Office ofinspector General. Independent Evaluation Report

Transcription

1 AR * Oice onspector General ndependent Evaluation Report./ o. --r-; - - Review o Federal Trade Commission mplementation o the Federal normation Security Management Act For Fiscal Year 2008 September 30,2008 NON PUBLC REPORT

2 Chainnan Kovacic: UNTED STATES OF AMERCA FEDERAL TRADE COMMSSON WASHNGTON. D.C. ZOS80 September 30, 2008 The Oice o nspector General (OG) or the Federal Trade Commission engaged Allied Technology, nc~ to independently evaluate its inormation security or compliance with requirements contained in the Federal nonnation Security Management Act (FSMA) o This report provides the resultsothat evaluation. The objectives were to evaluate the adequacy o the FTC's inonnation security program and its procedures or identiying and protecting Personally dentiiable normation (Pl) and other Privacy Act concerns. This inonnation is provided to senior management and others to enable them to determine the eectiveness o overajl security programs, to ensure the conidentiality and integrity o data entrusted to the FTC, and to develop strat.::gieslbest practices or cost eectively improving inonnation security. The OG reviewed the FTC's security policies, procedures, and practices and conducted an assessmentosecurity controls in the ollowing areas: REDACTED This evaluation was conducted rom June through September 2008 and ollowed standards and requirements or ederal government agencies such as those provided through FSMA, National nstitute o Standards and Technology and the Otlice o Management and Budget memorandums. The FTC s(."curity environment is strone: and robust and continues to evolve to expand its coverage. REDACTED REDACTED REDACTED Tb~ normation and Technology Management oice (TM) took actions that address~ REDACTED recommendations at Headquarters an1 REDACTED!.ecommendations at the REDACTED The

3 - i i -, Ola analysis o the current FTC security/privacy control indi{'l!~ at J..REDA"CTED lieneraliy, tnt: recommendations addressed two area.. RWACTED Respectully submitted, &s:~ nspector General environment irttmtiiptu? REDACTED The major eort or TM nex.t year will h~ '''''o~c-u-s-o-n--~c;-:-'''''---'------;;red~a;-;cted:;;;';.. - Ola commrnds TM on its eorts to assure a secure T environment at the FTC and to thank: TM management or the cooperation and assistance it provided to the OG during our review. it<:,

4 AR Oice o nspector General ndependent Evaluation Report Review ofederal Trade Commission mplementation othe Federal normation Security Management Act For Fiscal Year 2008 September 30, 2008 NON PUBLC REPORT

5 Federal Trade Commission Evaluation othe Federal normation Security Mana ement Act o2002 Submitted to: The Federal Trade Commission Oice othe nspector General 600 Pennsylvania. Avenue, N.w. Washington, DC ATN:John Seeba nspector General Submitted by: Allied Technology Group, nc Research Boulevard Rockville, Maryland Contract Number: GS-35F-0079J Task Order Number: FTC-07-G-7114 This document contains nonpublic normation. Access, mantenance, use, disclosure, removal, and disposal are subject to ederal laws, regulations, orders and policies, including the Federal normation Security Management Act, Federal Records Act, Privacy Act o 1974, FTC Act, and/or other restrictions, where applicable. Violations may result n criminal, civil or disciplinary action, including ines, penalties or imprisonment. FOR OFFCAL USE ONLY

6 TABLE OF CONTENTS EXECUTVE SUMMARY BACKGROUND SCOPE OBJECTVE(S) METHODOLOGY GENERAL OVERVEW FlNDNGS AND RECOMMENDATONS STATUS OFFSCAL YEAR2007 RECOMMENDATONS SUMMARY OF FNDNGS AND RECOMMENDATONS 35 Table ofigures Figure 1: Comparison orevised FTC Policy with NST Requirements 11 Figure 2: e-authentication Filters 14 Figure 3: FTC Systems Summary 14 Figure 4: FSMA Assignment osecurity Responsibility 17 Figure 5: BPD Scanning Tests 19 FOR OFFCAL USE ONLY

7 EXECUTVE SUMMARY Results in Brie The Federal Trade Commission (FTC) is an independent agency responsible or the administration oa variety ostatutes that are designed to promote competition and to protect the public rom unair and deceptive acts and practices in the advertising and marketing ogoods and services. These responsibilities oten result in the accumulation ovast quantities orecords, some o which contain sensitive inormation. Automated inormation systems have been developed or acquired to assist FTC stain conducting their law enorcement and management eorts. This includes collection oinormation rom commercial organizations and the general public. normation in these systems and systems unctionality is made available to FTC employees based on their organizational role. Access to selected inormation is available to the public on a read-only basis via the nternet. The agency also relies on automated iles and records to pay its employees and vendors, process personnel transactions, and perorm other "housekeeping" unctions. The normation and Technology Management (TM) Oice is responsible or the technological inrastructure and the oice systems that provide the FTC with the tools and the inormation needed to conduct and manage its consumer protection and competition missions. Responsibility or establishing and maintaining the FTC inormation assurance/security program is assigned to the Chienormation Security Oicer who reports to the Chienormation Oicer. Responsibility or the FTC Privacy Program is assigned to the ChiePrivacy Oicer who reports to the FTC ChieoSta. The Federal normation Security Management Act o2002 (FSMA) provides a comprehensive ramework or ensuring the eectiveness otechnical, administrative, and physical security controls over inormation resources that support Federal operations and assets. FSMA requires an annual assessment ocompliance with requirements and related inormation security policies, procedures, standards, and guidelines. The assessments are meant to provide agency senior management and others with the needed inormation to determine the eectiveness ooverall security programs, ensure the conidentiality and integrity odata entrusted to the FTC, and to develop strategies/best practices or cost eectively improving inormation security. A critical component othe FSMA inormation assurance program monitoring requirements is an independent assessment oprogram eectiveness by the nspector General (G) othe respective ederal agency. This assessment is intended to identiy weaknesses in agency programs, provide recommendations or corrective actions, and monitor agency success in maintaining the security oagency inormation assets (hardware, sotware, data, and system availability). n its FY 2008 FSMA reporting guidance, OMB expanded the scope othe annual FSMA assessment to include evaluation oagency policies and procedures or collecting, storing, and protecting privacy inormation. 11 FOR OFFCAL USE ONLY

8 The Oice onspector General (OG) reviewed FTC security policies, procedures, and practices and conducted detailed assessmentsoftc security and privacy controls in the ollowing areas: This report provides the results othe independent evaluation othe FTC inormation security environment by the Oice othe nspector General (OG). The results are current as o September 30,2008 and provide the evaluation othe adequacy othe FTC's inormation security program and practices or Fiscal Year 2008 (FY 2008). Findings in Brie TheFC security environment is strong and robust and continues to evolve to expand its coverage and to address changing threats and requirements. FTC management recognizes that continued vigilance, and resource investment is required to protect the data entrusted to its care and secure the availability and integrity othe inormation technology (T) systems that are critical to the agency's ability to successully complete its missions. The FTC Oice onormation Technology Management (TM) is continuing its eort to update its security policies and procedures. This eort is integrated with the FTC Privacy Program. ntegration othe FTC normation and Privacy programs will result in stronger protection than independent program eorts. The OG analysis othe current FTC securi privacy control environment identiied indings. The indings related t 1! The ollowing table lists the indings and recommendations developed through this FY 2008 FSMA evaluation. JlJ FOR OFFCAL USE ONLY 1 i

9 , V FOR OFFCAL USE ONLY i [! i! i

10 i! v FOR OFFCAL USE ONLY!

11 1.0 BACKGROUND The Federal Trade Commission (FTC) is an independent agencyresponsible or the administration oa variety ostatutes that are designed to promote competition and to protect the public rom unair and deceptive acts and practices in the advertising and marketing ogoods and services. These responsibilities oten result in the accumulation ovast quantities orecords, some owhich contain sensitive inormation. Automated inormation systems have been developed to assist FTC stain conducting their law enorcement and management eorts. DACTE Access to selected m ormaton S aval a e to e pu C on a rea -on y ass Va the nternet. The agency also relies on automated.iles and records to pay its employees and vendors, process personnel transactions, and perorm other "housekeeping" unctions ormally perormed manually. n the past ew years, the FTC has expanded its use othe nternet to support publicocused missions such as establishment othe "Do Not Call Registry" and collecting complaints regarding companies, business practices, identity thet, and episodes o violence in the media. The implementation othese mission-support systems increased the need or the FTC to establish and maintain an inormation security environment that both protects inormation assets (hardware, sotware, data) without being so restrictive that it limits intended use by the general public. The normation and Technology Management OTM) Oice, in the Oice othe Executive Director, is responsible or the technological inrastructure and the oice systems that provide the FTC with the tools and the inormation needed to conduct and manage its consumer protection and competition missions. The Federal normation Security Management Act o2002 (FSMA) provides a comprehensive ramework or ensuring the eectiveness otechnical, administrative, and physical security controls over inormation resources that support Federal operations and assets. FSMA requires an annual assessment ocompliance with requirements and related inormation security policies, procedures, standards, and guidelines. The assessments are meant to provide agency senior management and others with the inormation needed to determine the eectiveness ooverall security programs, ensure the conidentiality and integrityodata entrusted to the FTC, and to develop strategieslbest practices or cost eectively improving inormation security. The Oice omanagement and Budget (OMB) through Circular A-130, Management o Federal normation Resources, Appendix ll, provides guidance to ederal agencies regarding the implementation ofsma requirements. OMB Circular A-130 emphasizes that, under FSMA, Agencies are required to implement, maintain, and enhance an automated inormation assurance program, including the preparation opolicies, 1 FOR OFFCAL USE ONLY 1,! i

12 standards, and procedures or providing inormation security and monitoring program eectiveness. Establishing and maintaining an eective inormation security program is an important managerial responsibility. The OMB also provides guidance regarding the scope and inormation to be reported through the annual FSMA assessments. n 2008, OMB guidance expanded the scope othe annual FSMA assessments to address concerns regarding the protection aorded inormation related to individuals (i.e., privacy data). A critical component othe FSMA inormation assurance program monitoring requirements is an independent assessment oprogram eectiveness by the nspector General (G) othe respective ederal agency. This assessment is intended to identiy weaknesses in agency programs, provide recommendations or corrective actions, and monitor agency success in maintaining the security oagency inormation assets (hardware, sotware, data, and system availability). An independent assessment is especially critical because threats to ederal inormation assets are continuously changing as technology evolves and the number and complexity oattacks on ederal systems is increasing. The independent assessment provides an opportunity to examine security controls and security planning and ensure that the controls are addressing the changed security environment and the increased ocus on protecting inormation related to individual privacy. This report provides the results othe independent evaluation othe FTC inormation security environment by the Oice othe nspector General (OG). The results are current as oseptember 30,2008 and provide the evaluation othe adequacy othe FTC's inormation security program and practices or iscal year 2008 (FY 2008)., ~! t 2 FOR OFFCAL USE ONLY

13 . 2.0 SCOPE To accomplish this FSMA evaluation, the ora reviewed F'C security policies, procedures, and practices and conducted an assessment oftc security controls in the ollowing areas: This assessment ocused on the F'C procedures and practices used to maintain and evolve its inonnation security controls. This approach provides an assessment othe capability to maintain eective security as well as a "snapshot" othe status othe F'C security environment.!! i 3 FOR OFFCAL USE ONLY l 1

14 3.0 OBJECTlVE(S) The objectives othis evaluation are to provide- All analyses were perormed in accordance with the ollowing guidance: l. Oice omanagement and Budget (OMB) Memorandum M-05-15, Reporting nstructions or the Federal normation Security Management Act, June 13, 2005; 2. DMB M-06-20, FY2006Reportinglnstructionsor the Federal normation Security Management Act andagency Privacy Management, July 27,2007; 3. OMB M-08-09, New FSMA Privacy Reporting Requirementsor FY2008, January 18, 2008; 4. OMB M-08-21, FY 2008 Reporting nstructions or the Federal normation Security Management Act and Agency Privacy Management, July 14, 2008; 5. FTC policies and procedures 6. National nstitute ostandards and Technology (NS) Special Publication (SP) , Guideor Developing Security Plansor normation Technology Systems, December 1998; 7. NSTSP , Risk Management Guideor normation Technology Systems, July 2004; 8. NSTSP , Contingency Planning Guideor normation Technology Systems, June 2002; 9. NST SP , Guideor the Security Certiication andaccreditation o Federal normation S:vstems, May 2004; 4 FOR OFFCAL USE ONLY ; ; 1., r

15 10. NSTSP , Recommended Security Controls or Federal normation Systems, Rev. 1, Dec 2006; 11. NSTSP A, Guideor Assessing the Security Controls in Federal normation Systems, June 2008; 12. Federal nonnation Processing Standards (FPS) Publication (PUB) 199, Standards or Security Categorization ofederal normation andnormation Systems, February 2004; 13. Small Agency Council Memorandum SACCO-05-l; 14. Quality Standards or nspection issued by the President's Council on ntegrity and Eiciency; 15. GAO, Federal normation System Controls Audit Manual, Volume : Financial Statement Audits, January 1999; 16. FTC/OG guidance; 17.0MB Memorandum M-03-22, Guidanceor mplementing Privacy Provisions o the E-Government Act o2002; and 18.0MB Guidance M-04-15, Guidanceor Development ohomeland Security Directive (HSPD) - 7 Critical nrastructure Protection Plans to Protect Federal nrastructure and Key Resources. This evaluation was conducted rom June, 2008 through September, FOR OFFCAL USE ONLY ~.

16 4.0 Methodology This evaluation constitutes the annual evaluation required by the OMB and conorms to the requirements and guidance provided by the National nstitute ostandards and Technology (NST) through Federal normation Processing Standards (e.g., FPS 199 and 200) and series 800 Special Publications (e.g., SP , A). The ollowing methodology was used to conduct the overall security control evaluation. Planned the Evaluation - Developed a project plan that delineated the evaluation approach and areas oconcern or the FY 2008 assessment; Collected available published data - Documents containing data relevant to the evaluation was collected. This included: e mtent 0 S an YSS was to denh changes in FTC security practices and procedures implemented since the completion othe FY 2007 FSMA assessment; nterviewed FTC sta- Conducted interviews oftc stato validate documentation, discuss identiied concerns, and evaluate the level osenior management involvement with security planning and perormance. The FTC sta interviewed included the Chienormation Oicer (CO), the Chienonnation Security Oicer (CrSO), ChiePrivacy Oicer (CPO) and members othe TM; 6 FOR OFFCAL USE ONLY

17 Developed preliminary indings - Evaluated the data collected and discussed indings and recommendations with FTC sta. This ensured the accuracy o indings and viability orecommendations; and Prepared FY 2008 FSMA report - The inormation collected and the associated indings and recommendations were used to prepare this FY 2008 FC FSMA report.! 1 it ~ 7 FOR OFFCAL USE ONLY!,.,! j ~

18 5.0 GENERAL OVERVEW n general, the FTC security program is strong and robust. ~ REDACTED REDACTED The level oawareness osecurity issues and e concern or protecting assets S igh. There are procedures in place to monitor program perormance and to quickly respond to identiied vulnerabilities and opportunities or pro am enhancement. For example, during the course o evaluation,/. REDACTED D The FTC inormation security ard privacy programs need to continue to evolve and enhance their control environments. FSMA expanded the security coverage rom a ocus on computer system security to a ocus on inormation security. The expansion othe scopeothe FSMA evaluations was urther exparded this year with the additionoareas oconcern speciic to protection opersona dentiiable normation (pm. This. " - REDACTED contmumg expanson) REDACTED i! t 8 FOR OFFCAL USE ONLY! ~ t

19 1 The FTC is perceived as a ocus osecurity inonnation by the general public. The public looks to the FTC to provide inormation as to how to protect its inormation assets rom threats such as identity thet and to protect their privacy through activities such as the Do Not Call Registry. This perception is crucial to the FTC's ability to obtain the inonnation and public support it needs to eectively complete its missions. Public conidence in the FTC's ability to protect inonnation requires a continuing ocus on security and privacy. The FTC management's continuing emphasis on providing a secure computing environment shows that it recognizes the importance osecurity and privacy controls to the successul completion oits missions. j j 9 FOR OFFCAL USE ONLY, i i j 1 t[,

20 6.0 Findings and Recommendations This section presents indings and recommendations developed through the FY 2008 FSMA evaluation. i j t! 10 FOR OFFCAL USE ONLY!

21 1 t r 11 FOR OFFCAL USE ONLY! r j ~.

22 ! i!,! 12 FOR OFFCAL USE ONLY 1 ;

23 Cb)6-) REDACTED 13 FOR OFFCAL USE ONLY

24 14 FOR OFFCAL USE ONiY!! i t 1!

25 S FOR OFFCAL USE ONLY

26 i Recommendation: None. Agency Response: No response required. l! t 16 FOR OFFCAL USE ONLY [ ~ t

27 17 FOR OFFCAL USE ONLY,, t

28 Agency Response: 18 FOR OFFCAL USE ONLY

29 ![ i l 1, r t 1 1i 19 FOR OFFCAL USE ONLY i

30 i!!i i 20 FOR OFFCAL USE ONLY J!

31 l j 21 FOR OFFCAL USE ONLY, i 1! t

32 i j! REDACTED 22 FOR OFFCrAL USE ONLY!! t! ;

33 23 FOR OFFCAL USE ONLY

34 3 FAR case FOR OFFCAL USE ONLY i

35 7.0 STATUS OF FSCALYEAR 2007 RECOMMENDATONS n its FY 2007 FSMA report, the OG ide r.... ~~~::: environment. j 25 FOR OFFCAL USE ONLY

36 j j i!t 1 26 FOR OFFCAL USE ONLY! i. i

37 i t l 27 FOR OFFCAL USE ONLY!

38 28 FOR OFFCAL USE ONLY!!! ~, '

39 29 FOR OFFCAL USE ONLY

40 30 FOR OFFCAL USE ONLY i 1 1 i r

41 31 FOR OFFCAL USE ONLY J!! 1t!

42 32 FOR OFFCAL USE ONLY

43 ! r 1! 33 FOR OFFCAL USE ONLY 1 1 j :

44 i! t t 34 FOR OFFCAL USE ONLY t

45 8.0 SUMMARY OF FNDNGS AND RECOMMENDATONS The FC security environment is robust an i i! FOR OFFCAL USE ONLY ; 1 t r

46 36 FOR OFFCAL USE ONLY

47 !,! 37 FOR OFFCAL USE ONLY t