Select Application Controls Review of the Federal Bureau of Prisons's Sentry Database System
Report No. 03-25
Office of the Inspector General
SENTRY is the Federal Bureau of Prisons's (BOP) primary mission support database. The system collects, maintains, and tracks critical inmate information, including inmate location, medical history, behavior history, and release data. SENTRY processes over 1 million transactions each day and tracks more than 165,000 inmates. Roughly 85 percent of these inmates are housed within the BOP facilities, with the remaining inmates confined in other government facilities (state or local) or privately operated facilities through contracts with the BOP. As of March 2003, over 24,000 personal computers at approximately 200 facilities could access SENTRY.
The purpose of this audit was to assess the application controls for the BOP's SENTRY database to determine whether inmate data entered in SENTRY is valid, properly authorized, and completely and accurately processed.1 Our criterion for conducting the review was the Federal Information System Controls Audit Manual (FISCAM).2 We reviewed the accuracy and timeliness of SENTRY's input, processing, and output controls and judgmentally selected 3 of the BOP's 29 Community Corrections Offices (CCO) for onsite reviews of their operational workflow (Annapolis Junction, Maryland; Philadelphia, Pennsylvania; and Chicago, Illinois). These sites were selected because they process large volumes of inmate data into SENTRY.
Our application review of SENTRY identified weaknesses in 4 of the 27 FISCAM control areas that we tested. We do not consider our findings in these areas to be major weaknesses and assessed SENTRY overall at a low risk to the protection of its data from unauthorized use, loss, or modification.3 Our findings were in the following four areas:
Specifically, we identified data input errors resulting in incorrect inmate offense/charge codes, incorrect inmate commitment dates, incorrect dates of offense, and offense fines not entered into SENTRY. We also found that the BOP did not adequately monitor audit log exception reports. Moreover, our review of SENTRY's access controls disclosed that the combination of authorization profiles and terminal access authority did not function as required: users with limited access profiles were able to process transactions above their level of access when logged onto terminals designated for users with higher authorization. We also tested completeness controls and found that the BOP's SENTRY General Use Manual omitted a required step for updating inmate information.
We concluded that these weaknesses occurred because BOP management did not fully develop, document, or enforce the BOP policies in accordance with current Department of Justice (Department) policies and procedures. If not corrected, these security vulnerabilities could impair the BOP's ability to fully ensure the integrity, confidentiality, and availability of data contained in SENTRY.
This report contains recommendations for improving application controls for SENTRY in the Findings and Recommendations section. In general, we recommend that BOP management ensure that:
The details of our work are contained in the Findings and Recommendations section of the report. Our objectives, scope, and methodology appear in Appendix I.