Office of Inspector General



Similar documents
Office of Inspector General

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Evaluation Report. Office of Inspector General

Office of Inspector General

Office of Inspector General

Office of Inspector General

U.S. Chemical Safety and Hazard Investigation Board Should Determine the Cost Effectiveness of Performing Improper Payment Recovery Audits

How To Audit The Mint'S Information Technology

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Do Not Pay Business Center audit

Office of Inspector General

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

AUDIT REPORT Audit of Controls over GPO s Fleet Credit Card Program. September 28, 2012

Office of Inspector General

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Financial Management Service. Privacy Impact Assessment

Audit of the Administrative and Loan Accounting Center, Austin, Texas

PROCUREMENT. Actions Needed to Enhance Training and Certification Requirements for Contracting Officer Representatives OIG-12-3

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

Office of Inspector General Office of Audit

AUDIT OF THE ACCOUNTS PAYABLE OPERATIONS IN WASHINGTON, D.C.

U.S. Department of Agriculture Office of Inspector General. Single-Family Housing Direct Loans Recovery Act Controls Phase II

Office of Inspector General Audit Report

How To Check If Nasa Can Protect Itself From Hackers

Audit Report. U.S. Department of Agriculture. Office of Homeland Security Allocation and Use of Homeland Security Funds

SUBJECT: Audit Report Disaster Recovery Capabilities of the Enterprise Payment Switch (Report Number IS-AR )

Department of Labor U.S. Office of Inspector General Office of Audit AUDIT OF WORKFORCE INVESTMENT ACT DATA VALIDATION FOR THE ADULT

Office of Inspector General

Office of Audits and Evaluations Report No. AUD The FDIC s Controls over Business Unit- Led Application Development Activities

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

January 2008 Report No. EVAL Evaluation of Contract Rationalization

September 8, Dr. Hobson Wildenthal, President ad interim Ms. Lisa Choate, Chair of the Institutional Audit Committee:

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

U.S. Department of Agriculture Office of Inspector General Financial and IT Operations Audit Report

Review of the SEC s Systems Certification and Accreditation Process

Department of Homeland Security

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Office of Inspector General

United States Department of Agriculture. OFFICE OF INSPECTOR GENERAl

2014 Audit of the Board s Information Security Program

Office of Inspector General

Navy s Contract/Vendor Pay Process Was Not Auditable

Office of Inspector General

Office of Inspector General

AUDIT OF THE MILLENNIUM CHALLENGE CORPORATION S CONTRACT MANAGEMENT PROCESS

The Transportation Security Administration Does Not Properly Manage Its Airport Screening Equipment Maintenance Program

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

December 2014 Report No An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Final Audit Report -- CAUTION --

Audit of Controls over Government Property Provided under Federal Student Aid Contracts FINAL AUDIT REPORT

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, C.P.A., C.I.A. AUDITOR GENERAL ENTERPRISE DATA WAREHOUSE

Controls Over EPA s Compass Financial System Need to Be Improved

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

EPA Can Better Assure Continued Operations at National Computer Center Through Complete and Up-to-Date Documentation for Contingency Planning

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Information Security Series: Security Practices. Integrated Contract Management System

Office of Inspector General

DODIG July 18, Navy Did Not Develop Processes in the Navy Enterprise Resource Planning System to Account for Military Equipment Assets

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

GOVERNANCE: Enhanced Controls Needed To Avoid Duplicate Payments

Audit Report. Office of Inspector General. Department of the Treasury

DoD Financial Management Regulation Volume 12, Chapter 5 September 1996 CHAPTER 5 GRANTS AND COOPERATIVE AGREEMENTS

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

May 2011 Report No An Audit Report on Substance Abuse Program Contract Monitoring at the Department of State Health Services

Office of Inspector General

Audit of EPA s Fiscal Years 2015 and 2014 Consolidated Financial Statements

DoD Needs an Effective Process to Identify Cloud Computing Service Contracts

Metropolitan Community College s Administration of the Title IV Programs FINAL AUDIT REPORT

EPA Regional Offices Need to More Consistently Conduct Required Annual Reviews of Clean Water State Revolving Funds

AUDIT OF THE CORPORATION S PROCUREMENT AND TRAVEL CREDIT CARD PROGRAMS

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

School Council Funds Management Guide

Office of Inspector General Evaluation of the Consumer Financial Protection Bureau s Consumer Response Unit

SOCIAL SECURITY. July 19, 2004

FEDERAL ELECTION COMMISSION OFFICE OF INSPECTOR GENERAL

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

AUDIT OF AN SBA GUARANTEED LOAN TO. [ Exemption 6 ] DBA L & L LEGAL ASSISTANCE. San Francisco, California. Audit Report Number: 7-09

Final Audit Report. Report No. 4A-CI-OO

June 2008 Report No An Audit Report on The Department of Information Resources and the Consolidation of the State s Data Centers

Office of Inspector General Audit Report

Department of Homeland Security Office of Inspector General

Gwinnett County, Georgia, Generally Accounted for and Expended FEMA Public Assistance Grant Funds According to Federal Requirements

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

DoD Methodologies to Identify Improper Payments in the Military Health Benefits and Commercial Pay Programs Need Improvement

AUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS

OFFICE OF INSPECTOR GENERAL. Audit Report

Recovering Student Loan Assets From Closed School

Office of Inspector General

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

INFORMATION TECHNOLOGY: Reservation System Infrastructure Updated, but Future System Sustainability Remains an Issue

Transcription:

Audit Report OIG-12-052 INFORMATION TECHNOLOGY: Financial Management Service Successfully Demonstrated Recovery Capability for Treasury Web Application Infrastructure May 11, 2012 Office of Inspector General Department of the Treasury

Contents Audit Report Results in Brief... 1 Background... 2 Findings and Recommendations... 4 GWA and SAM Did Not Fully Complete Reconstitution Test Objectives... 4 Recommendation... 5 TWAI Documentation Could Be Improved... 6 Recommendation... 7 Appendices Appendix 1: Objectives, Scope, and Methodology... 9 Appendix 2: Management Response... 10 Appendix 3: Major Contributors to This Report... 12 Appendix 4: Report Distribution... 13 Abbreviations DRE EROC FRB FMS GWA ITS NIST OIG SAM SRDF TD P TWAI Disaster Recovery Exercise East Rutherford Operations Center Federal Reserve Bank Financial Management Service Government-wide Accounting International Treasury Services National Institute of Standards and Technology Office of Inspector General Shared Accounting Module Symmetrix Remote Data Facility Treasury Directive Publication Treasury Web Application Infrastructure Financial Management Service Successfully Demonstrated Recovery Capability Page i

This Page Intentionally Left Blank Financial Management Service Successfully Demonstrated Recovery Capability Page ii

OIG The Department of the Treasury Office of Inspector General Audit Report May 11, 2012 Results in Brief David A. Lebryk Commissioner Financial Management Service The overall objective of this audit was to determine if the Financial Management Service (FMS) could successfully demonstrate its disaster recovery capability for the Treasury Web Application Infrastructure (TWAI). To accomplish our objective, we reviewed planning documentation for the disaster recovery exercise (DRE), observed the exercise held at the Federal Reserve Bank (FRB) of Dallas on February 12, 2011, performed a limited security assessment of the facility while on site, and reviewed the DRE results report afterward. We performed our fieldwork in the Washington, DC, metropolitan area and Dallas, Texas, from January 2011 through March 2012. The audit was conducted in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are described in more detail in appendix 1. We found that FMS successfully demonstrated its disaster recovery capability for TWAI. However, we found that two TWAI applications, Government-Wide Accounting 1 (GWA) and Shared Accounting Module 2 (SAM), did not complete 1 of 3 DRE reconstitution test objectives. Additionally, we found that TWAI documentation could be improved to include information required by the National Institute of Standards and Technology (NIST) and the Department. We are making two recommendations to the Commissioner of FMS to address these findings. 1 GWA uses web technology to simplify the reporting and reconciliation processes of Federal agencies. 2 SAM is a central repository for accounting business rules. These rules are used to validate data it receives from other programs and sends reports to GWA. Financial Management Service Successfully Demonstrated Recovery Capability Page 1

In a written response to a draft copy of this report, the Commissioner agreed with our findings and recommendations and provided plans for corrective actions (see appendix 2). With respect to GWA and SAM not completing 1 of 3 DRE reconstitution test objectives, FMS officials told us that the original issue has been fixed with the implementation of the latest software release on April 14, 2012. With regard to TWAI documentation needing improvement to include NIST and the Department s requirements, FMS management stated that they developed and issued an FMS TWAI Contingency Plan template and Contingency Plan Test Results template in the NIST suggested format in November 2011 and October 2011, respectively. FMS s corrective actions, if implemented as described, meet the intent of our recommendations. Background FMS provides central payment services to federal program agencies, operates the federal government's collections and deposit systems, and oversees a daily cash flow of $89 billion. FMS maintains multiple financial and information systems to help it process and reconcile monies disbursed and collected by government agencies. One such system is TWAI, a secure application infrastructure with internet and dedicated telecommunications connectivity. FMS has 14 computer applications that rely on TWAI for common infrastructure services. Eight of those applications are hosted in the FRB facility in East Rutherford, New Jersey known as the East Rutherford Operations Center (EROC), and six are hosted in the FRB facility in Dallas, Texas. The eight applications hosted in EROC use Dallas as their alternate processing site in the event of a disaster, and those hosted in Dallas use EROC as their alternate processing site. On February 12, 2011, FMS ran a DRE to verify that the eight TWAI applications hosted in EROC could be recovered to perform their functions at the alternate processing site in Dallas, and then return to their primary site. Financial Management Service Successfully Demonstrated Recovery Capability Page 2

The eight TWAI applications tested as part of this DRE were: Cash Track Web This application supports several cash management activities for Treasury. GWA This application uses web technology to simplify the reporting and reconciliation processes of federal agencies. Intra-Governmental Payment and Collections This application provides a standard interagency fund transfer mechanism for federal program agencies. Internet Payment Platform This application provides a centralized electronic invoicing and payment information portal to agencies, payment recipients, and FMS. International Treasury Services (ITS) This application is a portal for government international payments and collections. SAM This is application is a central repository for accounting business rules, used to classify and validate data provided by feeder systems and report to GWA. Treasury General Account Deposit Reporting Network This application allows agency personnel to prepare electronic deposit reports and provides financial institutions and FRBs with the ability to confirm deposits, create adjustments, and submit confirmed deposits and adjustments. Treasury Tax and Loan Plus This application provides financial institutions and federal agencies with the ability to download forms and reports, enter federal tax deposits, make changes to existing financial information, upload files, and receive messages. Each application team has its own contingency plan to follow in the event of a disaster. After recovering to the alternate site in response to a disaster, applications reconstitute at their primary site to resume normal operations. Part of each application s contingency plan test was a reconstitution phase consisting of three objectives: (1) Symmetrix Remote Data Facility (SRDF) to Financial Management Service Successfully Demonstrated Recovery Capability Page 3

Primary, (2) Sorry Page Reconstitution, and (3) EROC Primary Application. The three objectives were not dependent on one another for their individual success. The goal of the SRDF to Primary objective was to replicate data from the contingency site to the primary site. The Sorry Page Reconstitution objective was to ensure that users are redirected to a sorry page if the application is unavailable. Lastly, the objective of EROC Primary Application was to verify that the application was working correctly at EROC, the primary processing site. We reviewed the Information Technology Contingency Plans 3 for each of the eight applications being tested, as well as the TWAI Information Technology Contingency Plan for completeness. Each contingency plan we reviewed contained information on recovering its particular information system s operation from EROC to Dallas. We also reviewed the DRE results report, East Rutherford Operations Center to Dallas Disaster Recovery Exercise Results (March 2011). The results report contained a narrative description of the DRE, metrics describing how long each application took to achieve particular goals, action items, and lessons learned. Findings and Recommendations Finding 1 GWA and SAM Did Not Fully Complete Reconstitution Test Objectives Although FMS successfully demonstrated its disaster recovery capability for TWAI, we found that GWA and SAM did not complete 1 of 3 DRE reconstitution test objectives. Specifically, the SRDF to Primary test objective was aborted for GWA and SAM during the exercise. The goal of the SRDF to Primary objective was to replicate data from the alternate processing site in Dallas to the primary site in EROC. For GWA and SAM, part of this objective was to transfer a file from GWA to SAM. The file transfer was unsuccessful. During the DRE, FMS management was unable to determine the cause of the file transfer error. Therefore, FMS management made a risk-based decision to abort the test objective 3 A contingency plan for an information system provides established procedures for the assessment and recovery of a system following a disruption. Financial Management Service Successfully Demonstrated Recovery Capability Page 4

and open a trouble ticket to investigate the error after the DRE ended. According to the TWAI East Rutherford Operations Center to Dallas Contingency Disaster Recovery Exercise Objectives (January 25, 2011), Recovery/Reconstitution is the reconstitution method for both GWA and SAM. This means that for GWA and SAM to be considered fully successful in meeting their DRE objectives, each application must complete data replication from the alternate processing site to the primary site. FMS management ultimately attributed the cause for the file transfer error to an improperly formatted database command. At the time of the DRE, the cause of the file transfer error was not apparent. After the DRE, an FMS investigation found the database command that was entered at the primary site was missing a pair of quote marks, 4 resulting in the file transfer error. The only data validation procedure in place at the time was to have a second person review the input. When the data was entered, neither the operator nor the reviewer caught the missing quote marks. As a result, the incorrectly formatted data caused an error with two applications, GWA and SAM, which prompted FMS management to abort the objective. If the file transfer had succeeded, GWA and SAM would have successfully reconstituted in EROC and met the SRDF to Primary test objective. In a real disaster, this error would have delayed reconstitution in the primary processing site while the problem was investigated and fixed. Recommendation We recommend that the Commissioner of FMS, in a timely manner, identify a solution to remedy the cause of the file transfer error identified by FMS s investigation for GWA and SAM, and test and implement that solution. 4 The command entered was SET AGNCY_ID=072, and it should have been SET AGNCY_ID= 072. Financial Management Service Successfully Demonstrated Recovery Capability Page 5

Management Response FMS officials stated that the original issue has been fixed with the implementation of the latest software release on April 14, 2012. OIG Comment Management s corrective action, if implemented as described, meets the intent of our recommendation. Finding 2 TWAI Documentation Could Be Improved Based on our review of the DRE documents, we found that the TWAI documentation could be improved. Specifically, we found that the TWAI and ITS contingency plans, and the DRE results report were missing information required by NIST and the Department. For example, we found that the TWAI contingency plan did not have information on potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. Additionally, the ITS contingency plan did not include metrics to measure recovery objectives. Also, the ITS contingency plan did not make the purpose of the changes clear in its change log. Finally, the DRE results report did not include a testing point of contact and did not include a description of the DRE including expected and actual results. These elements are required by NIST Special Publication 800-53A 5 and Treasury Directive Publication (TD P) 85-01. 6 FMS management stated that NIST Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems (May 2010), was followed for contingency plans and DRE testing documentation. However, the documentation was not fully compliant with NIST Special Publication 800-53A and TD P 85-01 requirements even though FMS management was aware of them. 5 NIST Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations (June 2010) 6 TD P 85-01, Vol. 1, Treasury Information Technology Security Program (Nov. 2006) Financial Management Service Successfully Demonstrated Recovery Capability Page 6

Recommendation We recommend that the Commissioner of FMS take action to ensure that all FMS TWAI DRE documentation fully complies with NIST Special Publication 800-53A and TD P 85-01 requirements. Management Response FMS officials stated NIST allows for flexibility in implementing the guidance in its Special Publications and that FMS has taken the following corrective actions to ensure their documentation is consistent with NIST guidance: Developed and issued a required FMS TWAI Contingency Plan template for all TWAI applications in November 2011, and conducted compliance reviews against the template. Developed and issued a Contingency Plan Test Results template in October 2011 to ensure that the format for all contingency plan test results is consistent and follows the suggested NIST format, and conducted compliance reviews against the template. OIG Comment Management s corrective actions, if implemented as described, meet the intent of our recommendation. Financial Management Service Successfully Demonstrated Recovery Capability Page 7

* * * * * * I would like to extend my appreciation to the Commissioner of FMS and his staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Abdirahman Salah, Information Technology Audit Manager, at (202) 927-5763. Major contributors to this report are listed in appendix 3. /s/ Tram Jacquelyn Dang Director of Information Technology Audits Financial Management Service Successfully Demonstrated Recovery Capability Page 8

Appendix 1 Objectives, Scope, and Methodology The overall objective of this audit was to determine if the Financial Management Service (FMS) could successfully demonstrate its disaster recovery capability for the Treasury Web Application Infrastructure (TWAI). This audit was included in the Office of Inspector General Annual Plan for 2011. To accomplish our objective, we reviewed planning documentation related to TWAI applications and disaster recovery exercise (DRE) objectives, observed the DRE exercise held on February 12, 2011 at the Federal Reserve Bank in Dallas, Texas, performed a limited physical security assessment while on site, including walkthroughs, personnel interviews, and policy reviews, and reviewed the DRE results report prepared by FMS in March 2011. We reviewed the DRE for adherence to applicable criteria including National Institute of Standards and Technology special publications and Treasury policies to determine if the disaster recovery had been successfully demonstrated. We performed our fieldwork in the Washington, DC, metropolitan area and Dallas, Texas, from January 2011 through March 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Financial Management Service Successfully Demonstrated Recovery Capability Page 9

Appendix 2 Management Response Financial Management Service Successfully Demonstrated Recovery Capability Page 10

Appendix 2 Management Response Financial Management Service Successfully Demonstrated Recovery Capability Page 11

Appendix 3 Major Contributors to This Report Office of Information Technology (IT) Audits Tram J. Dang, Audit Director Abdirahman Salah, IT Audit Manager Dan Jensen, IT Specialist Timothy Cargill, Referencer Financial Management Service Successfully Demonstrated Recovery Capability Page 12

Appendix 4 Report Distribution Financial Management Service Commissioner Department of the Treasury Office of the Chief Information Officer Office of Strategic Planning and Performance Management Office of the Deputy Chief Financial Officer, Risk and Control Group Office of Management and Budget Office of Inspector General Budget Examiner Financial Management Service Successfully Demonstrated Recovery Capability Page 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information