERAGENCY COORDINATION PROGRAM
 
  1. Importance of Establishing an Effective Interagency Coordination Program
  2. CIP Plan Requirements for Establishing an Effective Interagency Coordination Program
  3. An Interagency Coordination Program as Envisioned in the CIP Plan Was Not Implemented
  4. Reasons Why an Effective Interagency Coordination Program Was Never Established
  5. Conclusions
  6. Recommendations
FINDING 4: MEETING DEPARTMENT RESOURCE AND ORGANIZATIONAL REQUIREMENTS
 
  1. Requirement in the CIP Plan
  2. Implementation of the CIP Plan for Resource and Organizational Requirements
  3. Recommendation
FINDING 5: ESTABLISHING EFFECTIVE RECRUITING, EDUCATING AND AWARENESS PROGRAMS
 
  1. Planned Programs
  2. Recruitment
  3. Education and Training
  4. Awareness
  5. Recommendation
FINDING 6: FOLLOW-UP ON THE PRIOR OIG AUDIT OF DEPARTMENT CRITICAL INFRASTRUCTURE PLANNING FOR THE PROTECTION OF COMPUTER BASED INFRASTRUCTURE
 
  1. Inventory the Department's MEI
  2. Complete Vulnerability Assessments of the Department's MEI
    by December 31, 2000
  3. Remedial Plans to Address Weaknesses Identified by the Vulnerability Assessments
  4. Multi-Year Funding Plan for the Remediation of Vulnerabilities
APPENDIX 1 OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX 2 ABBREVIATIONS AND ACRONYMS
APPENDIX 3 STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX 4 STATEMENT ON MANAGEMENT CONTROLS
APPENDIX 5 DEPARTMENT OF JUSTICE'S COMPUTER-BASED MINIMUM ESSENTIAL INFRASTRUCTURES
APPENDIX 6 CRITICAL ASSET DESCRIPTIONS
APPENDIX 7 PCIE/ECIE DESCRIPTION
APPENDIX 8 THE TWELVE CRITICAL IT ASSET VULNERABILITIES
APPENDIX 9 FLOW OF INFORMATION WITH THE DEPARTMENT OF STATE AND US CUSTOMS
APPENDIX 10 DEPARTMENT ENTITIES THAT HAD CIP TASK FORCE MEMBERS
APPENDIX 11 JMD'S RESPONSE TO THE DRAFT REPORT
APPENDIX 12 OIG, AUDIT DIVISION ANALYSES AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT