Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002
The Federal Bureau of Prisons' Inmate Telephone System II
Report No. 03-04
Office of the Inspector General
The fiscal year (FY) 2001 Defense Authorization Act (Public Law 106-398) includes Title X, Subtitle G, the "Government Information Security Reform Act" (GISRA). GISRA became effective on November 29, 2000, and amends the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It requires federal agencies to:
The objective of the audit was to determine the Department of Justice's (Department) compliance with the requirements of GISRA. The Inmate Telephone System II (ITS II) was selected as one of the subset of systems to be tested to determine the effectiveness of the Department's overall security program for FY 2002. In determining if the Department is compliant with GISRA requirements, PricewaterhouseCoopers LLP (PwC) assessed whether adequate computer security controls existed to protect the ITS II from unauthorized use, loss, or modification.
Under the direction of the OIG and in accordance with Government Auditing Standards, PwC performed the audit of ITS II. The audit took place from May through July 2002. During our audit, we met with Federal Bureau of Prisons (BOP) officials from the ITS II System Control Center. We reviewed documentation that included the BOP's information technology (IT) documents, organizational structures, OMB GISRA reporting information, and prior OIG and Department reports to assess the compliance of ITS II with GISRA and related information security policies, procedures, standards, and guidelines. We performed test work at BOP Headquarters in Washington, D.C.
For the interviews conducted, we used the questionnaire contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems." This questionnaire contains specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire contains 17 areas under 3 general controls (management, operational, and technical). The areas contain 36 critical elements and 225 supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from OMB Circular A-130 and are integral to an effective IT security program. The control objectives and techniques support the critical elements. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.
The audit approach was based on the General Accounting Office's Federal Information System Controls Audit Manual, the Chief Information Officer Council Framework, OMB Circular A-130, and guidance established by NIST. These authorities prescribe a review that evaluates the adequacy of management, operational, and technical controls over control areas listed in Appendix I.
INMATE TELEPHONE SYSTEM II (ITS II) NETWORK ENVIRONMENT
The ITS was developed in 1988. In an August 1999 review performed by the OIG, we found that a significant number of federal inmates use prison telephones to commit serious crimes while incarcerated, including murder, drug trafficking, and fraud. BOP management acknowledged the shortcomings of its inmate telephone system and indicated that a more sophisticated version, called ITS II, was being developed to provide more options for restricting and controlling inmate access to prison telephones.
While the former inmate telephone system was self-contained at each institution and was incapable of sharing data through a central database, ITS II is designed to allow the BOP to access inmate telephone information from all BOP institutions simultaneously. ITS II gives the BOP the ability to control inmates' telephone access, keep records of the calls, adjust the inmates' commissary accounts, and bill inmates for the calls. ITS II also allows the BOP's Central Office to monitor and record the telephone conversations of any inmate in the country.
The ITS II network environment consists of wide-area network circuits, routers, Ethernet switches, and network management for the ITS II computer systems and networking equipment. The ITS II computer systems run on UNIX and Windows NT platforms.
SUMMARY RESULTS OF THE AUDIT
We obtained audit evidence to determine whether adequate computer security controls existed to protect ITS II from unauthorized use, loss, or modification. Our testing consisted of assessing management, operational, and technical controls for the 17 critical areas for the ITS II. Our testing disclosed vulnerabilities within 13 of the 17 areas. Two of the 13 vulnerabilities were within technical controls and were identified as high risks to the protection of ITS II.
We concluded that these vulnerabilities occurred because ITS II management did not fully develop, document, or enforce agency-wide policies in accordance with current Department policies and procedures. Additionally, we believe the Department did not enforce its security policies and procedures through its certification and accreditation process to ensure that ITS II is protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities threaten ITS II and its data with the potential for unauthorized use, loss, or modification.