Review of the United States Marshals Service's Prisoner Tracking System
Report No. 04-29
August 2004
Office of the Inspector General

| CONTROL AREAS | VULNERABILITIES NOTED |
| --- | --- |
| Entity-wide Security Program Planning & Management | |
| Assess risks periodically | |
| Document an entity-wide security program plan | |
| Establish a security management structure and clearly assign security responsibilities | X |
| Implement effective security-related personnel policies | X |
| Monitor the security program’s effectiveness and make changes as needed | |
| Access Controls | |
| Classify information resources according to their criticality and sensitivity | |
| Maintain a current list of authorized users and ensure that their access is authorized | X |
| Establish physical and logical controls to prevent and detect unauthorized access | X |
| Monitor access, investigate apparent security violations, and take appropriate remedial action | |
| Application Software Development & Change Control | |
| Authorize processing features and modifications | X |
| Test and approve all new and revised software | |
| Control software libraries | |
| System Software | |
| Limit access to system software | |
| Monitor access to and use of system software | |
| Control system software changes | X |
| Segregation of Duties | |
| Segregate incompatible duties and establish related policies | X |
| Establish access controls to enforce segregation of duties | |
| Control personnel activities through formal operating procedures and supervision and review | X |
| Service Continuity | |
| Assess the criticality and sensitivity of computerized operations and identify supporting resources | X |
| Take steps to prevent and minimize potential damage and interruption | X |
| Develop and document a comprehensive contingency plan | |
| Test the contingency plan periodically and adjust it as appropriate | X |

| CONTROL AREAS | VULNERABILITIES NOTED |
| --- | --- |
| Authorization Controls | |
| All data are authorized before entering the application system | X |
| Restrict data entry terminals to authorized users for authorized purposes | X |
| Master files and exception reporting help ensure all data are processed and are authorized | |
| Completeness Controls | |
| All authorized transactions are entered into and processed by the computer | X |
| Reconciliations are performed to verify data completeness | |
| Accuracy Controls | |
| Data entry design features contribute to data accuracy | |
| Data validation and editing are performed to identify erroneous data | |
| Erroneous data are captured, reported, investigated, and corrected | X |
| Output reports are reviewed to help maintain data accuracy and validity | X |
| Controls Over Integrity of Processing and Data Files | |
| Procedures ensure that the current version of production programs and data files are used during processing | |
| Programs include routines to verify that the proper version of the computer files is used during processing | |
| Programs include routines for checking internal file header labels before processing | |
| Mechanisms within the application protect against concurrent file updates | X |