
Review of the United States Marshals Service's Prisoner Tracking System

Report No. 04-29
August 2004
Office of the Inspector General


Executive Summary

The United States Marshals Service (USMS) is responsible for housing federal prisoners awaiting trial in federal courts. On any given day, the USMS maintains custody of approximately 40,000 federal prisoners in local jails, contract facilities, and federal Bureau of Prisons (BOP) facilities throughout the country. Depending upon the length of a prisoner's court trial, time spent in USMS custody may run from several days to several years.

The USMS uses the Prisoner Tracking System (PTS) application to maintain tracking information for federal prisoners in USMS custody. The PTS contains information that is specific to each individual prisoner, including the prisoner's personal data, property, medical information, criminal information, and location. Additionally, the USMS uses the application as an informational and scheduling tool to assist USMS personnel in locating prisoners for court appearances. Prisoners' records are created using information obtained from key source documents, and this information is entered into the PTS. The PTS information is critical to processing and transporting prisoners because the USMS relies on the confidentiality, availability, and integrity of this information to ensure the safety of both the prisoners and the law enforcement officers charged with their care.

The objectives of this audit were to assess the effectiveness of select general controls for the PTS at the entity-wide level, review PTS's application controls, and perform data integrity testing. The Office of the Inspector General (OIG) performed this audit in accordance with the Government Auditing Standards. We used the Federal Information System Controls Audit Manual (FISCAM), Department of Justice (Department) policies and procedures, National Institute of Standards and Technology (NIST) Special Publications (SP), Office of Management and Budget (OMB) Guidelines, and the USMS's policies for prisoner processing and cellblock operations as criteria for this audit.[1] Specific details of our audit objectives, scope, and methodology appear in Appendix 1.

The USMS divides its operations into four regions with 94 district offices (DOs). To gain a nationwide representation of PTS operational activities, we elected to review DOs in each of the four USMS regions. We judgmentally selected the following sites: Alexandria, Virginia; Washington, D.C.; New York, New York; Houston, Texas; Philadelphia, Pennsylvania; Chicago, Illinois; Miami, Florida; and Phoenix, Arizona.

During our audit, we reviewed select general controls designed to protect the PTS application against unauthorized use, loss, or modification of its data.[2] Additionally, we reviewed application controls within the PTS that are used to ensure the validity, proper authorization, and completeness of transactions when entering prisoners' data into the PTS. We also tested output reports from the PTS application against source documents contained in prisoner file folders to assess the data integrity within the PTS.

SUMMARY RESULTS OF THE AUDIT

Select General Controls

Our review of the PTS identified weaknesses within each of the six general control categories designed to protect the PTS's system environment. Specifically, we found deficiencies within PTS's entity-wide security program planning and management, access controls, application software development and change control, system software, segregation of duties, and service continuity controls.

Following the chart below we summarize each vulnerability.

| GENERAL CONTROL AREAS | CONTROL | VULNERABILITIES NOTED |
|---|---|---|
| Entity-wide Security Program Planning & Management | Assess risks periodically | |
| | Document an entity-wide security program plan | |
| | Establish a security management structure and clearly assign security responsibilities | X |
| | Implement effective security-related personnel policies | X |
| | Monitor the security program's effectiveness and make changes as needed | |
| Access Controls | Classify information resources according to their criticality and sensitivity | |
| | Maintain a current list of authorized users and ensure that their access is authorized | X |
| | Establish physical and logical controls to prevent and detect unauthorized access | X |
| | Monitor access, investigate apparent security violations, and take appropriate remedial action | |
| Application Software Development & Change Control | Authorize processing features and modifications | X |
| | Test and approve all new and revised software | |
| | Control software libraries | |
| System Software | Limit access to system software | |
| | Monitor access to and use of system software | |
| | Control system software changes | X |
| Segregation of Duties | Segregate incompatible duties and establish related policies | X |
| | Establish access controls to enforce segregation of duties | |
| | Control personnel activities through formal operating procedures and supervision and review | X |
| Service Continuity | Assess the criticality and sensitivity of computerized operations and identify supporting resources | X |
| | Take steps to prevent and minimize potential damage and interruption | X |
| | Develop and document a comprehensive contingency plan | |
| | Test the contingency plan periodically and adjust it as appropriate | X |

Entity-wide Security Program Planning and Management

Within the area of entity-wide security program planning and management, a security manager for the PTS application was not appointed and employees lacked adequate training and expertise. These deficiencies could negatively impact the USMS's ability to assess risks and provide protection for sensitive PTS data.

Access Controls

The USMS did not properly maintain the PTS authorized user list and allowed accounts to remain on the list for employees who no longer required access. Active but invalid accounts could enable an unauthorized user to gain access to sensitive information. Ineffective access controls diminish the reliability of data and subject the system to unauthorized use, loss, or modification.

Additionally, the USMS did not enforce physical access controls to protect data entry terminals from access by unauthorized users. Physical access to computer facilities that house data entry terminals could allow unauthorized individuals to obtain confidential printed reports, view sensitive data displayed on computer screens, and steal or damage equipment.

Application Software Development and Change Control

Interviews conducted during our site visits disclosed that program modifications were not properly authorized. Application users are generally responsible for requesting and authorizing system changes. However, we found that the PTS application end-users were either unfamiliar with or unaware of the process for requesting changes to the application. Inadequacies with controls that protect application software from unauthorized changes could result in the USMS allowing unauthorized modifications to be made to the PTS application.

System Software

The effectiveness of the PTS's system software controls was jeopardized because the USMS is using outdated programming and database management software to support the application. The use of such outdated software prevents the USMS from implementing new security enhancements that are designed to protect the application. This deficiency also increases the risk that, without timely software updates that enhance functionality and security, data could be improperly processed by the application or insufficiently protected.

Segregation of Duties

Policies and procedures are not in place to segregate incompatible duties for personnel performing critical functions, such as prisoner intake and record creation processes. Compounding this problem, the USMS has no formal procedures to guide personnel performing activities that directly affect the reliability of the PTS data. Without the segregation of duties, and in the absence of formal procedures, the USMS cannot ensure the confidentiality, integrity, and availability of PTS data during the prisoner processing cycle.

Service Continuity

Backup tapes were not being rotated off-site, and the contingency plan for the PTS had not been tested. We also found that key personnel responsible for emergency response activities lacked sufficient training and expertise. System administrators were not familiar with the current version of the software supporting the PTS application or the location of their local DO's database files. Consequently, the USMS may lose the capability to restore the PTS's application software and data because it is relying on insufficient preventative measures to mitigate service disruptions. Moreover, the USMS is depending on inadequately trained individuals to respond appropriately in the case of an emergency and to assist in restoring the application software and data files of this mission-critical operation.

Application Controls

In addition to the general controls findings previously mentioned, our review of the PTS identified deficiencies within each of the four application control areas we tested. Following the chart below is a summary of each vulnerability indicated in the chart.

| APPLICATION CONTROL AREAS | CONTROL | VULNERABILITIES NOTED |
|---|---|---|
| Authorization Controls | All data are authorized before entering the application system | X |
| | Restrict data entry terminals to authorized users for authorized purposes | X |
| | Master files and exception reporting help ensure all data are processed and are authorized | |
| Completeness Controls | All authorized transactions are entered into and processed by the computer | X |
| | Reconciliations are performed to verify data completeness | |
| Accuracy Controls | Data entry design features contribute to data accuracy | |
| | Data validation and editing are performed to identify erroneous data | |
| | Erroneous data are captured, reported, investigated, and corrected | X |
| | Output reports are reviewed to help maintain data accuracy and validity | X |
| Controls Over Integrity of Processing and Data Files | Procedures ensure that the current version of production programs and data files are used during processing | |
| | Programs include routines to verify that the proper version of the computer files is used during processing | |
| | Programs include routines for checking internal file header labels before processing | |
| | Mechanisms within the application protect against concurrent file updates | X |

Authorization Controls

We found problems with authorization controls that ensure the validity of transactions. The USMS has not formally established baseline requirements for key source documents used to create prisoner records in the PTS or for the proper authorization of source documents. This lack of standards from the USMS headquarters for key source documents resulted in inconsistent data collection, record creation, and file maintenance practices throughout the USMS sites audited. Formal standards would help to ensure, at a minimum, that each prisoner file folder contains photographs, medical information, and fingerprint cards. Also, such standards would help to ensure that critical identifying information is collected from a reliable source. These standards could also provide reasonable assurance against the misidentification or mishandling of a prisoner due to inaccurate, unauthorized, or unreliable data.

Additionally, supervisory or independent reviews to ensure the proper authorization of source documents and transactions were not being performed prior to the data being entered into the PTS. This occurred because the USMS has not implemented adequate authorization standards for source documents or required that supervisory reviews be performed on a consistent basis. This precautionary measure would help ensure that transactions are properly authorized and supported by a reliable source document that has been signed. It would also assist with the prevention of unauthorized, inappropriate, or incorrect transactions from being entered that could negatively impact the integrity of data within the PTS.

Controls for ensuring that data entry terminals are used for authorized purposes, such as audit logs, were weak. Audit logs that help to recreate events and track user activity were not being maintained for the PTS application. The USMS management does not require that audit logs be maintained for the PTS to track the occurrence of unauthorized activities. In our opinion, this condition increases the risk to the USMS that covert activity by a user, such as entering an unauthorized transaction resulting in the early release of a prisoner, may go undetected. The risks to the safety of the USMS personnel who process and transport prisoners and the general public are increased when coupled with weak authorization controls over source documents and the lack of supervisory reviews of transactions.

Completeness Controls

The PTS application does not effectively use a completeness control known as computer sequence checking to automatically perform global database searches. Computer sequence checking would identify or prevent the assignment of multiple USMS numbers to the same prisoner.[3] At present, each of the 94 DOs maintains a local PTS database and the application is only programmed to automatically perform searches for existing name and USMS number information within a user's own local database. The current configuration does not provide assurance that the prisoner does not have an existing USMS number in any one of the other 93 local USMS databases. Without the capability to perform global searches of all existing databases, the USMS cannot ensure that it complies with its own policies prohibiting the multiple assignment of USMS numbers to the same prisoner.

Accuracy Controls

Within the area of accuracy controls, we found that the USMS management does not have an effective means of determining the existence of erroneous data, such as uncorrected errors, or the severity of errors in data entered into or processed by the application. Information regarding erroneous data was not collected and reported back to the USMS management for investigation or correction. This occurred because the USMS did not require that information regarding such data be collected. This type of oversight could negatively impact the reliability of the PTS's data through the propagation of undetected errors throughout the application.

We also found that the PTS's accuracy controls were impacted because the USMS did not adequately control the production and distribution of sensitive PTS output reports. Specifically, authorized users of the PTS print sensitive output reports to shared network printers used by non-authorized employees. This practice exposes sensitive system data beyond the level that employees need to perform their duties. Without adequate controls over the distribution of output reports, unauthorized individuals may inadvertently gain access to output reports and divulge sensitive and confidential information.

Controls Over Integrity of Processing and Data Files

Controls over integrity of processing and data files for the PTS application were deficient. This was due to the USMS not ensuring that each installation of the PTS application at the 94 DOs nationwide protects against simultaneous updates. We observed that the application allowed two users to update the same file concurrently, which raises doubt as to which user's information was accurately recorded and processed by the application. This type of system malfunction could negatively impact the reliability of data within the PTS application.

Data Integrity

In addition to the deficiencies discovered within PTS's general and application controls, our audit disclosed weaknesses within PTS's data integrity. We tested the two factors that contribute to data integrity: completeness of prisoner records and accuracy of information. Our review discovered weaknesses within both areas tested. A summary of each vulnerability follows the chart.

| Data Integrity Assessment Factors | CONTROL | VULNERABILITIES NOTED |
|---|---|---|
| Completeness of Information | Records contain all of the data elements and documents used as support for the transactions | X |
| Accuracy of Information | Output reports reflect the data obtained from the source documents | X |

Completeness of Information

Our findings revealed deficiencies in the completeness of prisoner records. Many of the prisoner file folders we reviewed were missing key source documents used to validate data entry transactions and to substantiate the actions taken by USMS personnel.[4] This occurred because the USMS did not establish and implement standards regarding data collection in order to comply with federal records retention requirements. Incomplete prisoner file folders pose a significant risk to the USMS's ability to validate the PTS transactions, verify information, and justify the actions of its employees. Additionally, maintaining adequate and proper documentation of program activities enables the USMS to protect the federal government's legal and financial interests.

Accuracy of Information

Reviews of output reports produced by the PTS application disclosed discrepancies in the accuracy of information. Output reports help to maintain the accuracy and validity of data within a system and determine the completeness of processing. We found that prisoner identifying information, such as a prisoner's date of birth, appearing on the PTS output reports did not match source documents contained in the prisoner's file folder. Additionally, critical dates, such as a prisoner's custody date, did not correlate with dates on source documents in the prisoner's file folder. Inaccurate PTS information could result in the overpayment of jail bills, the untimely release of a prisoner, or the misidentification of a prisoner requiring special handling within the prisoner population.

CONCLUSION AND RECOMMENDATIONS

We consider our findings in the areas of select general controls, application controls, and data integrity to be major weaknesses. We further conclude that the state of the PTS's existing controls poses a high risk to the protection of its data from unauthorized use, loss, or modification.[5]

We conclude that these weaknesses occurred because the USMS did not fully comply with current Department policies and procedures, NIST standards, OMB guidelines, or its own procedures for prisoner processing and cellblock operations. If not corrected, these security vulnerabilities could impair the USMS's ability to fully ensure the integrity, confidentiality, and availability of data within the PTS.

This report contains 20 recommendations for improving select general controls, application controls, and the integrity of data for the PTS. In general, we recommend that the USMS:

  • Appoint a security manager responsible for the PTS application;
  • Develop a training program to ensure that PTS users receive specialized training before being granted access to the application and ensure that system administrators are trained in their responsibilities;
  • Review access authorizations for the PTS application and update the PTS authorized user list in a timely manner;
  • Ensure that existing measures, such as door locks, are used to provide protection against unauthorized access to sensitive areas;
  • Inform users regarding policies and procedures for requesting changes to the application and update the PTS's production environment by replacing outdated software with current software;
  • Develop and enforce policies and procedures to segregate duties among staff performing critical PTS functions;
  • Identify and train employees involved in emergency response procedures in their roles and responsibilities; maintain emergency contact lists on-site; rotate and store backup tapes off-site; and test the PTS contingency plan annually;
  • Standardize the record creation process throughout the USMS for the PTS and establish key source document requirements for data collection;
  • Implement a control, such as requiring the supervisory authorization of data, to ensure that before information is entered into the system, transactions are supported by properly authorized source documents;
  • Maintain and review audit trails for the PTS application;
  • Modify PTS to perform automatic global database searches to assist with the prevention of assigning multiple USMS numbers to the same prisoner, report erroneous data to the PTS users department for investigation and correction, and protect the PTS output reports containing sensitive privacy information from access by unauthorized persons;
  • Ensure each installation of the PTS application protects against simultaneous updates of the same record by more than one end-user; and
  • Maintain adequate source documents in prisoners' file folders to substantiate employee activities and implement quality control measures to ensure data integrity.

Footnotes
  1. The General Accounting Office's (GAO) FISCAM provides a methodology for guiding auditors in evaluating general and application controls used by information systems to protect the integrity, confidentiality, and availability of data. Descriptions of the FISCAM select general control and application control areas tested during this audit can be found in Appendix 3.
  2. General controls are entity-wide controls used to protect a system's environment. The PTS application can only be accessed via the USMS's Marshals Network (MNET); therefore, MNET serves as the PTS application's system environment. We reviewed the select general controls recommended by the FISCAM for evaluating and testing application controls because general controls for MNET were assessed during the OIG's January 2004 Federal Information Security Management Act (FISMA) review. The results of this assessment can be found in the OIG's Audit Report No. 04-11.
  3. Computer sequence checking helps identify missing or duplicate numbers in a series. USMS numbers are assigned sequentially to prisoners processed by a DO; however, database searches are conducted by prisoner name rather than USMS number.
  4. The GAO defines a source document as any form of information that serves as the basis for entry of data into a computer system.
  5. NIST SP 800-18 defines risk as the possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity. Additionally, NIST categorizes the requirements for protecting the confidentiality, integrity, and availability of system information into three basic categories - high, medium, and low - according to the system's sensitivity level. Specifically, a high risk is considered a critical concern of the system.