CONCLUSIONS

Since the comprehensive House audit in July 1995, the U.S. House of Representative (House) has made progress toward improving controls over the integrity, confidentiality, and availability of information and systems. The House re-established its information systems security function under the House Information Resources (HIR) organization during the first half of Calendar Year 1996. The new security staff led by an experienced security manager has developed and is continuing to develop a number of initiatives designed to improve security controls over House information technology and information resources. Examples of these initiatives include: (1) preparing an information security policy for the House; (2) developing requirements for personnel security background checks and clearances; (3) developing security policies over voice and data systems; (4) establishing a secure dial-in modem bank; (5) assessing physical security control requirements over equipment and facilities; (6) performing security reviews; and (7) instituting penetration testing procedures.

The Communications Group has security responsibilities with respect to the House Campus Network, Internet "firewall," and telephone system. This Group has also implemented corrective actions to improve security resulting in better physical controls over the Network Control Center (NCC) and access controls over the House's connection to CapNet.

Notwithstanding the progress made thus far, significant efforts are needed to improve security controls over the integrity, confidentiality, and availability of information and systems at the House. Security weaknesses were noted in certain areas of the House telecommunications environments, posing risk of unauthorized access, modification, and destruction of telecommunications and information resources at the House. Several of the security weaknesses identified can greatly impact the effectiveness of HIR Security staff's and the Communications Group's abilities to carry out security responsibilities and activities as intended by the House. Without effective security controls, the House cannot be assured that information resources are protected from fraud, waste, abuse, and unauthorized use.

Since the House's telecommunications system is an integral component of Member, Committee, and other House office information and computer operations, this report not only addresses telecommunications security issues but also focuses on information systems-related security weaknesses that affect telecommunications security. The security weaknesses identified encompassed the areas of information systems security architecture; security staffing, tools, and training requirements; security administration; computer and telecommunications security training and awareness; dial-in security; logical security access; Private Branch Exchange (PBX) security; telecommunications physical security; Committee and Subcommittee room wiring infrastructures; and Internet-related procedures. The following is a high level synopsis of security weaknesses included in this report:

The House lacks a well defined information systems security architecture, including policies and procedures, that outlines a minimum baseline to operate from. Part of this missing baseline includes security plans, a data classification/ownership policy, and risk assessments to identify sensitive or critical data for protection.

Although the House re-established its information systems security function within HIR in January 1996, security reviews have not been performed in sufficient quantity and on a frequent enough basis to adequately cover the most vulnerable areas and prevent or detect unauthorized access or intrusions. HIR Security does not have security analysis software to perform detailed testing of office systems for compliance with House security standards. Further, the day-to-day operational security responsibilities and duties are diverse, leaving little time for proactive security activities.

HIR Security functions involving mainframe access security software is inappropriate for controlling information resources. Non-security personnel, such as systems administrators within the Enterprise Computing Group, are allowed to perform critical access security functions, such as writing rules and reviewing audit trails. These capabilities provide non-security personnel the ability to access, view, or modify House data on the mainframe without leaving an audit trail.

• Computer security training available to House offices needs improvement. Computer security training is required for all offices when they are initially connected to the Internet. However, all employees in those offices are not required to attend the training. Therefore, according to the HIR Security Manager, at a minimum, only the office managers and systems administrators attend the training. In addition, computer security training is not mandatory for those offices not connected to the Internet. Furthermore, there are no requirements for employees to receive appropriate follow-up training in, and awareness of, accepted computer security practices. Similarly, House employees have not received sufficient training and awareness on the secure use of House telephone services in accordance with established policies and procedures.

• Remote access security is inconsistent within the House which creates a security exposure.

• Mainframe logical access controls are not sufficiently administered to restrict users from gaining access to House network resources (i.e., certain communications and teleprocessing monitors). For example, many HIR support staff have unnecessarily broad access privileges which provide them the ability to access these network resources beyond the scope of their authorized duties and responsibilities.

• PBX system security needs improvement to reduce the potential for toll abuse at the House. HIR relies heavily on telecommunications service providers to monitor toll fraud abuse. Allowing others to monitor for toll fraud at the House increases the risk of unauthorized toll use and abuse.

• Physical security controls are inadequate to properly safeguard various telecommunications facilities within the House. (These control deficiencies were also disclosed in HIR Security's September 1996 report entitled A Report of the Communications Closets of the U.S. House of Representatives.)

• The current wiring policy for voice, data, and video wiring in House Committee, subcommittee, and other event rooms is unmanageable and provides little assurance of security. Individual broadcasters have been allowed to unilaterally install and/or make arrangements with telecommunications service providers to install and provide cabling and specialized circuits for any given event without coordinating with HIR. This, in turn, has greatly impacted the House's ability to maintain control over its telecommunications wires and cables when a media event occurs in a Committee, Subcommittee, or any other room in the House complex.

At the request of the Committee on House Oversight, audit work also included an assessment of the Communications Group's Committee and Event Room Wiring Proposal. Based on our review, we recommend its approval by the Committee.

• During the telecommunications audit, we performed limited penetration tests of the House firewall and were unable to penetrate it. From this perspective, the Communications Group should be commended on their efforts and commitment for ensuring that House information is properly protected. However, in reviewing the strength of the Internet security environment, we noted that HIR could strengthen its Internet administration functions by providing well-designed and tested procedures for ensuring that the Communications Group and Security staff quickly respond to penetration attempts or security violations.

RECOMMENDATIONS

We made a total of 33 recommendations to the Chief Administrative Officer to strengthen security controls over the House's telecommunications and information resources.

MANAGEMENT RESPONSE

On January 21, 1997, the Acting CAO fully concurred with the findings and all 33 recommen-dations in this report. According to the response, numerous actions were completed or are planned to significantly strengthen telecommunications and information systems security at the House.

OFFICE OF INSPECTOR GENERAL COMMENTS

The Acting CAO's completed and planned actions are responsive to the issues we identified and, when fully implemented, should satisfy the intent of our recommendations. Further, the milestone dates provided for completing the planned actions appear reasonable.

However, we are requesting that the Acting CAO provide us milestone dates for certain recommendations that did not contain milestone dates by April 25, 1997.