Federal Communications Commission Office of Inspector General



Similar documents
Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Office of Inspector General

POSTAL REGULATORY COMMISSION

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Audit of Case Activity Tracking System Security Report No. OIG-AMR

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Final Audit Report. Report No. 4A-CI-OO

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

EPA s Computer Security Self-Assessment Process Needs Improvement

OFFICE OF INSPECTOR GENERAL

How To Audit The Mint'S Information Technology

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Audit of the Department of State Information Security Program

OFFICIAL USE ONLY. Department of Energy. DATE: January 31, 2007 Audit Report Number: OAS-L-07-06

EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

March 17, 2015 OIG-15-43

NUMBER OF MATERIAL WEAKNESSES

May 2, 2016 OIG-16-69

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

How To Check If Nasa Can Protect Itself From Hackers

Information Security Series: Security Practices. Integrated Contract Management System

The FDIC s Data Submissions through the Governmentwide Financial Report System as of September 30, 2015

Department of Homeland Security Office of Inspector General. Audit of Application Controls for FEMA's Individual Assistance Payment Application

Department of Homeland Security

Final Audit Report -- CAUTION --

CTR System Report FISMA

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

for Kimberly F. Benoit Deputy Assistant Inspector General for Information Technology and Data Analysis

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Office of Inspector General

Review of the SEC s Systems Certification and Accreditation Process

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Office of Inspector General

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

GAO INFORMATION SYSTEMS. The Status of Computer Security at the Department of Veterans Affairs. Report to the Secretary of Veterans Affairs

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Fiscal Year 2007 Federal Information Security Management Act Report

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

Improved Security Planning Needed for the Customer Technology Solutions Project

Security Self-Assessment Guide for Information Technology Systems Marianne Swanson

GAO Information Security Issues

Agency Security - What Are the Advantages and Disadvantages

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL

January 9, 2009 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS, CHIEF FINANCIAL OFFICERS, AND INSPECTORS GENERAL

Department of Veterans Affairs

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

2014 Audit of the Board s Information Security Program

Information System Security

2014 Audit of the CFPB s Information Security Program

Evaluation of DHS' Information Security Program for Fiscal Year 2014

GOVERNMENT INFORMATION SECURITY REFORM ACT STATUS OF EPA S COMPUTER SECURITY PROGRAM

Audit Report. Management of Naval Reactors' Cyber Security Program

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

NARA s Information Security Program. OIG Audit Report No October 27, 2014

FY 2001 Report to Congress on Federal Government Information Security Reform

Office of Inspector General

a GAO GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

Department of Homeland Security

Information Assurance. and Critical Infrastructure Protection

TITLE III INFORMATION SECURITY

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

Information Technology/ Information Management

MEMORANDUM FOR: Vickers B. Meadows, Assistant Secretary for Administration/Chief Information Officer, A

Legislative Language

Information Security for Managers

U.S. SECURITIES & EXCHANGE COMMISSION

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

U.S. Department of Energy Washington, D.C.

UNITED STATES COMMISSION ON CIVIL RIGHTS. Fiscal Year 2012 Federal Information Security Management Act Evaluation

OFFICE OF INSPECTOR GENERAL. Audit Report. Evaluation of the Railroad Retirement Board Medicare Contractor s Information Security

Cloud Computing Contract Clauses

FEDERAL COMMUNICATIONS COMMISSION

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Evaluation of DHS' Information Security Program for Fiscal Year 2015

United States Antarctic Program Information Resource Management Directive The USAP Information Security Program

Audit of the Board s Information Security Program

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

I. U.S. Government Privacy Laws

STATEMENT BY JOHNNIE E. FRAZIER INSPECTOR GENERAL U.S. DEPARTMENT OF COMMERCE

AUDIT OF SBA S LOAN APPLICATION TRACKING SYSTEM AUDIT REPORT NUMBER 4-18 APRIL 5, 2004

Department of Homeland Security Office of Inspector General. DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

Report of Evaluation OFFICE OF INSPECTOR GENERAL E Tammy Rapp Auditor-in-Charge FARM CREDIT ADMINISTRATION

Audit Report. Management and Security of Office of the Chief Economist Information Technology Resources. U.S. Department of Agriculture

Information Security Awareness Training and Phishing

OFFICE OF INSPECTOR GENERAL. Audit Report

Transcription:

Federal Communications Commission Office of Inspector General Report on Government Information Security Reform Act Evaluation - Findings and Recommendations Report No. 01-AUD-11-43 November 29, 2001

Executive Summary The Government Information Security Reform Act (Security Act), passed as part of the FY 2001 Defense Authorization Act (P.L. 106-398), focuses on the program management, implementation, and evaluation aspects of agency security systems. A key provision of the Security Act requires that the Inspector General (IG) perform an annual independent evaluation of the information security program of the Federal Communications Commission (FCC). The Security Act also permits the IG to select an independent evaluator to perform this evaluation. The IG contracted with KPMG, LLP to perform the independent evaluation. The objective of this independent evaluation was to examine the Commission s security program and practices. The examination included testing the effectiveness of security controls for an appropriate subset of the Commission s applications. As part of the examination, we selected the Consolidated Database System (CDBS) application for review. CDBS is a major application operated by the Commission s Mass Media Bureau (MMB). We also used the Security Act assessment tool to evaluate the effectiveness of the Commission s information security program and assess risk for each component of the program. On September 5, 2001, we issued a report, entitled FY 2001 Government Information Security Reform Act Evaluation, summarizing the results of our independent evaluation. On September 10, 2001, our report, comprised of an executive summary and an independent evaluation, was included in a package of information provided by the Commission to the Office of Management and Budget (OMB). As a result of the independent evaluation, we concluded that the Commission has a generally effective information security program with acceptable practices for managing and safeguarding the Federal Communications Commission s (FCC s) information technology assets. The purpose of this report is to communicate these findings and recommendations to FCC management. A byproduct of our Security Act evaluation, this report details the findings and provides recommendations that, when implemented, will strengthen the Commission s information security program. During the independent evaluation, we identified areas for improvement in the Commission s information security program. Specifically, we identified sixteen (16) findings in the areas of management, operational, and technical controls. Three (3) of the findings were determined to be high-risk 1 and thirteen (13) were determined to be medium risk. We recommend that the problems we identified be corrected to strengthen the agency s security program and practices. Our recommendations will correct present problems and minimize the risk that future security problems will occur. 1 Each finding was evaluated to determine its degree of exposure based on the following risk ratings. High: Security risk can cause a business disruption, if exploited. Medium: Security risk in conjunction with other events can cause a business disruption, if exploited. Low: Security risk may cause operational annoyances, if exploited. 1

On October 10, 2001, we issued a draft report summarizing the results of our audit. In that draft document, we requested that the Office of the Managing Director (OMD) and the Mass Media Bureau (MMB) respond to the findings and recommendations presented in our report. In a response dated November 9, 2001, OMD indicated concurrence with each with each of the findings and recommendations. OMD also attached a Program-Level Plan of Action and Milestones, prepared by the Information Technology Center, which resolves each finding and recommendation and identifies corrective action that has been or will be taken. We have included a copy of the response from ITC in its entirety as Appendix C to this report. In a response dated November 19, 2001, MMB agreed with each with the findings and recommendations. We have included a copy of the response from MMB in its entirety as Appendix D to this report. Because of the sensitive nature of the information contained in the appendices, we have marked them all Non-Public For Internal Use Only and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material. Background The Government Information Security Reform Act (Security Act), passed last year as part of the FY 2001 Defense Authorization Act (P.L. 106-398), amended the Paperwork Reduction Act of 1995 (PRA) by adding a new subchapter on information security. The Security Act focuses on the program management, implementation, and evaluation aspects of the security of unclassified and national security systems. Generally, the Security Act codifies existing Office of Management and Budget (OMB) security policies, Circular A-130, Appendix III, and reiterates security responsibilities outlined in the Computer Security Act of 1987, the PRA, and the Clinger-Cohen Act of 1996. In addition, the Security Act requires annual agency program reviews and annual independent evaluations for both unclassified and national security programs. A key provision of the Security Act requires that the Inspector General (IG) perform an annual independent evaluation of the information security program of the Federal Communications Commission (FCC). The Security Act also permits the IG to select an independent evaluator to perform this evaluation. The IG contracted with KPMG, LLP to perform the independent evaluation as required by the Security Act. The purpose of this review was to perform the independent evaluation of FCC s information security program and practices to ensure proper management and security for the information resources supporting the agency s operations and assets as required by the act. 2

To perform this independent evaluation, we followed the guidance as described in OMB Memorandum M-01-08, entitled Guidance on Implementing the Government Information Security Reform Act and dated January 16, 2001. Also relevant to this evaluation was guidance from OMB Memorandum M-01-24, entitled Reporting on the Government Information Security Reform Act and dated June 22, 2001. OMB M-01-24 provided the topics/questions that were required to be addressed in the IG s independent evaluation of the FCC s information security program and practices. The independent evaluation, which includes the responses to topics/questions 2 through 13, was issued as an OIG report on September 5, 2001. This document transmits the specific findings that were developed during the independent evaluation. Evaluation Objective The objective of the independent evaluation was to examine the Commission s security program and practices. The examination included testing the effectiveness of security controls for an appropriate subset of the Commission s systems. The evaluation objective also included a review of the Commission s security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management. This review was part of the Government Information Security Reform Act (Security Act) effort. The Security Act required the Inspector General (IG) to perform an annual independent evaluation of the information security program of the Federal Communications Commission (FCC). The IG contracted with KPMG, LLP to perform the independent evaluation. This report transmits the findings that were developed during the Security Act evaluation. The specific objectives of the evaluation were to: Obtain an understanding of the Commission s Information Technology (IT) infrastructure; Obtain an understanding of the Commission s information security program and practices; Use the Security Act assessment tool to evaluate the effectiveness of the Commission s information security program and assess risk for each component of the program. At a minimum, the assessment should include an identification and ranking of the critical information security threats to the FCC IT infrastructure on a risk vulnerability basis; and Prepare the annual submission in accordance with the reporting requirements mandated under the Security Act for Fiscal Year 2001. This was completed as a separate review on September 5, 2001. 3

Provide a detailed report that will (1) identify and rank the critical security risk factors and (2) contain observations and recommendations for improvements, if any. Evaluation Scope The evaluation approach consisted of reviewing documentation that included previous special reviews and audits, by conducting interviews, attending meetings, and by observations. Our procedures were designed to comply with applicable auditing standards and guidelines. These included AICPA Professional Standards, Generally Accepted Government Auditing Standards (GAGAS) as well as GAO s Federal Information Systems Control Audit Methodology (FISCAM); however, this review was intended to be a risk assessment and not a general controls review; FISCAM was used as appropriate to assess management, operational and technical controls. The scope of the evaluation included the security infrastructure managed by the Office of Managing Director s Information Technology Center (ITC) and the Auctions Automation Branch of the Wireless Telecommunications Bureau (WTB). In addition, the scope included selecting an appropriate subset of the Commission s business applications. As part of our evaluation of the FCC s Computer Security Program, we selected the Consolidated Database System (CDBS) application for review. CDBS is a major application operated by the Commission s Mass Media Bureau. The evaluation methodology used was the NIST Self-Assessment Guide questionnaire (National Institute of Standards and Technology Systems (NIST) Self-Assessment Guide for Information Technology Systems). The final NIST Self-Assessment Guide was not available until September, 2001, therefore, the draft Self-Assessment Guide was used. Our observations are organized according to NIST control areas: management controls, operational controls, technical controls. Within each control area, specific control objectives are addressed. Management Controls - Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed are: Risk Management Review of Security Controls Life Cycle Authorize Processing (Certification & Accreditation) System Security Plan Operational Controls - The operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). 4

These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed are: Personnel Security Physical and Environmental Protection Production, Input/Output Controls Contingency Planning Hardware and System Software Maintenance Data Integrity Documentation Security Awareness, Training and Education Incident Response Capability Technical Controls - Technical controls focus on security controls that the computer system executes. The controls can provide automated protection for unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The specific technical control objectives addressed are: Identification and Authentication Audit Trails Logical Access Controls Observations Our review found that the FCC has a generally effective information security program with acceptable practices for managing and safeguarding the FCC s information technology assets. Although the Commission has implemented numerous controls, we identified sixteen (16) findings that impact the effectiveness of the Commission s program. These findings occurred in the areas of management, operational, and technical controls. We recommend that the problems we identified be corrected to strengthen the agency s security program and practices. Our recommendations will correct present problems and minimize the risk that future security problems will occur. Appendix A of the report, entitled Summary of Findings, provides a summary of the findings from this review and Appendix B, entitled Detailed Findings and Recommendations, provides detailed information on the conditions identified, criteria used to evaluate the condition, effect, and recommendation(s). On October 10, 2001, we issued a draft report summarizing the results of our audit. In that draft document, we requested that the Office of the Managing Director (OMD) and the Mass Media Bureau (MMB) respond to the findings and recommendations presented in our report. 5

In a response dated November 9, 2001, OMD indicated concurrence with each with each of the findings and recommendations. OMD also attached a Program-Level Plan of Action and Milestones, prepared by the Information Technology Center, which resolves each finding and recommendation and identifies corrective action that has been or will be taken. We have included a copy of the response from ITC in its entirety as Appendix C to this report. MMB also responded to these findings. In a response dated November 19, 2001, MMB indicated concurrence with each with each of the findings and recommendations. We have included a copy of the response from MMB in its entirety as Appendix D to this report. In accordance with the Commission s directive on the management of non-public information, we have classified all appendices as Non-Public For Internal Use Only. Those persons receiving this report are expected to follow the established policies and procedures for managing and safeguarding this report in accordance with Commission directive. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information