II. COMPUTER SECURITY MANAGEMENT

DEA's computer security management was inadequate because: (1) personnel were not properly cleared, authorized, and trained for access to sensitive resources; (2) computer equipment was not properly controlled and safeguarded; (3) risk analyses and contingency plans were not always performed and tested; and (4) visitor access and lock combination changes were inadequate to restrict access to sensitive resources. Without adequate computer security management controls, unauthorized personnel can intentionally or unintentionally access, alter, steal, or destroy sensitive information and equipment.

Personnel Security Controls

Personnel security controls identify for investigation those employees having access to sensitive resources. DOJ Order 2610.2, Personnel Security Regulations, requires an initial full-field background check for all employees in sensitive positions, and a periodic reinvestigation every 5 years while the employee is with the agency.

A prior OIG audit report issued in 1989, "DEA's ADP General Controls," also disclosed that periodic background reinvestigations were not performed. Reinvestigations are essential in helping to ensure that access to sensitive data is not provided to individuals of questionable character. The GAO audit report also disclosed that security personnel in DEA field locations had not completed background investigations on contract employees working in its facilities. During our current audit, DEA personnel stated background investigations are currently backlogged a minimum of 3 years.

To determine whether these weaknesses still existed, we extracted information from DEA's automated employee data base for 71 DEA employees and 153 contractor employees at four DEA locations. Some of these employees in our sample performed tasks such as data control or had the programming skills and knowledge that could enable them to abuse, misuse, or otherwise manipulate data. Our review of the automated employee data base records disclosed that:

• Background investigations for 30 of 71 DEA employees (42 percent) and 98 of 153 contractor employees (64 percent) were assigned "pending" status. Included in this category were two employees who entered on duty in 1970. According to personnel in DEA's Office of Security Programs, a "pending" status indicated that data, such as dates of the completed background investigations, were not entered or a background investigation was initiated but not yet adjudicated.

• Background investigations for 2 of 71 DEA employees (3 percent) and 26 of 153 contractor employees (17 percent) contained "blank" fields which indicated that data were not entered or a background investigation was not initiated. Included in this category were two contractor employees who are now inactive.

• Periodic background reinvestigations for 17 of 71 DEA employees (24 percent) contained "blank" fields which indicated that data were not entered or a periodic background reinvestigation was not initiated. Included in this category was a DEA employee who showed an initial background investigation dated 1968.

Because of the significant number of employee records with either "pending" status or "blank" fields, we believe that DEA should immediately validate information in its automated employee data base and update data base records as appropriate.

Recommendations

We recommend the Administrator, DEA:

9. Validate information in the automated employee data base and update data base records as appropriate.

10. Conduct full-field background investigations for all employees with access to sensitive information.

11. Conduct periodic background reinvestigations every five years for all employees with access to sensitive information.

The above recommendations are resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendations.

Individual Access Controls

Individual access controls utilize a combination of user identifications and passwords. A user identification is a series of alphanumeric characters that uniquely identifies a user to the system. A password is a private character string used to authenticate an individual user's identity. DOJ Order 2640.2C states that user identification and password systems support the minimum requirements of access control. One way to support the minimum requirements of access control, as stated in DOJ Order 2640.2C, is to require that each user have a unique user identification and password. We examined the following areas at 26 DEA sites to determine whether access controls were adequate for assigning user identifications and passwords, changing passwords, and deleting inactive user identifications and passwords.

Assigning User Identifications and Passwords - DOJ Order 2640.2C requires security safeguards to ensure each person having access to a computer system is individually accountable for his/her actions on the system. Individual access cannot be monitored or audited without unique user identifications and passwords.

The GAO audit report disclosed many instances of DEA personnel sharing passwords. The Department's response, on behalf of DEA, stated DEA's Office of Security Programs had written and revised the security policy for personal computers to include DEA's overall microcomputer policy requiring features such as unique user identification and use of audit trails.

We found DEA personnel still sharing user identifications and passwords during our current review. Our review of 26 sites disclosed shared user identifications and passwords at three sites. For example:

• At one site, two system managers shared the same logon user identification and password.

• At another site, four system managers shared the same logon user identification and password.

• At a third site, the majority of office personnel shared the same logon user identification and password. This logon granted administrative tools that should normally be limited to system managers. These tools are used to perform backups, create and modify configuration files, monitor memory and disk space usage, monitor cluster [workstation] and network activity, and start applications. The logons also permitted unlimited access to certain directories and files that allow a user unauthorized access to sensitive data. According to the system manager, the logons were assigned by a previous system manager.

DEA's Office Automation operating system is old technology and does not allow for unique user identifications and passwords for system management responsibilities. As a result, the system manager and his/her backup must share passwords.

Recommendation

We recommend the Administrator, DEA:

12. Restrict administrative functions to only the system managers.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

Changing Passwords - To ensure effectiveness, passwords must be changed periodically to ensure only persons with a valid "need to know" gain access to sensitive information. Without proper password controls, unauthorized persons could gain access to sensitive information and modify or destroy data. DEA's Office Automation Security Procedures requires that passwords be changed every six months.

Our prior audit report disclosed that passwords were not periodically changed. The Department's response to the GAO audit report stated that all system managers would, on a continual basis, receive lists of randomly generated passwords for the local area network and utilize the lists to change all passwords every 6 months.

We found this weakness still existed during our current audit. Our review disclosed that passwords were not changed every 6 months for local area network users at 26 of 67 Office Automation workstations, located at 13 of 25 sites. The users could not recall if, or when, passwords had been changed by the system manager.

Recommendation

We recommend the Administrator, DEA:

13. Require system managers to change local area network passwords at least every 6 months.

The above recommendation is closed. See Appendices III and IV for resolution activity.

Deleting Inactive User Identifications and Passwords - Our prior audit report disclosed that passwords were not always deactivated upon an employee's departure from DEA. At that time, DEA attributed this oversight to the fact they were not routinely made aware of employee separations. A high risk still exists that unauthorized personnel could access and compromise DEA's sensitive information processed at the Justice Data Center and on DEA's local area networks.

DEA uses the Office Automation system to process sensitive information and, through the Time Sharing Option (TSO) and Conversational Monitoring System (CMS), to access other sensitive data base systems, such as DEA's Narcotics and Dangerous Drug Information System (NADDIS). These data base systems are stored on mainframe computers at the Justice Data Center and are linked to Office Automation workstations and other computers in DEA offices through DEA's Network Control Center.

Our review of active Time Sharing Option and Conversational Monitoring System user identifications and passwords disclosed that 31 of 189 TSO and 32 of 155 CMS user identifications and passwords had not been used for 1 year or more and had not been deleted. Time Sharing Option and Conversational Monitoring System users have the knowledge and ability to access data base systems that could compromise sensitive information and could cause accidental or intentional destruction, modification, or misuse of data. To determine whether these users could also access DEA's data base environment, we selected for further review 3 of the 31 unused Time Sharing Option and 6 of the 32 unused Conversational Monitoring System user identifications.

We found that two of the three Time Sharing Option users also had access to DEA's data base environment. Further review disclosed that one of the two users had retired. We notified DEA personnel who immediately suspended access for this individual. Further, five of six Conversational Monitoring System users could also access DEA's data base environment. One of the five users had not used the system since January 1994. We notified DEA personnel who immediately suspended the user identification for this individual. We also found that, for one field office, a contractor's local area network user identification and password were not deleted upon reassignment. User identification and password deactivation for separated employees can be effectively accomplished if computer accesses, such as Time Sharing Option and Conversational Monitoring System, are removed at the time an employee departs from the agency.

Recommendations

We recommend the Administrator, DEA:

14. Remove all inactive Time Sharing Option, Conversational Monitoring System, and local area network user identifications and passwords.

15. Add an element to the "Employee Exit Procedures," for the system manager to assure the removal of all Time Sharing Option, Conversational Monitoring System, and local area network user identifications and passwords at the time an employee is reassigned or is terminated.

The above recommendations are resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendations.

Administrative Security Controls

Administrative security controls consist of the policies, procedures, and standards necessary for a facility to function properly and to support the mission of the organization. Administrative security controls can include inventory control, implementing security awareness training, assigning security responsibilities, and maintaining appropriate documentation.

Inventory Control - The GAO audit report disclosed that DEA had been unable to develop an accurate and complete inventory of the several thousand microcomputers that its personnel use to process sensitive data. These problems were longstanding and remained unresolved despite being first reported by DEA internal inspectors in July 1988. The report further stated that, without an accurate inventory of computers, DEA cannot track the computers' use to ensure appropriate safeguards are in place to protect the sensitive information processed. Moreover, DEA may not be aware of the loss or theft of computers containing sensitive information.

The Department's response stated that DEA had done much to reconcile its inventory in its field office and to improve its ability to track and identify all of its equipment. DEA had expanded its automated system, which tracks the number of personal computers in DEA's inventory, to give a more detailed description of the equipment as well as its locations in the field.

In order to determine the accuracy of the automated inventory system, we physically inventoried 112 selected computers at 21 of 26 sites visited. For each computer, we compared the uniquely assigned "DEA Number" with the automated inventory records for each location. Our review showed that 6 "DEA Numbers" reconciled to the automated inventory records for 3 of the 21 sites. At the remaining 18 sites, 69 of 106 "DEA Numbers" did not match the automated inventory records.

An internal memorandum dated February 23, 1996, from DEA's Office of Information Systems stated it was virtually impossible to reconcile an inventory with any degree of accuracy using the current automated inventory system. The memorandum further stated the automated inventory system is less than 50 percent accurate and, in some cases, as much as 66 percent of the equipment is not listed in the system. The internal memorandum also stated that with the proliferation of computer equipment, the use and movement of this equipment is so mobile it is difficult to keep track of it.

Recommendation

We recommend the Administrator, DEA:

16. Perform a comprehensive physical inventory of computer equipment at all locations and reconcile the physical inventory with the computer inventory records.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

Computer Security Awareness Training - The Computer Security Act of 1987 requires each organization to provide periodic training for computer security awareness and that a record of the training be maintained. If not, DEA cannot ensure that personnel are aware of individual security responsibilities for protecting DEA information processed on computers.

The GAO audit report stated that the effectiveness of DEA's computer security awareness training was questionable. The Department's response stated that DEA's Office of Security Programs had undertaken measures to identify those employees who had not been trained or were in need of a refresher course. The response further stated that appropriate training was provided for these employees and that new employees and others who had missed the training would receive computer security awareness training on an individual or small group basis.

We found this weakness still existed during our current audit. Our review disclosed computer security awareness training was inadequate at 14 of 26 sites. For example:

• At 13 sites, computer security awareness training was either not provided on a periodic basis or not documented. For example, at 2 sites, computer security awareness training had not been provided since May 1989, and at 3 sites, training had not been provided within the past 2 years.

• At 1 site, personnel could not recall whether computer security awareness training had ever been provided.

During our audit, DEA compiled a computer security awareness briefing package with pamphlets and a video that was sent to all DEA divisional offices. This package will then be forwarded to district, resident, and post of duty field offices.

Recommendation

We recommend the Administrator, DEA:

17. On a periodic basis, provide and document computer security awareness training.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

System Manager Training - DOJ Order 2640.2C requires computer security training for all persons involved in the management, use, or operation of systems that process sensitive information. The GAO audit report noted that system managers did not monitor computer security because they were unaware of security responsibilities, had too many other duties, and had little or no training and computer-related experience. The Department's response stated that DEA was providing training to equip the system managers with the necessary skills.

We found this weakness still existed during our current audit. At 6 of 26 sites, system managers indicated they had received no formal system manager training. Further, training had not been provided to some system managers since 1988. System managers' responsibilities at 22 of the 26 sites were collateral duties and the functional duties varied from secretary, to administrative support specialist, to criminal investigator. We also found system managers at 2 sites had not received any system training for the new Office Automation Network (Firebird). According to DEA personnel, system manager training was previously offered and presented to those individuals who had been designated with this collateral duty; however, training had not been offered since 1992.

Without proper training, system managers will be unable to fully use the administrative tools needed to maintain, monitor, and troubleshoot the local area networks. In effect, this could leave the system vulnerable to unauthorized or undetected access to sensitive data.

Recommendation

We recommend the Administrator, DEA:

18. Provide system training to all system managers.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

Computer Security Policies and Procedures - The GAO audit report disclosed DEA personnel were unaware of computer security responsibilities because computer security guidance had been inadequate or poorly communicated. The Department's response stated that training and dissemination of information to DEA personnel is an ongoing process. The response further stated that DEA's Office of Security Programs had sent all information pertaining to security regulations and requirements to the system managers in the field. However, we found this weakness still existed during our current audit. Our review disclosed the following:

• System managers at four sites stated that DEA Headquarters did not provide a booklet of compiled computer security memoranda which included computer security policies and procedures.

• System managers at three sites stated that DEA Headquarters did not provide the Office Automation Security Procedures. These procedures included password procedures, file protection, protocols for adding and deleting users, and security for deactivating, relocating, and securing workstations. According to documentation reviewed at DEA Headquarters, these procedures were forwarded to all Assistant Special Agents-in-Charge on August 23, 1993.

• System managers at five sites told us that DEA Headquarters did not provide the DEA's Planning and Inspection Manual. This manual establishes policy and implementing procedures for general management and administration of DEA programs and includes specific security sections on personnel, administrative, physical, and computer security.

 

Recommendation

We recommend the Administrator, DEA:

19. Distribute appropriate security guidance to personnel at all DEA offices.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

• Two sites did not develop and submit to DEA Headquarters, Occupant Emergency Plans, as required by DEA's Planning and Inspection Manual. This plan is developed in order to minimize danger to life and property arising from the effects of natural or man-made disasters.

 

Recommendation

We recommend the Administrator, DEA:

20. Develop and submit Occupant Emergency Plans to Headquarters.

The above recommendation is closed. See Appendices III and IV for resolution activity.

Virus Detection - A computer virus is computer code that copies itself onto other executable programs by adding to or overwriting an existing program and thereby damaging the program. The computer virus can intentionally alter, without the user's knowledge, the way the computer operates; it can also modify the programs and data stored on the computer. Whenever an infected program is executed, the virus program is executed first. Consequently, the virus continues infecting other programs. To prevent a computer virus, DOJ Order 2640.2C states that virus prevention measures should be employed to ensure the integrity of the software. Our review disclosed that:

• For all 48 file servers, virus detection software was not being utilized.

• For all 67 Office Automation workstations connected to the 48 file servers, virus detection software was not being utilized.

The Department's response to the GAO audit report stated virus prevention methods would be employed to help ensure that computers processing sensitive information were protected. Because the operating system is old technology, virus detection software is unavailable for either the file servers or workstations. Our review disclosed no instances of computer viruses affecting the Office Automation operating system or its programs.

Recommendation

We recommend the Administrator, DEA:

21. Notify the Department's Security Officer regarding an alternative course of action, if virus detection software cannot be found for the file servers and workstations.

The above recommendation is closed. See Appendices III and IV for resolution activity.

Monitoring File Server Usage - We reviewed the hard disks of 48 file servers to determine whether system managers were monitoring disk space usage and user files stored on the file servers. Our tests established that:

• The amount of disk space used was over 75 percent for 19 of 48 file servers. A high percentage of disk space usage could slow system performance and may ultimately cause the system to crash. For example, audit tests indicated three file servers whose disk space usage exceeded 90 percent, and 12 file servers whose disk space usage exceeded 80 percent. Certain automated administrative tools are available to system managers to monitor disk space usage; however, we found system managers were not periodically monitoring the disk space usage because of other duties.

• According to DEA's System Manager manual, certain capabilities and functions of the local area network commands are available to the systems manager to perform maintenance of user files, including deletion of user files. In addition, DEA's Office Automation Security Procedures states the local area network offers a variety of commands and procedures for deleting files from the hard disks. Too many user files add to the high percentage of disk space usage and could increase the risk of a system crash.

Our review indicated 30 of 48 file servers had a high percentage of user files stored on the hard disk. For example, one file server contained user files dated 1991. Other file servers contained user data files with dates ranging from 1992 to 1995.

Recommendations

We recommend the Administrator, DEA:

22. Require system managers to periodically monitor disk space usage.

23. Require system managers to periodically monitor and delete user files that are no longer needed.

The above recommendations are closed. See Appendices III and IV for resolution activity.

Labeling Computer Equipment - DOJ Order 2640.2C requires that all computer system storage media or products containing sensitive or classified information must be marked in accordance with the appropriate DOJ orders. Further, DEA's Planning and Inspection Manual requires the protection of sensitive information from unauthorized or inadvertent disclosure. Information protection includes safeguards for proper storage of both hard copy and electronically stored data.

The Department's response to the GAO audit report stated that DEA's Office of Security Programs had provided guidance on the proper labeling of personal computers. However, our current audit found 19 of 48 file servers and 46 of 100 workstations reviewed did not have external labels denoting the highest level of information permitted to be processed. DEA personnel stated labels can be requested from DEA Headquarters or a user can create labels with the appropriate markings indicating the type of data authorized to be processed on a computer.

System managers indicated that labels were either not received from DEA Headquarters or labels would fall off and not be replaced. Considering the type of sensitive data that is processed by DEA, there is a high probability and risk that: (1) a user may not be aware of what equipment is authorized to process a specific type of data, and (2) sensitive or classified information may be processed on a computer to which disclosure of that information to unauthorized individuals would compromise the confidentiality of the data and individuals to which the data may refer.

Recommendation

We recommend the Administrator, DEA:

24. Appropriately label file servers and workstations as to the type of information processed.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

Risk Management

Risk management is the overall methodology for identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. The risk management function covers the entire spectrum from initial identification of risk potential to implementing safeguards to protect the system and its assets. Risk analysis and contingency planning are two functions of a risk management program.

As an organization becomes increasingly dependent on its computer resources to support mission accomplishment, the need to protect these resources takes on a greater degree of importance. Uncertain events must be planned for by information processing management to ensure the organization's mission is neither interfered with nor interrupted. Management must know and understand the kinds of events that could happen, the vulnerability of the mission to an occurrence of those events, and the overall uncertainty faced by the mission when operating in the threat environment.

Risk Analysis - OMB Circular A-130 requires that agencies establish and maintain a program to conduct periodic risk analyses at each installation to ensure that appropriate, cost effective safeguards are incorporated into existing and new installations. DOJ Order 2640.2C requires that risk analyses be conducted and copies forwarded to JMD.

A risk analysis is particularly important because DEA's computer systems contain mission critical, sensitive information. Although a risk analysis alone does not enhance security, it does provide cost-effective security recommendations for management consideration and is a fundamental step in protecting facilities and applications. The GAO audit report recommended DEA conduct thorough risk analyses and correct any identified weaknesses to adequately protect its sensitive computer facilities. Our review disclosed the following:

• To its credit, DEA developed and completed a risk analysis in 1993 for the Office Automation Network. The Office Automation Network supports Continental United States (CONUS) operations networked primarily through seven host computers or switches, located at: (1) DEA Headquarters; (2) Miami; (3) Chicago; (4) Dallas; (5) Atlanta; (6) Los Angeles; and (7) the Justice Data Center. These host switches are monitored by the Network Control Center located at DEA Headquarters and configured as wide area networks. These are the communication links used to direct Office Automation local area network traffic to the Network Control Center.

The Network Control Center functions as DEA's single point through which all of the agency's sensitive and national security data transmissions are handled. DEA's network users access data base applications stored on the Justice Data Center's mainframe computers through the Network Control Center. If services at the Network Control Center are destroyed or disrupted for a prolonged period, DEA would lose the data processing needed to support its ongoing operations. For example, our physical inspection of the Network Control Center disclosed that protective equipment covers were not available for the computer equipment in the event of an emergency. It is good security practice for equipment covers to be available due to the threat of water damage from a fire. Without protection from water damage, expensive hardware could be damaged or destroyed. We found, however, that a risk analysis was not conducted for DEA Headquarters' Network Control Center.

• A risk analysis was not completed for the new Office Automation system (Firebird).

Recommendations

We recommend the Administrator, DEA:

25. Conduct a risk analysis of the Network Control Center facility.

26. Complete the risk analysis for the new Office Automation Network (Firebird).

27. Submit copies of the completed risk analyses to JMD.

The above recommendations are resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendations.

Contingency Planning - OMB Circular A-130 requires that agencies establish policies and assign responsibilities to assure that appropriate contingency plans are developed and maintained by end users of information technology applications. Both OMB Circular A-130 and DOJ Order 2640.2C require that contingency plans be developed, maintained, and periodically reviewed and tested. Without the necessary contingency plans, DEA users could be denied access to systems and applications in the event of an emergency.

The GAO audit report noted that DEA lacked adequate backup and recovery measures to ensure the continuation of critical services provided by the DEA's Network Control Center. As a result, DEA had no assurance mission needs could be met by recovering data and processing data within a reasonable period of time if prolonged interruption of service were to occur.

The Federal Information Processing Standards Publication 87, Guidelines for ADP Contingency Planning, recommends that risk analyses be used as part of the orderly process needed to develop a contingency plan. Until the risk analysis is completed, it is difficult to know the critical systems that must be maintained and the demands for resources to support these critical systems. Our review disclosed the following:

• A contingency plan for the Network Control Center had been developed prior to completion of a risk analysis, but had not yet been tested.

• A contingency plan had not been developed nor tested for the new Office Automation Network (Firebird).

Recommendations

We recommend the Administrator, DEA:

28. Once the risk analysis is completed for the Network Control Center, develop and test the contingency plan.

29. Develop and test contingency plans for the new Office Automation Network (Firebird).

30. Submit results of the contingency plans to the Justice Management Division.

The above recommendations are resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendations.

Physical and Environmental Security Controls

Physical and environmental security controls provide protection against external acts directed toward equipment, personnel, or data, through measures such as locks, guards, and detection systems. To underline the importance of enhanced physical security at all federal buildings, a security upgrade for all federal buildings was mandated by order of the President because of the lack of adequate physical security in the New York World Trade Center and the Oklahoma City bombings. At the time of our review, 15 of the 26 sites visited had security guards assigned to control the entry security of the building.

We examined the following areas at the 26 DEA sites to determine whether physical and environmental requirements were adequate for visitor access and lock combination changes.

Visitor Access - DOJ Order 2640.2C requires sensitive computer system facilities be secured in a manner commensurate with the highest sensitivity of information contained in the systems. To accomplish this, we believe each visitor should sign a register before accessing the workplace where sensitive ADP systems are located.

• Two sites did not require visitor identification upon entry to DEA's interior space.

• Three sites requested and validated visitor identification but did not record the access.

 

Recommendation

We recommend the Administrator, DEA:

31. Require visitor access to DEA's interior space be secured in a manner commensurate with the highest sensitivity of information contained in the systems.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

Lock Combination Changes - DEA's Planning and Inspection Manual states that lock combinations on doors should be changed at least once a year or whenever there has been a possible compromise. Having a locked room limits access to only those individuals who should have access. Our review disclosed that lock combinations were not changed at two of 26 sites. For example:

• At one site, lock combinations had not been changed in two years.

• At another site, the system manager indicated that lock combinations were not changed upon the termination of the special agent who had responsibility for physical security.

 

Recommendation

We recommend the Administrator, DEA:

32. Change lock combinations annually or following any possible security compromise.

The above recommendation is closed. See Appendices III and IV for resolution activity.

#####