CONCLUSIONS
Since the comprehensive House audit in July 1995, the U.S. House of Representatives (House) has made progress toward improving controls over the integrity, confidentiality, and availability of information and systems. The House re-established its information systems security function under the House Information Resources (HIR) organization during the first half of Calendar Year 1996. The new security staff, led by an experienced security manager, has developed and is continuing to develop a number of initiatives designed to improve security controls over House information technology and information resources. Examples of these initiatives include: (1) preparing an information security policy for the House; (2) developing requirements for personnel security background checks and clearances; (3) developing security policies over voice and data systems; (4) establishing a secure dial-in modem bank; (5) assessing physical security control requirements over equipment and facilities; (6) performing security reviews; and (7) instituting penetration testing procedures.
The Communications Group has security responsibilities with respect to the House Campus Network, Internet "firewall," and telephone system. This Group has also implemented corrective actions to improve security, resulting in better physical controls over the Network Control Center (NCC) and access controls over the House's connection to CapNet.
Notwithstanding the progress made thus far, significant efforts are needed to improve security controls over the integrity, confidentiality, and availability of information and systems at the House. Security weaknesses were noted in certain areas of the House telecommunications environments, posing risk of unauthorized access, modification, and destruction of telecommunications and information resources at the House. Several of the security weaknesses identified can greatly impact the effectiveness of HIR Security staff's and the Communications Group's abilities to carry out security responsibilities and activities as intended by the House. Without effective security controls, the House cannot be assured that information resources are protected from fraud, waste, abuse, and unauthorized use.
Since the House's telecommunications system is an integral component of Member, Committee, and other House office information and computer operations, this report not only addresses telecommunications security issues but also focuses on information systems-related security weaknesses that affect telecommunications security. The security weaknesses identified encompassed the areas of information systems security architecture; security staffing, tools, and training requirements; security administration; computer and telecommunications security training and awareness; dial-in security; logical access security; Private Branch Exchange (PBX) security; telecommunications physical security; Committee and Subcommittee room wiring infrastructures; and Internet-related procedures. The following is a high-level synopsis of the security weaknesses included in this report:
The House lacks a well-defined information systems security architecture, including policies and procedures, that outlines a minimum baseline to operate from. Part of this missing baseline includes security plans, a data classification/ownership policy, and risk assessments to identify sensitive or critical data for protection.
Although the House re-established its information systems security function within HIR in January 1996, security reviews have not been performed in sufficient quantity and on a frequent enough basis to adequately cover the most vulnerable areas and prevent or detect unauthorized access or intrusions. HIR Security does not have security analysis software to perform detailed testing of office systems for compliance with House security standards. Further, the day-to-day operational security responsibilities and duties are diverse, leaving little time for proactive security activities.
The assignment of HIR Security functions involving mainframe access security software is inappropriate for controlling information resources. Non-security personnel, such as systems administrators within the Enterprise Computing Group, are allowed to perform critical access security functions, such as writing rules and reviewing audit trails. These capabilities give non-security personnel the ability to access, view, or modify House data on the mainframe without leaving an audit trail.
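The separation-of-duties problem described in the preceding finding (one person able both to write access rules and to review the audit trail) can be checked mechanically from a privilege listing. The following Python is an added illustration and is not part of the audit report or of any House system; the group names, privilege names and user records are constructed assumptions, chosen only to mirror the report's description of systems administrators outside HIR Security holding rule-writing and audit-review rights.

```python
"""Separation-of-duties check over a constructed mainframe privilege table.

Added example, not from the audit report. Group names, privilege names and
the sample grants below are assumptions constructed for illustration.
"""
from collections import defaultdict

# Privileges that, per the finding, belong to the security function only
# (assumed names; the report does not name the actual rule or audit privileges).
SECURITY_ONLY = {"WRITE_RULES", "REVIEW_AUDIT_TRAIL"}

# Privilege pairs no single user should hold: someone who can change access
# rules or modify data AND review the audit trail can act without an
# independent record of the action.
TOXIC_PAIRS = [
    ("WRITE_RULES", "REVIEW_AUDIT_TRAIL"),
    ("MODIFY_DATA", "REVIEW_AUDIT_TRAIL"),
]

# Constructed sample grants: (user, group, privilege).
GRANTS = [
    ("sysadmin1", "ENTERPRISE_COMPUTING", "WRITE_RULES"),
    ("sysadmin1", "ENTERPRISE_COMPUTING", "REVIEW_AUDIT_TRAIL"),
    ("sysadmin1", "ENTERPRISE_COMPUTING", "MODIFY_DATA"),
    ("dev1", "ENTERPRISE_COMPUTING", "MODIFY_DATA"),
    ("secadmin1", "HIR_SECURITY", "WRITE_RULES"),
    ("auditor1", "HIR_SECURITY", "REVIEW_AUDIT_TRAIL"),
]


def find_violations(grants, security_groups=("HIR_SECURITY",)):
    """Return a list of (user, reason, privileges) findings.

    Two rules are applied:
      1. security-only privileges held by a user outside the security groups;
      2. conflicting privilege pairs held by the same user, whatever the group.
    """
    by_user = defaultdict(lambda: {"group": None, "privs": set()})
    for user, group, priv in grants:
        rec = by_user[user]
        rec["group"] = rec["group"] or group   # first group seen wins
        rec["privs"].add(priv)

    findings = []
    for user, rec in sorted(by_user.items()):
        if rec["group"] not in security_groups:
            held = rec["privs"] & SECURITY_ONLY
            if held:
                findings.append(
                    (user, "non-security user holds security-only privilege", sorted(held))
                )
        for a, b in TOXIC_PAIRS:
            if a in rec["privs"] and b in rec["privs"]:
                findings.append(
                    (user, "conflicting privileges (separation of duties)", [a, b])
                )
    return findings


def summarize(findings):
    """Group findings by user so a reviewer sees one line per account."""
    per_user = defaultdict(list)
    for user, reason, privs in findings:
        per_user[user].append(f"{reason}: {', '.join(privs)}")
    return dict(per_user)


if __name__ == "__main__":
    for user, issues in summarize(find_violations(GRANTS)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed table, only `sysadmin1` is flagged: once for holding security-only privileges outside HIR Security, and once for each conflicting pair. The two HIR Security accounts pass because rule writing and audit review are split between different people, which is the control the finding is asking for.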
At the request of the Committee on House Oversight, audit work also included an assessment of the Communications Group's Committee and Event Room Wiring Proposal. Based on our review, we recommend its approval by the Committee.
RECOMMENDATIONS
We made a total of 33 recommendations to the Chief Administrative Officer to strengthen security controls over the House's telecommunications and information resources.
MANAGEMENT RESPONSE
On January 21, 1997, the Acting CAO fully concurred with the findings and all 33 recommendations in this report. According to the response, numerous actions were completed or are planned to significantly strengthen telecommunications and information systems security at the House.
OFFICE OF INSPECTOR GENERAL COMMENTS
The Acting CAO's completed and planned actions are responsive to the issues we identified and, when fully implemented, should satisfy the intent of our recommendations. Further, the milestone dates provided for completing the planned actions appear reasonable.
However, we are requesting that, by April 25, 1997, the Acting CAO provide us milestone dates for certain recommendations for which the response did not contain milestone dates.