Report No. 98-CAO-13
November 12, 1998
I. INTRODUCTION
Background
Since September 1995, the Chief Administrative Officer
(CAO) has entered into cross-servicing agreements with the U.S. Geological
Survey (USGS) to implement and customize the USGS's Federal Financial System
(FFS) for the U.S. House of Representatives (House) and process the House's
financial data. FFS resides on a mainframe computer at the USGS Reston
Enterprise Data Services Center (EDSC), formerly known as the Reston General
Purpose Computer Center, located in Reston, Virginia. The application is
supported by the USGS, Washington Administrative Service Center (WASC).
Other services EDSC provides to the House are contingency planning, backup,
and disaster recovery (including hot-site restoration of FFS operations
within two business days), performance monitoring, and security administration.
To ensure the integrity and security of the House's financial information,
the House periodically assesses the adequacy of EDSC's data processing
environment. This audit report is the result of our latest assessment.
FFS was purchased by USGS in 1987 and subsequently implemented
in the Department of Interior’s (DOI) bureaus. The FFS license that USGS
has with American Management Systems, Inc. (AMS) allows the USGS to provide
cross-servicing to external Federal government agencies.
EDSC, which is government-owned and government-operated,
provides a broad spectrum of data processing support for numerous sensitive
major application systems, including FFS. To support FFS, the Center operates
a large-scale IBM 9672 mainframe computer running IBM's Multiple Virtual
Storage (MVS) Extended Systems Architecture (ESA) operating system, version
5.1. In late 1997, EDSC installed new access control security software
on the mainframe, IBM’s Resource Access Control Facility (RACF), replacing
Computer Associates’ Access Control Facility 2. The security software not
only controls user access to the FFS-dedicated Customer Information Control
System (CICS) applications, but also access to the Time Sharing Option (TSO)
facility and numerous vendor products. In addition to this standard
system-level security, FFS contains data base level security that controls
the actual system functions that a user may invoke. Other system software,
such as data base management software, telecommunications software, and
specialized vendor software products, also resides on the mainframe computer.
Network and local communications support for both asynchronous
and synchronous protocols is provided, as well as local area network (LAN)
connectivity via Ethernet and Transmission Control Protocol/Internet Protocol.
Objectives, Scope, and Methodology
This review was initiated and led by the House Office
of Inspector General (OIG) and coordinated with the DOI/OIG. The primary
objective of this review was to evaluate the effectiveness of the general
controls environment surrounding FFS and House financial data processing
at EDSC. The review focused on evaluating the adequacy of management and
internal controls over the following general control areas:
The scope of this audit included a review of the integrity,
confidentiality, and availability of information resources for processing
House financial data. Evaluation of general controls focused on a number
of control issues, including (1) standards, policies, and procedures; (2)
user authentication; (3) protection of information and information systems
from unauthorized access, modification, or destruction; and (4) backup
and recoverability of information, systems, and telecommunications links
in the event of a disruption in operations. The assessment of business
continuity planning and ongoing operations also included the review of
the ability of EDSC’s hardware and software to function in the Year 2000.
We conducted our review in accordance with Government Auditing Standards issued by the Comptroller General of the United States. Our review covered the period of January 1997 through May 1998. Our audit work was performed during the period of April 10 through June 5, 1998, and consisted of the following specific tasks:
In addition, we applied computer and information systems
audit guidelines used by the Federal government and private industry computer
installations in evaluating the effectiveness of EDSC management and operations.
Internal Controls
We evaluated internal controls related to the integrity,
confidentiality, and availability of EDSC’s mainframe and other information
system environments, which could adversely affect the House FFS data and
FFS processing. Although notable improvements have been made in EDSC’s
mainframe operations, system software controls, and telecommunications
security controls since our 1996 audit, we identified significant internal
control weaknesses, including weaknesses that remain uncorrected. These
weaknesses involve EDSC's MVS libraries, overall security function and
administration, RACF security access controls, CICS sensitive transaction
controls, and business continuity planning, including Year 2000 readiness.
An overview of the internal control weaknesses identified is provided
in the "Results of Review" section of this report and in Exhibit 1.
While we believe that the weaknesses identified are important
to the USGS and the House, we do not consider these weaknesses to constitute
a material internal control weakness under the Federal Managers'
Financial Integrity Act of 1982 materiality criteria
established by the Office of Management and Budget.
Prior Audit Coverage
One prior audit was performed by the House OIG, in conjunction
with DOI/OIG, which relates to the overall FFS application processing and
the general controls environment at EDSC. The audit results were reported
in two separate OIG reports: House OIG Report No. 96-CAO-09 and DOI/OIG
Report No. 97-I-98, both issued in late 1996. The reports are identified
below, followed by a synopsis of their contents.
Exhibit 2 provides a summary of the implementation status
of each of the recommendations in the above reports.
II. RESULTS OF REVIEW
The results of our evaluation of the general controls
environment surrounding FFS and House financial data processing at the
USGS showed marked improvement since our 1996 audit. For example, USGS:
USGS’s progress is clearly evident from the results of
our follow-up work on the 72 prior audit report recommendations aimed at
resolving 42 weaknesses identified in House OIG Report No. 96-CAO-09, entitled
Stronger Controls Needed Over The Data Processing Environment At The
U.S. Geological Survey, Reston General Purpose Computer Center, dated
December 17, 1996. (Of the 72 recommendations, only 2, which related
to FFS administration and maintenance and to information protection weaknesses,
were directed to the CAO for action; one of these required the CAO to work
jointly with USGS to resolve the weakness.) The results of our follow-up
work on the 72 prior audit recommendations showed that corrective
actions were completed for 39 recommendations. In addition, two recommendations
were otherwise resolved and seven were superseded by new recommendations.
Of the remaining 24 open recommendations, substantial progress was made
on 2, some progress was made on 8, limited progress was made on 6, and no
actions were taken on 8. As these statistics indicate,
the majority of the report recommendations have been implemented and action
has been taken on most of the remaining recommendations, thereby improving
general controls over the FFS mainframe processing environment. (Exhibit
2 lists the 72 prior recommendations with comments on the recommendations
not completed including the corrective actions taken and/or planned, and
actions needed for closure.)
Notwithstanding these notable improvements in system software
controls, we identified 19 weaknesses that span the following 4 general
control areas: (1) data center management and operations; (2) mainframe
systems logical and physical security; (3) telecommunications security;
and (4) contingency planning, backup, and disaster recovery. In addressing
the fifth general control area (i.e., LAN protection), we evaluated USGS’s
progress in improving controls over this environment and found the risk
for uncompleted actions to be extremely low on an overall basis. LAN-related
issues were identified as part of three weaknesses under the data center
management and operations, mainframe systems logical and physical security,
and telecommunications security areas. However, from the House’s standpoint,
no House data is stored or transmitted through the DOI or USGS internal
LANs. While USGS management can benefit by fully implementing our prior
audit LAN-related recommendations, we are not reporting any additional
weaknesses in this area.
The 19 weaknesses include weaknesses originally identified
in our prior audit and new weaknesses that could have a significant adverse
impact on data processed at EDSC, if left unaddressed. Collectively, these
weaknesses increase the risk of unauthorized access and modifications to,
and disclosure of, House and other agency information processed on EDSC’s
mainframe computer. Additionally, some of the weaknesses increase the potential
for operational errors that can adversely affect service continuity. In
addition to the 13 prior audit recommendations still not fully implemented,
we made 24 new recommendations for addressing the weaknesses and improving
the general controls environment at EDSC. (A detailed discussion of the
weaknesses and associated recommendations for each general controls area
is contained in Exhibit 1 of this report.)
The primary reasons for these deficiencies include, but
are not limited to, the following: lack of formal standards, policies,
and procedures; inappropriate practices and processes; inadequate security
review and monitoring of sensitive system and data access activities; noncompliance
with vendor guidelines for MVS integrity; and lack of a comprehensive data
security program.
Federal Government And Private Industry Data Security And Internal Control Guidelines And Practices Are Well-Established
The Office of Management and Budget and the National Institute
of Standards and Technology (NIST) have issued numerous directives, policies,
and guidelines calling for Federal agencies to establish and implement
overall management and computer security controls to improve internal controls
over system software, and application programs and data in Executive Branch
agencies' computer systems. NIST has specifically prescribed guidelines
for achieving strong disciplines and a clearly defined approach to software
maintenance, including change management, to assure smooth operational
continuity. Additionally, Congress has enacted various laws, such as the
Privacy Act of 1974 and Computer Security Act of 1987, to improve the security
and privacy of sensitive information in computer systems by requiring the
Executive Branch to assure an adequate level of computer security and controls.
More recently, the 2nd Edition of COBIT:
Control Objectives For Information and Related Technology (published
by the Information Systems Audit and Control Association, April 1998) provides
guidelines and tools based on established best practices for managers in
both the public and private sector to establish controls for ensuring the
confidentiality, integrity, and availability of information as well as
the protection of other information technology resources. Such controls
normally encompass adequate change management processes, proper reporting
structure, segregation of duties, establishment of computer and data security
standards, policies, and procedures, risk analyses, application controls,
independent reviews, Year 2000 date impact compliance, and other control-related
mechanisms to ensure effective management and protection of sensitive information
and other information technology resources.
Additional controls are needed to ensure the effective
management and protection of sensitive information and other information
technology resources within EDSC's information systems environment. The
following is a summary of each of the four major general control areas,
highlighting key deficiencies identified during the course of the audit,
which are discussed in Exhibit 1.
Data Center Management And Operations
We noted deficiencies in the areas of data center management
and operations where controls should be improved to reduce unnecessary
risk to system integrity, confidentiality, and availability. Key deficiencies
include:
In this area, we made three new recommendations and referenced
five prior recommendations to address the deficiencies and improve data
center management and operations.
Mainframe Systems Logical And Physical Security
We found numerous instances where EDSC did not comply
with vendor guidelines, Federal directives and laws, and generally accepted
industry practices in administering and implementing operating system and
access security software controls on its mainframe computer. Key deficiencies
identified include:
In this area, we made 17 new recommendations and referenced
8 prior recommendations to address the deficiencies and improve the integrity
and security of mainframe physical and logical controls.
Telecommunications Security
We found that unrestricted user access to USGS through
the Internet still poses integrity and security exposures to the agency’s
internal systems (e.g., the mainframe computer and certain LANs), because
passwords are not encrypted in the network. In this area, we made one recommendation
to address the deficiency and eliminate the exposure associated with EDSC’s
telecommunications environment.
Contingency Planning, Backup, And Disaster Recovery
A large volume of House FFS data could be lost without
the ability to recover the lost data, except through its reentry. In addition,
EDSC’s contingency planning, backup, and disaster recovery procedures do
not provide reasonable assurance that the FFS mainframe processing environment
will be able to operate after Year 2000. Key deficiencies identified include:
In this area, we made four recommendations to address
the deficiencies and ensure that USGS and House personnel are sufficiently
prepared to quickly recover from unforeseen disruptions, such as a prolonged
outage or disasters.
Conclusion
Since the release of our prior audit report in November 1996, USGS has made significant progress in addressing weaknesses and recommendations identified in that report.
However, significant weaknesses related to mainframe systems
logical and physical security, and contingency planning, backup, and disaster
recovery still remain which require immediate attention. To a lesser extent,
we also identified weaknesses in data center management and telecommunications,
which also need to be addressed. Overall, while we consider all the weaknesses
as important to the USGS and the House, we do not believe that they constitute
a material internal control weakness under the Federal Managers’ Financial
Integrity Act of 1982 materiality criteria established by the Office of
Management and Budget.
Management Response
On October 5, 1998, the Chief Administrative Officer (CAO) verbally responded to a draft finding (i.e., Weakness 17), and fully concurred with the issue identified and the associated recommendation (i.e., Recommendation 17). In late June 1998, his office requested WASC to provide daily off-site storage of the House’s FFS application and database backup tapes. Accordingly, the CAO informed us that WASC implemented this procedure on August 27, 1998.
On October 15, 1998, the Office of the Director of USGS
generally concurred with the remaining 18 weaknesses and 24 recommendations
directed to them (see Appendix). According to the response, actions were
completed for 2 (i.e., Recommendations 6.C and 18.A) of the 24 recommendations
and included: (1) requiring that security noncompliance problems involving
EDSC users be elevated to the responsible department level security officials
to enforce compliance; and (2) establishing a Year 2000 Team to oversee
the Year 2000 compliance efforts for EDSC’s software and hardware.
The response also indicated that numerous other corrective
actions were underway or planned for addressing the remaining 22 recommendations.
These include: (1) developing and implementing change management procedures
for the LAN environment; (2) conducting an Overhead Rate Study/Review to
document and determine an appropriate rate to use in preparing subsequent
interagency agreements; (3) providing appropriate reports to support time
and charges billed to the House for WASC services; (4) revising the APF
library semi-annual review process to include documented justification
for systems programmer access in addition to management signoff; (5) logging
systems programmer access to APF libraries, and implementing procedures
for distributing reports to systems programming management for review;
(6) reviewing authorized changes based on change control documentation;
(7) revising the security review process to include contact with vendor
representatives to ensure the required software controls are available
and implemented; (8) establishing a policy to ensure security administration
has the responsibility to review and control all software product implementations
from a security perspective; (9) reviewing a specific RACF option and removing
the privilege or providing the necessary documentation to justify the requirement
where appropriate; (10) establishing guidelines for requesting/authorizing
application programmer access to production programs and data; (11) revising
RACF access rules based on review results; (12) implementing procedures
for security administration staff to periodically review and monitor access
controls implemented by all Security Coordinators; (13) reviewing and implementing
the password characteristics identified, and implementing the erase on
scratch once proper testing has been performed; (14) establishing a policy
to require the creation of RACF groups to meet specific access requirements;
(15) implementing appropriate features to eliminate the potential for eavesdropping
on USGS’s network; (16) requiring application programmers to use hardwire
connections when accessing House data; (17) revising the USGS Manual to
address a comprehensive Bureau-wide Security program that includes all
platforms; (18) reviewing for, and limiting, access to the use of a specific
CICS transaction; (19) developing and documenting procedures for periodic
reviews of data center physical access privileges; (20) developing a comprehensive
security program to protect the overall internal network; (21) coordinating
activities to identify and resolve all areas that would be affected by
the Year 2000 problem across the information system infrastructure within
EDSB; and (22) conducting and documenting a comprehensive disaster recovery
test associated with the House’s FFS processing requirements, and resolving
problems identified.
Office Of Inspector General Comments
The action taken by the CAO is responsive to the issue identified and satisfies the intent of the recommendation. We therefore consider Recommendation 17 closed.
Based on the actions completed by USGS, we consider Recommendations
6.C and 18.A closed. The actions taken and
planned for the remaining 22 recommendations are responsive to the issues
identified and, when fully implemented, should satisfy the intent of the
recommendations. Further, the milestone dates provided for completing these
actions appear reasonable.