Audit Report

DEA's Narcotics and Dangerous Drug Information System (NADDIS) and other large data base systems are stored on mainframe computers at the Justice Data Center. Nearly all these data base systems are support and intelligence systems designed to assist DEA investigative personnel in the performance of official duties. DEA uses the Office Automation system to process sensitive information and, through communications software, to access these applications.

The Justice Data Center, in its capacity as custodian of users' information, is responsible for the administration of security and other computerized controls for the protection of sensitive information as specified by the Justice Data Center users. To accomplish this, the Justice Data Center provides access control to the mainframe computers through the use of security software. The security software is designed to enforce access control based on the identity and authorized privileges of the requesting user. Therefore, if implemented properly, the security software prompts users to change passwords at a specified time and, will not allow unauthorized users, either directly or by remote connection to a computer system, to read, copy, change, destroy, or use information.

The Department's response to the GAO audit report stated DEA was in contact with the Justice Data Center to discuss the enhancement of security for DEA's mainframe applications through full use of all of the security features of the security software package. According to the response, the security software was to provide added protection through full password encryption, elimination of multiple access points to data (which means everyone must come through the top layer of security), and increase default protection (assuring that users can only retrieve information to which they have been granted access).

Our review disclosed that DEA's data base applications at the Justice Data Center were not yet under the control of the security software because the current version of the data base management system is incompatible with the security software. According to DEA personnel, the data base vendor has attempted to obtain a "fix" to enable the data base to work with the security software.

Currently, DEA's data base management system software provides a measure of protection that utilizes the software's security subsystem facility. This facility tracks a user's activity such as delete or modify, as well as the date and time of activity. Once this facility is combined with the Justice Data Center's security software, a comprehensive security capability for DEA's data bases should be provided. DEA personnel concurred with this finding and will install and test a new version of the data base management system which they believe will rectify the incompatibility problem.

33. Install and test the new version of the software to ensure that DEA's large data base applications are under the control of the security software.

The above recommendation is resolved, but not closed. See Appendices III and IV for resolution activity and the actions necessary to close the recommendation.

In planning and performing our audit of computer security management at DEA, we considered DEA's internal control structure for the purpose of determining our auditing procedures. We did not review internal controls in order to express an opinion on the internal control structure. The design and implementation of the internal control structure applicable to computer security is the responsibility of DEA management. Accordingly, our assessment, made for the purposes described in the audit scope paragraph, would not necessarily disclose all weaknesses in the internal control structure of DEA taken as a whole.

However, there are certain matters involving the internal control structure that we consider to be reportable conditions under the generally accepted government auditing standards. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control structure that, in our judgment, could adversely affect the ability of the DEA to protect its sensitive data. We found the following internal control deficiencies:

We are not expressing an opinion on DEA's internal control structure. This statement is intended solely for the information and use of DEA management in monitoring computer security. This restriction is not intended to limit the distribution of this report, which is public record.

We have audited DEA's computer security policies and associated operational procedures. The audit was conducted in accordance with generally accepted government auditing standards. In connection with the audit, and as required by the standards, we tested transactions and records to obtain reasonable assurance on compliance with laws and regulations that, if not complied with, we believe could have a material effect on the mission of the DEA. Compliance with laws and regulations applicable to computer security management is the responsibility of DEA management.

Our audit included examining, on a test basis, evidence concerning compliance with laws and regulations. The specific laws and regulations against which we conducted our tests were: (1) the Computer Security Act of 1987 (Public Law 100-235) and (2) OMB Circular A-130, Management of Federal Information Resources. The results of our tests indicated that for the Headquarters and field offices tested, DEA did not comply with the laws and regulations referred to above in the following areas:

Because of the materiality of noncompliance noted in this report, we cannot provide assurance that DEA complied with the above cited laws and regulations with respect to those offices not tested.

The objectives of the audit were to: (1) determine whether security system software controls protect the computer systems from unauthorized access, (2) evaluate the adequacy of DEA's computer security management of sensitive data, and (3) determine whether security software was used to protect DEA's data bases processed at the Justice Data Center.

The audit was performed in accordance with generally accepted government auditing standards and included tests and procedures necessary to accomplish our audit objectives. To perform the audit, we: (1) reviewed laws, policies, regulations, manuals, and memoranda; (2) interviewed responsible personnel; and (3) performed technical tests of system software controls and security software.

Our audit included reviews of 25 field offices and the Network Control Center located at DEA's Headquarters (see Appendix II). The reviews focused on system software control and over 400 tests were performed. In addition, we interviewed almost 50 personnel at the field offices and Headquarters.

Finally, prior to the issuance of this report, we discussed the findings and recommendations with DEA personnel, and actions DEA has or will take on the recommendations.

DEA is the leading federal agency in drug law enforcement. It was created in July 1973 by a Reorganization Plan that merged four separate drug law enforcement agencies. The overall mission of DEA includes enforcing provisions of the controlled substances and chemical diversion and trafficking laws and regulations of the United States. DEA creates, manages, and supports enforcement-related programs, both domestically and internationally.

To carry out its mission and administrative functions, DEA relies heavily on computer systems to collect, process, store, and transmit a variety of sensitive information. Therefore, it is important for DEA to implement the proper safeguards to protect the data processed on its computer systems as well as its investment in information technology.

DEA is an organization of over 7,000 employees, about half of whom are Special Agents operating in domestic offices or foreign countries. DEA currently has 20 Domestic Field Divisions, over 100 Resident Offices, 19 District Offices, and field installations in almost 50 foreign countries. All field offices have similar law enforcement functional responsibilities, although the workload varies. Many of these offices have suboffices in other cities for which they have jurisdictional responsibility and where additional federal, state, and local authorities are located.

Responsibilities for the development, implementation, and administration of computer security policies and procedures are distributed among Headquarters and field offices. At the Headquarters level, the Office of Information Systems and the Office of Security Programs are responsible for developing and implementing policies and procedures. At the field office level, a system manager is responsible for administering these policies and procedures as well as controlling and monitoring access to ADP systems and performing such tasks as backing up files. Out of the 26 sites where we performed tests, duties of 22 of the 26 system managers were collateral to other full-time duties.

Location	Office Location
Headquarters - Network Control Center	Arlington, VA
Montgomery Post of Duty	Montgomery, AL
Phoenix Division Office	Phoenix, AZ
San Diego Division Office	National City, CA
Southwest Laboratory	National City, CA
San Ysidro Resident Office	San Ysidro, CA
Colorado Springs Resident Office	Colorado Springs, CO
Denver Division Office	Englewood, CO
Mid-Atlantic Laboratory	Washington, DC
Washington Division Office (WDO)	Washington, DC
Miami Division Office	Miami, FL
Atlanta Division Office	Atlanta, GA
Columbus Resident Office	Columbus, GA
Honolulu Resident Office	Honolulu, HI
Chicago Division Office	Chicago, IL
North Central Laboratory	Chicago, IL
New Orleans Division Office	New Orleans, LA
Baltimore District Office	Baltimore, MD
Washington/Baltimore High Intensity Drug Trafficking Area (HIDTA) Office	Greenbelt, MD
New York Division Office	New York, NY
Northeast Laboratory	New York, NY
Philadelphia Division Office	Philadelphia, PA
Dallas Division Office	Dallas, TX
Aviation Operations Center	Ft. Worth, TX
Annandale HIDTA Office	Annandale, VA
Richmond Resident Office	Richmond, VA

OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION
ANALYSIS AND SUMMARY OF ACTIONS TAKEN TO CLOSE REPORT

The DEA response to the audit (Appendix III) included detailed documentation addressing each of the recommendations, either in the response or the attachments to the response. Subsequent to discussing the working draft of this report, DEA management provided documentation evidencing actions taken to close recommendations 20 and 32, and to resolve recommendations 9 through 11, 14 through 19, 24 through 31, and 33. Our statements below and on the following pages are based on our analysis of the documentation provided.

1. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign unique passwords for the "SysDirectoryPassword" parameter.

2. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign a protection level of at least "5" for all files stored in the system directory.

3. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign a value of "YES" for the "ProtectSysDirectory" parameter.

4. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign a "ClusterTimeOut" setting of 30 seconds.

5. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign a "ScreenTimeOut" setting of 5 minutes.

6. Closed. DEA management sent a teletype to all DEA offices requiring system managers to assign a "DiskLogThreshold" setting of "3."

7. Closed. DEA management provided documentation setting the "MaxConcurrentTerm" parameter to "15" for Office Automation workstations and to "30" for Personal Computer workstations networked to an Office Automation cluster.

8. Resolved. The DEA management stated it will take steps to comply with security concerns addressed in the waiver granted by the Department's Security Officer regarding an audit trail capability that cannot be implemented for the file servers. This recommendation can be closed when we receive documentation showing results of this effort.

9. Resolved. DEA management stated it will establish milestones to validate and update the automated employee data base. This recommendation can be closed when we receive documentation showing the milestones established, and when completed, a copy of the results.

10. Resolved. DEA management stated it will conduct full-field background investigations as required. This recommendation can be closed when we receive documentation showing the number of full-field background investigations to be conducted, the time frame for completing them, and progress towards completion.

11. Resolved. DEA management stated it will conduct periodic background reinvestigations as required. This recommendation can be closed when we receive documentation showing the number of reinvestigations to be conducted, the time frame for completing them, and progress towards completion.

12. Resolved. DEA management stated that a teletype will be sent to the field offices to restrict the system manager's administrative functions. This recommendation can be closed when we receive documentation showing results of this effort.

13. Closed. DEA management sent a teletype to all DEA offices requiring system managers to change local area network passwords at least every 6 months.

14. Resolved. DEA management stated the Department of Justice (DOJ) controls the Time Sharing Option and Conversational Monitoring passwords, and will implement action to assist the DOJ in identifying and removing personnel system access, as appropriate. This recommendation can be closed when we receive documentation showing results of this effort.

15. Resolved. DEA management stated it will take action to assure all Time Sharing Option, Conversational Monitoring System, and local area network passwords are removed at the time an employee is reassigned or departs from the agency. This recommendation can be closed when we receive documentation showing results of this effort.

16. Resolved. DEA management initiated an effort in August 1996 to reconcile the approximately 25,000 pieces of computer equipment. The reconciliation should be completed during FY 1997. This recommendation can be closed when we receive documentation showing results of this effort.

17. Resolved. DEA management stated it will issue additional guidance requiring field offices to conduct and document computer security awareness training on a periodic basis. In addition, its Office of Internal Inspections will conduct periodic reviews to ensure compliance. This recommendation can be closed when we receive documentation showing results of this effort.

18. Resolved. DEA management stated it will assess the specific requirements and needs for providing system training to all system managers. Once this assessment has been completed, DEA will develop an appropriate program to administer system training. This recommendation can be closed when we receive documentation showing results of this effort.

19. Resolved. DEA management stated it will implement procedures to ensure that appropriate security guidance is distributed to management at all DEA offices. This recommendation can be closed when we receive documentation showing results of this effort.

20. Closed. DEA management provided documentation showing an Occupant Emergency Plan had been developed and submitted for the first site while DEA was not the responsible agency for the second site.

21. Closed. DEA management requested the Department's Security Officer waive the requirement for Office Automation virus software because of the old technology.

22. Closed. DEA management sent a teletype to all DEA offices requiring system managers to periodically monitor space usage.

23. Closed. DEA management sent a teletype to all DEA offices requiring system managers to periodically monitor and delete user files which are no longer needed.

24. Resolved. DEA management stated it will implement procedures to ensure file servers and workstations are appropriately labeled. This recommendation can be closed when we receive documentation showing results of this effort.

25. Resolved. DEA management stated it will contact the Justice Management Division to determine whether this effort could be covered under the task order for conducting the Firebird risk analysis. If not, a risk analysis will be conducted. This recommendation can be closed when we receive documentation showing the completed risk analysis.

26. Resolved. DEA stated it completed a risk analysis for the Firebird system. This recommendation can be closed when we receive documentation showing the completed risk analysis.

27. Resolved. DEA management stated it will submit copies of the risk analyses to the Justice Management Division. This recommendation can be closed when we receive documentation showing results of this effort.

28. Resolved. Prior to issuance of the draft report, DEA management requested the Justice Management Division waive the requirement to test the Network Control Center contingency plan because of the cost. This recommendation can be closed when we receive documentation showing results of this effort.

29. Resolved. DEA management stated it will establish milestones for developing and testing contingency plans. This recommendation can be closed when we receive documentation showing the milestones established, and when completed, a copy of the results of the contingency plan.

30. Resolved. DEA management stated it will submit copies of the contingency plans to the Justice Management Division. This recommendation can be closed when we receive documentation showing results of this effort.

31. Resolved. DEA management stated it will reemphasize procedures requiring visitor access to DEA’s interior space be secured in a manner commensurate with the highest sensitivity of information contained in the systems. This recommendation can be closed when we receive documentation showing results of this effort.

32. Closed. DEA management provided documentation showing distribution of guidance for changing lock combinations to all field offices.

33. Resolved. DEA management stated it will soon install and test the new version of the software. This recommendation can be closed when we receive documentation showing results of this effort.