Summary of the Independent Evaluation Pursuant to the
Government Information Security Reform Act Fiscal Year 2001
Sensitive But Unclassified Systems
Report No. 02-18
Office of the Inspector General
PricewaterhouseCoopers LLP conducted the assessment of the overall computer security program and practices for the Department's sensitive but unclassified (SBU) systems by performing individual audits on five systems: the Federal Bureau of Prisons Network (BOPNet); the Drug Enforcement Administration's Firebird and El Paso Intelligence Center Information System (EIS); the Executive Office for U.S. Attorneys' Justice Consolidated Office Network II (JCONII); and the Justice Management Division's Rockville and Dallas Data Centers (JDCs).
The Federal Bureau of Prisons (BOP)
The mission of the BOP is to protect society by confining offenders in the controlled environments of prisons and community-based facilities that are safe, humane, and appropriately secure, and providing work and other self-improvement opportunities to assist offenders in becoming law-abiding citizens. The BOP employs approximately 33,000 employees in its central office, six regional offices, and approximately 29 community correction management offices and 105 correctional facilities.
To fulfill its mission, the BOP uses automated information systems. One of its more critical information systems is the BOP Network (BOPNet). BOPNet is a SBU client/server-based network that interconnects the BOP central offices and nationwide facilities' workstations. BOPNet uses Novell Netware and Windows NT Server operating systems and provides users access to office automation software and BOP specific applications such as SENTRY. The BOP uses SENTRY to track its more than 158,300 prisoners.
The Drug Enforcement Administration (DEA)
The mission of the DEA is to enforce controlled substances laws and regulations of the United States and investigate organizations and individuals that grow, manufacture, or distribute controlled substances. The DEA also recommends and supports non-enforcement programs that are designed to reduce the availability of illicit controlled substances worldwide.
Firebird is a SBU system that provides office automation tools, e-mail communications, on-line case file database access, and other information resources to DEA administrative, investigative, analytical, and technical support personnel. Because of the sensitive nature of the data processed on Firebird, a compromise of the system could jeopardize the confidentiality of investigations and agent safety. Firebird is a client/server-based system using Windows NT and UNIX operating systems.
The El Paso Intelligence Center (EPIC) is located on Biggs Army Airfield, an extension of Fort Bliss, in El Paso, Texas. Biggs Army Airfield is a controlled access United States Army military installation. Organizationally, EPIC is under the direct line authority of the DEA. EPIC management is comprised of senior law enforcement representatives from several states and 15 federal agencies. Overall coordination of EPIC activities is the responsibility of the EPIC Director. EPIC's mission is to support United States law enforcement and interdiction components through the timely analysis and dissemination of intelligence on illicit drug and alien movements and the criminal organizations responsible for these illegal activities.
The EPIC Information System (EIS) processes data types, ranging in classification from law enforcement sensitive to secret high 4, that encompass historical intelligence, tactical, administrative, and office automation data. The EIS is a mission critical operation that select EPIC personnel access 24 hours a day, seven-days a week, with classified and unclassified sections operating separately. This report summarizes the audit results of the unclassified EIS section.
The EIS was designed to collect, process, and disseminate intelligence information concerning the movement of illicit drugs and currency, alien smuggling, weapons trafficking, and other illegal related activities. The primary repository of the unclassified intelligence data is the EPIC Internal Database (EID). The EID is an Oracle database accessed through a combination of custom developed and commercial-off-the-shelf software. The EID stores suspect and tracking files on people, organizations, vehicles, vessels, aircraft, and associated events for all unclassified intelligence collected at EPIC.
The Executive Office for U.S. Attorneys (EOUSA)
The mission of the EOUSA is to provide the 94 United States Attorney Offices located throughout the 50 states, the District of Columbia, Guam, the Marianas Islands, Puerto Rico, and the U.S. Virgin Islands with general executive assistance, operational and administrative support, and coordination with Department of Justice components and other federal agencies.
The Justice Consolidated Office Network II (JCONII) is a SBU system designed to be the office automation system for the Department's management, litigating, and related legal components.
Administrative support is facilitated through the use of commercial-off-the-shelf applications residing on EOUSA's JCONII. United States Attorneys use JCONII to access legal applications and EOUSA proprietary software. The JCONII system is a client/server-based network using both Windows NT and UNIX platforms.
The Justice Management Division (JMD)
The JMD Information Management and Security Staff's (IMSS) mission is to be the principal point of coordination in DOJ for compliance with federal agency requirements under information technology (IT) laws and directives. IMSS develops and implements policies, procedures, and guidance for IT architecture and strategic planning, IT investment management, and the security of the Department's SBU information systems.
The Department of Justice maintains legacy 5 systems housed on mainframe platforms at data centers in Rockville, Maryland and Dallas, Texas. The Rockville and Dallas data centers (JDCs) exist to provide secure information technology facilities, computing platforms, and support services for the bureaus, offices, boards, and divisions within the Department. Since the JDCs are managed as one unit, they were audited as a combined entity.