Commissioners Deanna Tanner Okun, Chairman Irving A. Williamson, Vice Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Dean A.



Similar documents
The Advantages Of An Effective Network Marketing Program (ATP)

Commissioners Irving A. Williamson, Chairman Deanna Tanner Okun Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert David S.

Commissioners Meredith M. Broadbent, Chairman Dean A. Pinkert, Vice Chairman Irving Williamson David S. Johanson F. Scott Kieff Rhonda K.

Commissioners Deanna Tanner Okun, Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Irving A. Williamson Dean A.

Commissioners Irving A. Williamson, Chairman Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert David S. Johanson Meredith M.

Commissioners Irving A. Williamson, Chairman Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert David S. Johanson Meredith M.

Commissioners Deanna Tanner Okun, Chairman Irving A. Williamson, Vice Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Dean A.

PRIVACY IMPACT ASSESSMENT

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Audit of the Board s Information Security Program

RSA Authentication Manager 7.1 Basic Exercises

CHIS, Inc. Privacy General Guidelines

Audit of Case Activity Tracking System Security Report No. OIG-AMR

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

DIGIPASS Authentication for GajShield GS Series

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Information Technology Branch Access Control Technical Standard

OFFICE OF INSPECTOR GENERAL. Information Collection on USITC Internet Servers. Inspection Report OIG-IR-02-01

BlackShield ID Agent for Remote Web Workplace

Agent Configuration Guide

HIPAA. considerations with LogMeIn

Instructions for Using Secure . (SMail) via Outlook Web Access. with an RSA Token

Allianz Global Investors Remote Access Guide

Active Directory Provider User s Guide

Smithsonian Enterprises

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Access Control Policy

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

Privacy Impact Assessment Forest Service Computer Base Legacy

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Internet Information Services (IIS)

The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway

Free Multi-Factor Authentication. Using and SMS in Enterprise/Random Password Manager (E/RPM)

Office of Inspector General

Ulster University Standard Cover Sheet

Secure Access Portal. Getting Started Guide for using the Secure Access Portal. August Information Services

User Guide Remote PIV to VDI Using a PIV Card

UNITED STATES INTERNATIONAL TRADE COMMISSION WASHINGTON, DC 20436

NETWRIX IDENTITY MANAGEMENT SUITE

IIS, FTP Server and Windows

College of Education Computer Network Security Policy

Information Technology Security Procedures

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Canadian Access Federation: Trust Assertion Document (TAD)

How To Secure An Rsa Authentication Agent

User Guide Remote Access to VDI/Workplace Using PIV

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Entrust Managed Services PKI

Kerio VPN Client. User Guide. Kerio Technologies

Federal Information Security Management Act: Fiscal Year 2014 Evaluation

ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

LogMeIn HIPAA Considerations

e-governance Password Management Guidelines Draft 0.1

EMC Celerra Version 5.6 Technical Primer: Control Station Password Complexity Policy Technology Concepts and Business Considerations

RSA SECURID HEALTHCHECK

Endpoint Security VPN for Windows 32-bit/64-bit

Using Internet or Windows Explorer to Upload Your Site

A brief on Two-Factor Authentication

Multi-Factor Network Authentication

Office of Inspector General

Sage Nonprofit Online and Sage Virtual Services. Frequently Asked Questions

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

SchoolBooking SSO Integration Guide

FileCloud Security FAQ

VMware Virtual Desktop Manager User Authentication Guide

Strong Authentication for Microsoft TS Web / RD Web

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Recommendations for the PIA. Process for Enterprise Services Bus. Development

Using GhostPorts Two-Factor Authentication

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

Remote Access Policy

1.6 HOW-TO GUIDELINES

MIGRATING TO AVALANCHE 5.0 WITH MS SQL SERVER

Strong Authentication for Microsoft SharePoint

Policy on the Security of Informational Assets

University System of Maryland University of Maryland, College Park Division of Information Technology

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Remote Access Password Tips

Using GhostPorts Multi-Factor Authentication

Miami University. Payment Card Data Security Policy

CLEO NED Active Directory Integration. Version 1.2.0

Integrating LANGuardian with Active Directory

Virtual Code Authentication User s Guide. June 25, 2015

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

U.S. Department of the Interior Office of Inspector General AUDIT REPORT

DIS VPN Service Client Documentation

POSTAL REGULATORY COMMISSION

Supplier IT Security Guide

EURECOM VPN SSL for students User s guide

Secure Global Desktop (SGD)

IT Security Procedure

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Chapter 2 Security Table of Contents

Transcription:

The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States. Commissioners Deanna Tanner Okun, Chairman Irving A. Williamson, Vice Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Dean A. Pinkert

OFFICE OF INSPECTOR GENERAL UNITED STATES INTERNATIONAL TRADE COMMISSION WASHINGTON, DC 20436 VIA ELECTRONIC TRANSMISSION June 29, 2011 OIG-JJ-008 Chairman Okun: This memorandum transmits the Office of Inspector General s final report Audit of Account Management OIG-AR-11-11. In finalizing the report, we analyzed management s comments on our draft report and have included those comments in their entirety in Appendix A. This report contains eight recommendations for corrective action. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation. Thank you for the courtesies extended to my staff during this audit. Sincerely, Philip M. Heneghan Inspector General

U.S. International Trade Commission Audit Report Table of Contents Results of Audit... 1 Areas for Improvement... 2 Area for Improvement 1: Data owners should maintain permissions to restrict access to data... 2 Area for Improvement 2: Consistently configure network accounts for contractors... 3 Area for Improvement 3: Reduce the number of authentication systems in use.... 4 Management Comments and Our Analysis... 5 Objective, Scope, and Methodology... 5 Appendix A: Management Comments on Draft Report... A -i-

U.S. International Trade Commission Audit Report Results of Audit The purpose of the audit was to answer the question: Does the Commission effectively limit network access? Yes, the Commission effectively limits network access. Organizations control access to data by limiting network access, typically by requiring the use of credentials that include something the user knows, such as a user name and a password. Organizations with stronger authentication requirements also require something users physically possess, such as an authentication device or Personal Identity Verification (PIV) card. When this information is entered into a system, an authentication system checks to see that an account with the user name exists, is enabled, and verifies the password. Once authenticated, the login process is allowed to continue, and the user receives access to the data they have been permitted to modify and view. Preventing access to the network by unauthorized users is the most important component of an account management program. The Commission prevented unauthorized access by: 1. Immediately disabling accounts when users are no longer authorized to access the network; 2. Requiring the use of a hardware device, a PIN, an active user account and a strong password to access the network externally; and 3. Requiring physical identification, an active user account and a password to access the network internally. Enabled accounts allow access to the network. When users leave, these accounts should be immediately disabled to prevent unauthorized access to the network. On January 13, 2011, we performed an analysis of user accounts on the ITCNet domain, and found that no user accounts were improperly enabled. The Commission has done an effective job of removing this important means of unauthorized network access. While the Commission effectively prevents unauthorized network access, we have identified some areas where it can further improve its security controls concerning users that are authorized to access the network. These areas include maintenance of permissions to better restrict access to data, improved consistency of contractor account data, and consolidation of authentication systems. OIG-AR-11-11 1

U.S. International Trade Commission Audit Report Areas for Improvement Area for Improvement 1: Data owners should maintain permissions to restrict access to data. Commission staff and contractors access data using a variety of means, primarily through the use of intranet sites and mapped network drives. Much of this data is grouped by office, where staff in those offices work on data specific to that office. In many offices, such as Human Resources, Finance, and Investigations, the permissions granted are intended to make data accessible only to the staff of those offices. We analyzed the permissions assigned to two users that had been recently reassigned to new, permanent positions in the Commission. We found that their permissions reflected the needs of their current positions, but also inappropriately provided them with officespecific access required by their previous positions. Because permissions are typically discovered using technical tools, the owners of data may not know or control who retains access to their data. Over time, as employees are reassigned to other roles within the organization, their permissions need to be updated to reflect these new roles. If permissions are not kept up-to-date, they become a historical record of all users or accounts that ever had access to that data, instead of identifying who currently has access to the data. Our analysis of the Commission s shared files and folders identified 260,545 variations in permissions for shared data, a large number, for an organization with less than 500 users. The Commission places the responsibility for maintaining these permissions on the Chief Information Officer (CIO), but only the owners of data actually know who should have access. The maintenance of correct permissions requires a concerted effort by the functions of contracts, human resources, personnel security, and program offices to provide the CIO with status updates as they relate to accounts and their access to data. For example, when an employee is detailed or reassigned, the new program office must notify the CIO that the employee has new responsibilities which require new permissions, and the original program office must define the permissions no longer required. If this process is not implemented, users will retain access to data that their jobs do not require, and the Commission s data will be subject to unnecessary risk. To maintain correct permissions for access to Commission data, the CIO should periodically provide clear reports to data owners detailing who has access to their data, and assist in the maintenance of these permissions. Recommendation 1: That the Commission develop and implement a program to have the functions of OIG-AR-11-11 2

U.S. International Trade Commission Audit Report contracts, human resources, personnel security, program, and other administrative offices notify the CIO when employee or contractor assignment status changes require the enabling or disabling of permissions. Recommendation 2: That the Commission identify the owner of all office and division-specific data. Recommendation 3: That the CIO perform a one-time cleanup of file and folder permissions. Recommendation 4: That the CIO provide a periodic listing of permissions to data owners. Recommendation 5: That the data owners review permissions on a periodic basis to verify that all users with access are authorized. Area for Improvement 2: Consistently configure network accounts for contractors. The Commission identifies contractor accounts through several means, such as including (Contractor) in the account description, and through membership in a special Contractors group. It also sets an automatic expiration date for these accounts that is tied to the final day of the contract. These conditions allow contractor accounts to be quickly recognized and insures that access to the network does not extend beyond the contract expiration date. While analyzing contractor accounts, we found: Some members identified in the Contractors group were in fact employees; Contractors were not always identified in the account description or through contractor group membership; and Some contractor accounts were missing the expiration date associated with their contract. OIG-AR-11-11 3

U.S. International Trade Commission Audit Report The Commission has not consistently implemented its procedures to identify Contractor accounts. Because of this, it is difficult to identify Contractor accounts, increasing the risk that these accounts might not be quickly disabled upon contract expiration. Recommendation 6: That the CIO update all contractor accounts to consistently identify these accounts and their contract expiration dates. Area for Improvement 3: Reduce the number of authentication systems in use. Authentication systems make it possible to have one username and password to access multiple systems, including workstations, fileservers, and email services. Centralized authentication systems eliminate the need for users to remember and maintain multiple accounts and passwords, and reduce the labor required to manage user accounts. The CIO has effectively limited the number of authentication systems for standard users of workstations and servers in the Active Directory domain; however, the CIO has not implemented a centralized authentication system for many servers or network infrastructure devices. Currently, each of these devices maintains its own authentication infrastructure, resulting in redundant user accounts, passwords, and inefficient account management. Recommendation 7: That the CIO identify all authentication systems in use within the Commission. Recommendation 8: That the CIO evaluate opportunities to reduce the number of authentication systems in use. OIG-AR-11-11 4

U.S. International Trade Commission Audit Report Management Comments and Our Analysis On June 21, 2011, Chairman Deanna Tanner Okun provided management comments on the draft audit report. The Chairman agreed with our assessment that the Commission is effectively limiting network access, and recognized that the Commission can further enhance its security by implementing the recommendations detailed in the three areas for improvement. The Chairman s response is provided in its entirety as Appendix A. Objective: Objective, Scope, and Methodology Does the Commission effectively limit network access? Scope: On January 13, 2011, we audited the enabled accounts on ITCNet. Operational staff provided us with the account policies and listings of enabled accounts for a range of other infrastructure devices including servers, RSA authentication, and permissions for domain users of shared drives. Methodology: a. Collect and analyze enabled accounts on the ITC domain. b. Collect data for users of systems not authenticated by the ITC domain. c. Analyze logs for secondary authentication systems (hardware tokens for remote access). d. Assess and attempt to quantify different authentication systems in use. e. Analyze permissions for commonly used file shares. f. Identify user permissions unrelated to current job functions. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. OIG-AR-11-11 5

U.S. International Trade Commission Appendix Appendix A: Management Comments on Draft Report A

Thacher s Calculating Instrument developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information