AUDIT OF SBA S EMAIL SYSTEM AUDIT REPORT NUMBER 4-42 SEPTEMBER 10, 2004



Similar documents
U.S. SMALL BUSINESS ADMINISTRATION OFFICE OF INSPECTOR GENERAL WASHINGTON, D.C

ADVISORY MEMORANDUM REPORT ON DEVELOPMENT OF THE LOAN MONITORING SYSTEM ADVISORY REPORT NUMBER A1-03 FEBRUARY 23, 2001

AUDIT OF SBA S COMPLIANCE WITH JOINT FINANCIAL MANAGEMENT IMPROVEMENT PROGRAM PROPERTY MANAGEMENT SYSTEM REQUIREMENTS AUDIT REPORT NUMBER 3-34

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

AUDIT REPORT. Federal Energy Regulatory Commission's Fiscal Year 2014 Financial Statement Audit

AUDIT REPORT. Federal Energy Regulatory Commission s Unclassified Cybersecurity Program 2015

March 17, 2015 OIG-15-43

REPORT ON INDEPENDENT EVALUATION AND ASSESSMENT OF INTERNAL CONTROL FOR CONTRACT OVERSIGHT

Department of Homeland Security

AUDIT OF DEFICIENCIES IN OFA s PURCHASE REVIEW PROCESS FOR BACKLOGGED LOANS. Audit Report Number: 6-35

AUDIT OF AN SBA GUARANTEED LOAN TO IROM CNC MACHINING, INC. AND IROM IMAGING, INC. Report Number: 7-17

Management Advisory Report. PLP Processing Restrictions for Paying off Existing SBA Debt in a Change of Ownership Transaction

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

ASSESSMENT REPORT GPO WORKERS COMPENSATION PROGRAM. September 30, 2009

INTERNATIONAL BUSINESS COLLEGE'S ADMINISTRATION OF TITLE IV STUDENT FINANCIAL ASSISTANCE PROGRAMS

In Brief. Smithsonian Institution Office of the Inspector General

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Controls Over EPA s Compass Financial System Need to Be Improved

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Department of Defense INSTRUCTION. SUBJECT: Government Accountability Office (GAO) Reviews and Reports

Department of Homeland Security Office of Inspector General

Final Audit Report -- CAUTION --

CHIEF POSTAL INSPECTOR. Management Alert Watch Desk Notifications (Report Number HR-MA )

) ) ) ) ) ) ) ) ) ) )

Office of Inspector General

How To Audit The Mint'S Information Technology

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

MEMORANDUM OF UNDERSTANDING Between Defense Contract Audit Agency and Department of Homeland Security

Review of U.S. Coast Guard's FY 2014 Drug Control Performance Summary Report

AUDIT REPORT Audit of Controls over GPO s Fleet Credit Card Program. September 28, 2012

Report of Audit. FCA s Student Loan Repayment Program A OFFICE OF INSPECTOR GENERAL. Auditor in Charge Tammy Rapp. Issued September 23, 2013

Department of Homeland Security Office of Inspector General

SECURITY WEAKNESSES IN DOT S COMMON OPERATING ENVIRONMENT EXPOSE ITS SYSTEMS AND DATA TO COMPROMISE

Audit of Case Activity Tracking System Security Report No. OIG-AMR

United States Department of Agriculture Office of Inspector General

Performance Audit Report

Department of Homeland Security

NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION. Opportunities to Strengthen Internal Controls Over Improper Payments PUBLIC RELEASE

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

Final Audit Report. Report No. 4A-CI-OO

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL 400 MARYLAND AVENUE, S.W. WASHINGTON, DC

Transcription:

AUDIT OF SBA S EMAIL SYSTEM AUDIT REPORT NUMBER 4-42 SEPTEMBER 10, 2004 This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION OFFICE OF INSPECTOR GENERAL WASHINGTON, D.C. 20416 AUDIT REPORT Issue Date: September 10, 2004 Number: 4-42 To: Stephen D. Galvan Chief Information Officer From: Subject: Robert G. Seabrooks, Assistant Inspector General for Auditing Audit of SBA s Email System Attached is the public version of the audit report on SBA s Exchange Email system issued by Cotton & Company LLP. The report was issued as LIMITED-OFFICIAL-USE. Distribution of the full report requires specific authorization by the SBA Office of Chief Information Officer (OCIO) or SBA Office of the Inspector General (OIG). The auditors reviewed the SBA s Exchange Email System settings and configurations against standards issued by the National Security Administration (NSA) specifically for Microsoft Exchange email systems. The auditors concluded that SBA s Exchange Email system server was vulnerable [FOIA Ex. 2]. SBA was in general agreement with the findings and recommendations, but did not provide a written response to the draft audit report. Actions to address the finding and recommendations will be evaluated during the audit resolution process. The findings in this report are based on the auditors conclusions and the report recommendations are subject to review, management decision and action by your office in accordance with existing Agency procedures for follow-up and resolution. Please provide us your proposed management decisions by October 31, 2004 on the attached SBA Forms 1824, Recommendation Action Sheet. If you disagree with the recommendations, please provide your reasons in writing.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, Information Technology and Financial Management Group at (202) 205-[FOIA Ex. 2]. Attachments

September 9, 2004 Subject: Audit of SBA s E-Mail System at the U.S. Small Business Administration We were engaged to conduct a performance audit of the Exchange E-Mail System at the U.S. Small Business Administration (SBA). We utilized the NSA Guide to the Secure Configuration and Administration of Microsoft Exchange 5.x as criteria for this project. The objective of our work was not to provide assurance on overall internal control. Consequently, we do not provide an opinion on internal control. This report is intended solely for the information and use of SBA management. We would like to express our appreciation to the SBA representatives who assisted us in completing our work. They were always courteous, helpful, and professional. If you have any questions or comments about this report, please contact me at your convenience. Thank you. Very truly yours, COTTON & COMPANY LLP /S/ Loren Schwartz, CPA, CISA

PERFORMANCE AUDIT OF THE EXCHANGE E-MAIL SYSTEM AT U.S. SMALL BUSINESS ADMINISTRATION HEADQUARTERS BACKGROUND EXECUTIVE SUMMARY Cotton & Company LLP was engaged by the Office of the Inspector General, U.S. Small Business Administration (SBA), to conduct an audit of certain components of SBA s general support system. This report specifically covers our review of the SBA Exchange E-Mail System at SBA headquarters. The Exchange E-Mail System is deemed critical to the SBA s operations. OBJECTIVE, SCOPE, AND METHODOLOGY The overall objective of our audit was to review existing information security controls and identify weaknesses impacting certain components of the Exchange E-Mail System. Our review was not intended to result in the issuance of an opinion, and we do not issue an opinion as defined by the American Institute of Certified Public Accountants. We reviewed the configurable settings, management controls, and policies and procedures surrounding the email exchange server at SBA headquarters. We used the following criteria for our review: NSA Guide to the Secure Configuration and Administration of Microsoft Exchange 5.x. We conducted this review in accordance with Generally Accepted Government Auditing Standards for Performance Audits and accordingly, we performed such tests and other auditing procedures as necessary to meet the review objective. A review of the entire internal control structure was not required for the scope of this audit. We performed fieldwork from March through June 2004 at SBA headquarters located in Washington, D.C., and at Cotton & Company s Alexandria, Virginia, office. SUMMARY OF FINDINGS AND RECOMMENDATIONS [FOIA Ex. 2]. We recommend that SBA take actions to minimize the risk of security deficiencies by correcting the deficiencies disclosed in this report. Specific recommendations are detailed in the results section of this report.

ATTACHMENT A PUBLIC REPORT DISTRIBUTION Recipient Copies Associate Deputy Administrator for Management & Administration 1 General Counsel 3 Government Accountability Office 1 Office of the Chief Financial Officer Attention: Jeff Brown 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information