OIG Audit Report 05-32

Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General

Appendix I

Objectives, Scope, and Methodology

Our audit objectives were to: (1) review the Department’s policies and practices concerning the storage of classified information on portable computers, and (2) determine whether more effective practices could be adopted by the Department to enhance the ability to process classified information on portable computers while adequately safeguarding the information.
Our audit was performed in accordance with the Government Auditing Standards issued by the Comptroller General of the United States and included such tests as necessary using the performance auditing standards to accomplish the audit objectives stated above.
The scope of our audit included reviewing the DOJ Chief Information Officer’s 18 Information Technology Security Standards; the DOJ’s Security Program Operating Manual; Executive Orders 12333, 12958, and 13231; DOJ Orders 2640.2E and 2620.7; applicable sections of the Federal Information Security Management Act of 2002; applicable sections of the Clinger Cohen Act; NIST Publications 800-37 and 800-59; applicable sections of the National Information Assurance Certification and Accreditation Process (NIACAP); Director of Central Intelligence Directives, DCIDs 6/3 and 6/9; Federal Information Processing Standards Publication 197; Office of Management and Budget Circular A-130; 5 CFR Part 930; and 18 U.S.C. 2510.
During our initial discussions with the Department’s Deputy Chief Information Officer and the Assistant Director of the Security and Emergency Planning Staff, they identified DOJ components that process classified information using portable computers. Based on their recommendations of components that process classified information, we selected the Drug Enforcement Administration, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys to discuss the use of portable computers for processing classified information.
We extended our interviews beyond the DOJ in order to determine how other federal agencies address the storing and processing of classified information using portable computers. Based on meetings with staff from SEPS and the Chief Information Officer’s office, we interviewed IT and security personnel from the National Security Agency, the Central Intelligence Agency, and the Department of Energy. While conducting our interviews with staff at the Central Intelligence Agency, they recommended we also contact the National Reconnaissance Office within the Department of Defense.