Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002
The Office of Justice Programs' Enterprise Network System
Report No. 03-01
Office of the Inspector General
The Office of Justice Programs (OJP) is a federal agency within the Department of Justice (Department). Specifically, the OJP’s mission is to develop the nation's capacity to prevent and control crime, improve the criminal and juvenile justice systems, increase knowledge about crime and related issues, and assist crime victims. The OJP's senior management team is comprised of the Assistant Attorney General (AAG), the Deputy Assistant Attorney General (DAAG), and five bureau heads.
The Enterprise Network System (ENS) is the overall general support system that provides enterprise-wide information infrastructure services in support of the OJP mission. The ENS provides storage, processing, and transmission of a large variety of the OJP accounting and administrative information. Mission and administrative support functions of the OJP rely extensively on the availability of the ENS and the access it provides to facilitate the OJP program participation and efficient financial management operations. All information on the ENS is considered sensitive but unclassified.
The Office of the Inspector General (OIG) selected the OJP as one of five sensitive but unclassified systems to review pursuant to the Government Information Security Reform Act (GISRA) for the fiscal year (FY) 2002. The OIG was required by GISRA to perform an independent evaluation of the Department’s information security program and practices. This report contains the results of the ENS audit. Separate reports will be issued for each of the other systems evaluated pursuant to GISRA, including three systems that process classified information.
Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) was selected to perform the ENS audit. The audit took place from May through July 2002 and consisted of interviews, on-site observations, and reviews of Department and component documentation to assess the ENS’s compliance with GISRA and related information security policies, procedures, standards, and guidelines.1
During our review of the ENS, KPMG LLP (KPMG) was performing an audit of the ENS security controls in support of the fiscal year 2002 financial statement audit. GISRA mandates (as part of the Paperwork Reduction Act) that the OIG and its contractors rely whenever possible on work performed by other reviewers for its GISRA audits, so as not to duplicate efforts. To avoid duplication, PwC limited its role to reviewing management and operational controls and relied on the testing of technical controls performed by KPMG.
PwC’s testing did not identify any areas where additional work was required or where there appeared to be any inconsistency with the conclusions reached by KPMG. Therefore, for the vulnerabilities noted in this report, we2 are not providing recommendations. Instead, we are consolidating and reporting the recommendations in the OIG's financial statement FY 2002 report to simplify tracking of recommendations and corrective actions.3
Based on PwC’s and KPMG’s assessments, we assessed management, operational, and technical controls at a medium to high risk to the protection of the ENS from unauthorized use, loss, or modification. Specifically, the auditors identified vulnerabilities in 7 of the 17 control areas. Two of the seven vulnerabilities were identified as high risks to the protection of the ENS as indicated in the following chart.
|1. Risk Management|
|2. Review of Security Controls|
|3. Life Cycle||X|
|4. Authorize Processing
(Certification and Accreditation)
|5. System Security Plan||X|
|6. Personnel Security||X|
|7. Physical and Environmental Protection|
|8. Production, Input/Output Controls|
|9. Contingency Planning||X|
|10. Hardware and Systems Software Maintenance|
|11. Data Integrity|
|13. Security Awareness, Training, and Education||X|
|14. Incident Response Capability|
|15. Identification and Authentication||X*|
|16. Logical Access Controls||X*|
|17. Audit Trails|
|Source: The OIG’s FY 2002 GISRA audit of ENS|
|X*||Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.|
As a result of this audit, we identified the following vulnerabilities:
We concluded that these vulnerabilities occurred because the OJP management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures in the certification and accreditation process to ensure the ENS is protected from unauthorized use, loss, or modification. If not corrected, these security vulnerabilities threaten the ENS and its data with the potential for unauthorized use, loss, or modification.