Review of the United States Marshals Service's Prisoner Tracking System
Report No. 04-29
Office of the Inspector General
USMS Response to Draft Audit Report on the
Appoint a security manager responsible for the PTS application and ensure the appointment is documented.
Response: (Agree.) An Information Systems Security Officer (ISSO) for PTS was designated by memorandum dated April 30, 2004. (See Attachment A.)
Develop a training program to ensure that PTS users receive specialized training before being granted access to the application.
Response: (Agree.) The future Justice Detainee Information System (JDIS), a merging of PTS with other USMS systems, will include a training module designed to teach a new user the application before he/she begins actually utilizing the application.
Ensure that individuals performing system administrator duties are properly trained in their responsibilities.
Response: (Additional Information Requested.) The report states that "some system administrators were unfamiliar with their hardware and software environment and lacked specific knowledge.,.". Accordingly, we will work with the OIG to identify which system administrators lacked the adequate knowledge and expertise. During the exit interview, the OIG stated their finding was based on the auditors speaking to Administrative Officers and/or personnel with collateral IT duties in the Eastern District of Virginia, not to ITS system administrators, who do have adequate training and expertise. If this was the only instance then we will ask that the finding he deleted from the audit report or at a minimum correct the report to reflect the above.
Ensure that access authorizations for the PTS are reviewed and that USMS Headquarters update its authorized PTS users list in a timely manner to incorporate changes from the District Offices.
Response: (Agree in Part.) There is no known DOJ or federal security requirement that states that both local offices and Headquarters must maintain user lists. However, the USMS recognizes the need for establishing internal controls to ensure the integrity of authorized access for PTS. Therefore, the OSMS will ensure that our internal audits conducted by USMS Program Review include a review of the districts' lists for accuracy.
Ensure that existing measures, such as door locks, are used to provide protection against unauthorized access to sensitive areas.
Response: (Additional Information Requested.) The audit report states, "physical access controls were adequately enforced at seven of the eight sites visited." It would appear this situation is an aberration versus a systemic problem that justifies categorization as a vulnerability in the report. During the exit interview the USMS requested the site where the locks were not engaged, but to date this information has not been received from the OIG. The USMS would require the location be provided in order to take corrective measures.
Ensure PTS users are informed of the policies and procedures for requesting changes to the application.
Response: (Disagree.) The OIG states that, "PTS application end-users were either unfamiliar with or unaware of the process for requesting changes to the application." As acknowledged in the report the USMS does have a Systems Development Life Cycle (SDLC) process in place that contains system change request instructions. The SDLC policy is published on the USMS Intranet (making it available to all USMS information technology users). USMS personnel were informed of the new procedures by e-mail at the time of its issuance and provided specialized training. Cumulatively, these measures seem reasonable and adequate to ensure end-users are aware of the necessary process. Moreover, because there is nothing in the audit report text to substantiate that the potential vulnerability noted in the last paragraph of page 12 exists at USMS, we ask that consideration be given to excluding this item as a noted vulnerability.
Remove outdated version of the PTS's application programming software and database management system from the production environment and replace with current versions that are supported by the vendor.
Response: (Agree.) The USMS concurs with the OIG finding on pages iv and 13-14 of the report. The USMS has already taken steps through the development of JDIS to address this problem.
Ensure policies and procedures for segregating duties are developed and enforced to provide assurance that district functions are performed by different individuals and that no individual has complete control over the PTS's processing functions.
Response: (Agree in Pan, Additional Information Requested.) To the extent feasible with existing IT staffing resources, the USMS has segregated duties to minimize functional incompatibility. On April 30, 2004, the USMS Chief of IT Security issued memoranda designating specified individuals as Information Systems Security Officers (including for PTS) and delineated their duties. The memorandum is consistent with DOJ policy requirements and should resolve the noted vulnerability.
With regard to the lack of formal policies and procedures for the record creation process. as noted in the last two paragraphs on page 16 of the audit report, we have asked for clarification from the auditors, The formal policy and procedures are outlined in the P15 Users Manual and the \Veb Based Policy Directive 9.2 (Attachment B).
Ensure the PTS's backup tapes arc property rotated and stored at an off-site location.
Response: (Additional Information Requested.) As stated in the audit report there is established USMS IT policy that requires rotation and off-site storage of backup tapes. The USMS would request that the OIG provides details as to the specific sites where backup tapes are not being periodically rotated in order to take corrective action. In addition, ITS will require this be reinforced by USMS Program Review team when they are conducting on site audits of the district offices.
Perform annual testing of the PTS contingency plan as required by the Department.
The PTS contingency plan will be tested annually in accordance with DOJ IT security policy.
Develop policies and procedures to:
Response: (Agree in Part).
Implement a control, such as requiring the supervisory authorization of data, to ensure that before information is entered into the system, transactions are supported by properly authorized source documents.
Response: (Agree in Part.) The recommendation calls for a supervisor to sign off on a handwritten USM-129/312. In addition, the OIG also suggests that supervisors oversee data entry by checking each entry against the printed version of the USM-l29/3 12 and checking each transaction against a source document. In our view, unless a prisoner is re-interviewed by the supervisor, there would be little that could be achieved on verification of information, the district can ensure data fields are completed when applicable. Therefore, without creating layers of redundant work, the USMS will notify district managers to perform a periodic spot check of PTS transactions to ensure integrity of information, limited resources will preclude implementation of supervisory verification to the extent OIG suggests.
Maintain and review audit trails for the PTS application as required by the Department.
Response: (Agree in Part.) The Authorization Controls vulnerability (2nd checked item vulnerability) noted on page vi is inconsistent with the text supporting it on pages vii and 27 of the audit report. It would appear that the text supports the noted Completeness Controls vulnerability, but should be eliminated as a vulnerability under Authorization Controls. It should also be noted that while the USMS does agree that adequate audit logs do not currently exist on the PTS system, this is due to the age of the system software (as addressed previously in our response to Recommendation 7), not because "USMS management does not require that audit logs be maintained" (as stated on page vii of the audit report). The JDIS initiative underway will rectify the audit log problem.
Ensure that the PTS application is modified to perform automatic global database searches of all its district offices' databases to prevent the assignment of more than one USMS number to the same prisoner.
Response: (Agree.) Through JDIS, global searches will be possible, and enhanced reporting capability will be provided to assist districts/PSD in the identification of erroneous data.
Ensure erroneous data is collected and reported back to USMS management for investigation and Correction.
Response: (Agree.) PSD already performs periodic spot cheeks of records via reports that are written for jail utilization and population projections. PSD is currently in the process of performing a "records clean-up" in anticipation of the release of a new version of PTS.
Ensure that PTS output reports containing sensitive privacy information are protected from unauthorized persons.
Response: (Disagree.) The USMS position on this recommendation is that there is no "unauthorized" employee. All USMS employees a background investigation before beginning employment, and receive the appropriate clearance level for this type of information. In addition, all USMS employees will undergo computer security training. Unfortunately, networked printers are a requirement due to limited resources.
Ensure that each installation of the application protects against simultaneous updates of the same record by more than one end-user.
Response: (Additional Information Requested.) USMS/ITS was unable to replicate the OIG-described situation of concurrent updates of the same PTS record. We ask that OIG provide backup details, so that we can respond to this finding/recommendation.
Ensure that adequate and proper source documents are maintained in prisoner file folders to substantiate employee activities.
Response: (Agree.) Through policy revisions and memoranda, districts will be specifically instructed as to what information should be contained in the prisoner folder. (Also see our response to Recommendation 12 a).
Ensure that data integrity assurances and quality control measures are developed and implemented to:
Response. (Agree.) Please refer to our responses to Recommendations 13, 16, and 19, as this recommendation is closely related. We will remind the district offices to keep clean and accurate prisoner folders.
OIG Note: Additional attachments to the consolidated response were too voluminous to incorporate into this report. The attachments may be obtained by contacting the United States Marshals Service.