AIR FORCE AUDIT AGENCY AIR FORCE PORTAL ACCESS AND RIGHTS MANAGEMENT AUDIT REPORT

AIR FORCE AUDIT AGENCY
AIR FORCE PORTAL ACCESS AND RIGHTS MANAGEMENT
AUDIT REPORT F2008-0003-FB4000
22 February 2008

Executive Summary

INTRODUCTION

The Air Force Portal (AFP) provides authorized Air Force users with essential online access to timely, accurate, and trusted information and information technology services over a secured network. The AFP serves as the entry point to the Air Force's worldwide Intranet using a standard web browser. It is available to users anytime and anywhere an Internet connection is available, from .com or .mil connections. Access, based on duty status, allows entry into the AFP, while rights, based on assigned duties and responsibilities, define the nature and extent of access. Therefore, AFP administrators may grant elevated rights to personnel with information management responsibilities in the AFP. As of 1 June 2007, the AFP had over 906,000 registered users. We audited AFP access and rights because their effective management is essential to the security of Global Combat Support System-Air Force (GCSS-AF) and Air Force information.

OBJECTIVES

Our objective was to determine whether the Air Force effectively controlled user access and rights to the AFP. Specifically, we determined whether AFP access and rights were restricted to appropriate personnel.

CONCLUSIONS

The Air Force could improve management and control of AFP user access and rights. Specifically:

- Major command (MAJCOM) and installation administrators did not effectively maintain access control over the AFP. Access must be controlled to protect the confidentiality, integrity, and availability of sensitive and critical information. (Tab A, page 1)

- The AFP Designated Approving Authority (DAA) did not develop a role-based access scheme for assigning rights to the AFP. Our limited assessment of users with elevated rights did not identify any individuals with rights incompatible with their assigned roles and responsibilities; however, a documented role-based access scheme helps to ensure appropriate security measures are in place to limit AFP user access to only the information and information technology resources they need to accomplish their assigned duties. (Tab B, page 5)

RECOMMENDATIONS

We made five recommendations to improve controls over, and management of, AFP user access and rights. (Reference the individual Tabs for specific recommendations.)

MANAGEMENT'S RESPONSE

Management concurred with the audit results, and actions taken corrected the issues identified.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

The Federal Information Security Management Act (FISMA), as codified in Title III of the E-Government Act of 2002, Public Law 107-347, requires each Chief Information Officer to report material weaknesses in policies, procedures, or practices annually to the Office of Management and Budget. Recommendations A.1, A.2, A.3, and B.1 in this report address corrective actions needed to improve the effectiveness of information security controls. In our opinion, the material weaknesses identified meet the requirement for establishing an Air Force Plan of Action and Milestones. In addition, we will consider these weaknesses for inclusion in our annual FISMA input to the Secretary of the Air Force and to the DoD Inspector General.

DERRICK D. H. WONG
Associate Director
Information Systems Security and Communications Division

JUDITH L. SIMON
Assistant Auditor General
Financial and Systems Audits

Table of Contents

Executive Summary
Tab A: Access Controls
Tab B: Rights Management
Appendix I: Background Information
Appendix II: Audit Scope and Prior Audit Coverage
Appendix III: Locations Audited/Reports Issued
Appendix IV: Points of Contact
Appendix V: Final Report Distribution

Tab A: Access Controls

BACKGROUND

Access controls help ensure information is accessed and changed only by authorized personnel. Information in the AFP must be restricted to authorized users who have an official need. Therefore, policies and procedures must be established to manage user accounts in Air Force information systems. The DAA [1], along with functional system owners and system developers, must ensure systems comply with access control requirements in Air Force Manual (AFMAN) 33-223, Identification and Authentication, 29 July 2005. AFMAN 33-223 requires DAAs to:

- Disable and delete all user accounts from an information system whenever the user is permanently transferred to another location or terminates employment.

- Ensure procedures are in place to notify the Network Control Center, workgroup manager, and system administrator when an employee (military, civilian, or contractor) transfers, retires, separates, or is terminated.

- Disable all accounts, excluding web application and single sign-on accounts, inactive over 45 days. DAAs must delete all disabled accounts 90 days from the date they were disabled.

The GCSS-AF Integration Framework System Security Authorization Agreement (SSAA), Appendix E, Information System Security Policy (Final), April 2005, requires that user access be explicitly authorized by an official or implicitly authorized through official duty assignments or responsibilities. Therefore, MAJCOM and/or installation AFP administrators should monitor changes in user status (retirement, separation, or termination) and deactivate accounts when appropriate.

AUDIT RESULTS 1: ACCESS CONTROLS

Condition. MAJCOM and installation administrators did not effectively maintain access control over the AFP. Specifically, administrators did not deactivate AFP user and administrator accounts of personnel who retired, separated, or were terminated.

Reconciling all active user accounts as of 20 November 2006 against personnel data retrievals [2] of retired, separated, or terminated Air Force military and civilian personnel identified accounts that remained active for:

- 85,863 (57 percent) of 150,626 retired or separated active duty personnel.

- 21,921 (31 percent) of 70,745 retired, separated, or terminated civilian personnel.

- 13,635 (18 percent) of 76,872 retired or separated National Guard and Reserve personnel.

Validating [3] the duty status of individuals for all 109 administrator accounts at 19 judgmentally selected installations identified 77 (71 percent) administrator accounts that were no longer valid. The individuals had retired, transferred, separated, or been terminated and were no longer associated with the Air Force, or were no longer performing duties requiring privileged access to the system (Table 1).

Table 1. Administrators' Duty Status Validation

Installation                                Reviewed   Retired, Transferred, Terminated   Currently Employed
Aviano Air Base (AB)                               5                                  5                    0
Cannon Air Force Base (AFB)                        3                                  3                    0
Davis-Monthan AFB                                  5                                  5                    0
Elmendorf AFB                                      9                                  8                    1
Fairchild AFB                                      3                                  1                    2
F. E. Warren AFB                                   2                                  2                    0
Hickam AFB                                         3                                  3                    0
Hurlburt Field                                     6                                  2                    4
Lackland AFB                                       7                                  3                    4
Martin State Airport (Arpt)                        1                                  0                    1
Maxwell AFB Gunter Annex                          21                                 12                    9
Moody AFB                                          1                                  1                    0
National Capital Region                            5                                  5                    0
Peterson AFB                                       5                                  3                    2
Pittsburgh Arpt/Air Reserve Station (ARS)          1                                  1                    0
Ramstein AB                                        5                                  5                    0
Randolph AFB                                       9                                  3                    6
Scott AFB                                         10                                  8                    2
Wright-Patterson AFB                               8                                  7                    1
TOTALS                                           109                                 77                   32

Cause. This condition occurred because the AFP system program office (SPO) did not provide MAJCOM and installation administrators with procedures or effective tools to monitor and deactivate AFP accounts. Consequently, administrators were not aware they were responsible for monitoring and deactivating accounts. Specifically:

- The AFP Tiered Administration User's Guide did not provide specific procedures to monitor changes in user status (retirement, separation, or termination) and deactivate accounts when needed. For example, unit out-processing checklists at 17 (89 percent) of 19 installations did not include instructions to deactivate AFP user accounts when duty status changes.

- The Web Portal Manager tool provided to administrators was not capable of extracting user account data to monitor and ensure inactive accounts were disabled after 45 days and deleted 90 days thereafter.

Impact. As a result, 49 (64 percent) of 77 administrators continued to log onto the system using their administrator accounts even after they separated or retired. Access must be controlled to protect the confidentiality, integrity, and availability of sensitive and critical information.

Recommendation A.1. The Chief, Warfighting Integration and Chief Information Officer (SAF/XC) should direct the AFP SPO to immediately deactivate the accounts of the retired, separated, and terminated users (121,419) and administrators (77) cited in this report.

Management Comments A.1. SAF/XC concurred and stated: The AFP SPO has deactivated the accounts of retired, separated, and terminated users (121,419) and administrators (77) cited in this report. CLOSED.

Recommendation A.2. SAF/XC should direct the AFP SPO to revise the AFP Tiered Administration User's Guide to include procedures for monitoring changes in AFP user status and deactivating or deleting user accounts as required by AFMAN 33-223. The procedures should require MAJCOM and installation AFP administrators to:

a. Periodically monitor changes in user status (retired, separated, or terminated) to identify dormant accounts. We suggest developing an automated process to periodically reconcile user accounts with the Air Force Personnel Center (AFPC) or other personnel database.

b. Deactivate or delete accounts after specific periods of inactivity.

c. Include a requirement to deactivate or delete user accounts in unit out-processing checklists.

Management Comments A.2. SAF/XC concurred and stated: The AFP SPO has revised the AFP Tiered Administration User's Guide to include procedures for monitoring changes in AFP user status and deactivating or deleting user accounts as required by AFMAN 33-223. CLOSED.

Recommendation A.3. SAF/XC should direct the AFP SPO to provide MAJCOM and installation administrators a tool to monitor and identify inactive user accounts.

Management Comments A.3. SAF/XC concurred and stated: The AFP SPO has provided MAJCOM and installation administrators a tool to monitor and identify inactive user accounts. CLOSED.

Evaluation of Management Comments. Management comments addressed the issues raised in the findings, and management actions taken should correct the problems identified.

Notes

[1] The Deputy Director, Warfighter Systems Integration and Deployment (SAF/XCD-2), serves as the AFP DAA.

[2] We retrieved data for retired, separated, and terminated civilian and military employees, including National Guard and Reserves, from the Military Personnel Data System (MILPDS) and Defense Civilian Personnel Data System (DCPDS) databases.

[3] There were 135 administrator accounts at the 19 judgmentally selected installations. We confirmed duty status by interviewing assigned personnel at the former administrator's unit of record. However, we were able to validate the status of only 109 administrator accounts because, in certain instances, assigned personnel could not confirm the administrator's duty status.
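The reconciliation this Tab describes (active portal accounts matched against MILPDS/DCPDS separation records, then the AFMAN 33-223 timers of disable after 45 days of inactivity and delete 90 days after disable), as an added example in Python. This is not code from the report, the AFP SPO, or any Air Force system. The two export layouts, the field names, the user IDs, and the dates are constructed for the example; the thresholds are the values the report cites. It also settles two cases the narrative leaves implicit: a separation whose effective date is still in the future is not acted on early, and an already disabled account of a user who has left is queued for deletion without waiting out the 90 days, since AFMAN 33-223 requires deletion on separation regardless.

```python
"""Reconcile portal accounts against personnel separations and inactivity.

Added example, not code from the audit report or any Air Force system. The
export layouts, user IDs, dates, and field names are constructed; the 45-day
and 90-day thresholds are the AFMAN 33-223 values the report cites.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass, field
from datetime import date, timedelta
from io import StringIO
from typing import Optional

DISABLE_AFTER = timedelta(days=45)  # disable accounts inactive over 45 days
DELETE_AFTER = timedelta(days=90)   # delete disabled accounts 90 days later
AS_OF = date(2006, 11, 20)          # the report's reconciliation date

# Constructed sample exports (assumed layouts, not real AFP or MILPDS/DCPDS data).
ACCOUNTS_TXT = """\
user_id,last_login,privileged,disabled_on
j.doe,2006-11-15,false,
a.smith,2006-09-01,true,
r.jones,2006-11-18,false,
m.lee,2006-07-01,false,2006-08-20
k.tran,2006-11-10,true,
p.wong,2006-06-30,false,2006-09-01
t.baker,2006-09-20,false,
s.cole,2006-10-06,true,
"""

SEPARATIONS_TXT = """\
user_id,effective
a.smith,2006-10-31
r.jones,2006-12-15
p.wong,2006-05-15
"""


def _date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


@dataclass
class Account:
    user_id: str
    last_login: date
    privileged: bool
    disabled_on: Optional[date]


@dataclass
class Findings:
    separated: list = field(default_factory=list)   # active account, user has left
    to_disable: list = field(default_factory=list)  # active, idle over 45 days
    to_delete: list = field(default_factory=list)   # disabled 90+ days, or user left
    privileged_separated: list = field(default_factory=list)


def load_accounts(text: str) -> list:
    """Parse the portal's account export (active and disabled accounts)."""
    return [
        Account(
            row["user_id"],
            _date(row["last_login"]),
            row["privileged"].strip().lower() == "true",
            _date(row["disabled_on"]),
        )
        for row in csv.DictReader(StringIO(text))
    ]


def load_separations(text: str) -> dict:
    """Parse the personnel export into user_id -> separation effective date."""
    return {row["user_id"]: _date(row["effective"]) for row in csv.DictReader(StringIO(text))}


def reconcile(accounts, separations, as_of: date = AS_OF) -> Findings:
    """Classify every account against the separation records and the timers."""
    f = Findings()
    for acct in accounts:
        effective = separations.get(acct.user_id)
        # A future-dated separation is not yet in effect; do not act on it early.
        has_left = effective is not None and effective <= as_of
        if acct.disabled_on is not None:
            # Already disabled: delete after 90 days, or at once if the user has left.
            if has_left or acct.disabled_on + DELETE_AFTER <= as_of:
                f.to_delete.append(acct.user_id)
            continue
        if has_left:
            f.separated.append(acct.user_id)
            if acct.privileged:  # the report's administrator-account finding
                f.privileged_separated.append(acct.user_id)
        elif as_of - acct.last_login > DISABLE_AFTER:  # "over 45 days": day 45 stays
            f.to_disable.append(acct.user_id)
    return f


def still_active_share(accounts, separations, as_of: date = AS_OF) -> tuple:
    """(separated users whose account is still active, separated users):
    the statistic the report gives per personnel category."""
    active = {a.user_id for a in accounts if a.disabled_on is None}
    left = [u for u, d in separations.items() if d <= as_of]
    return sum(u in active for u in left), len(left)


if __name__ == "__main__":
    accts = load_accounts(ACCOUNTS_TXT)
    seps = load_separations(SEPARATIONS_TXT)
    print(reconcile(accts, seps))
    print("separated users still active: %d of %d" % still_active_share(accts, seps))
```

Separation takes precedence over inactivity, so a departed user's account is reported once, under "separated", even when it is also idle; the privileged subset is listed separately because the report treats administrator accounts as the more serious finding. Running this against the constructed data as of 20 November 2006 flags a.smith (privileged, separated), t.baker (idle 61 days), m.lee (disabled 92 days) and p.wong (disabled, user separated), leaves s.cole alone at exactly 45 days idle, and ignores r.jones, whose separation is not effective until December.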

Tab B: Rights Management

BACKGROUND

National Institute of Standards and Technology Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, June 2007, calls for system administrators to enforce the most restrictive set of rights [4] or access users need to perform specific tasks. The DAA (or the Information Assurance Manager [IAM], if delegated) must develop and implement a role-based access scheme that accounts for all privileged access rights and implements the principles of least privilege and separation of duties. Under the least privilege principle, users with elevated rights are granted access only to (a) data; (b) control information, software, hardware, and firmware for which they are authorized and have a need-to-know; and (c) those roles and privileges they are authorized based on their functional duties. The DAA must also maintain visibility over all individuals assigned privileged user rights to ensure they comply with separation of duties and personnel security requirements. Privileged users are individuals with rights and capabilities beyond read [5] in an information system. For example, a privileged user assigned content publisher rights can typically read, write, add, modify, or delete files, while those assigned content manager rights can also grant publishing and management rights to other users.

AUDIT RESULTS 2: RIGHTS MANAGEMENT

Condition. The AFP DAA did not develop a role-based access scheme for assigning rights to the AFP. Specifically, although AFP security policy [6] requires rights to be explicitly authorized and assigned ("no access by default"), the DAA did not define the specific access rights and roles authorized or identify the responsible approval authority. [7] For example, AFP SPO personnel were provided elevated rights such as database and system administrator, and MAJCOM personnel were provided content publisher and manager rights. However, the security policy did not explicitly authorize these rights or define the corresponding duties and responsibilities. Further, rights were provided by default because no approval authority was officially designated. To illustrate, MAJCOMs assigned content manager and publisher rights by simply notifying the AFP SPO project manager through SAF/XC Exploitation Branch contractor personnel.

Cause. This condition occurred because neither the AFP IAM [8] nor the SPO project manager, who were delegated to prepare and maintain the security policy, was aware the policy needed to include a role-based access scheme.

Impact. A limited review of users with elevated rights did not reveal any individuals with rights incompatible with their assigned roles and responsibilities. However, a documented role-based access scheme helps to ensure appropriate security measures are in place limiting AFP user access to only the information and information technology resources they need to accomplish their assigned duties.

Recommendation B.1. SAF/XC should direct the AFP DAA to document a role-based access scheme for the AFP in the AFP security policy. As a minimum, the scheme should identify the types and levels of user access authorized in relation to the user's roles, tasks, duties, and responsibilities, and the approval authority for granting each type of access.

Management Comments B.1. SAF/XC concurred and stated: The AFP DAA has revised AFP security policy to document a role-based access scheme. The role-based access scheme in the policy identifies types and levels of user access authorized in relation to the user's roles, tasks, duties and responsibilities, and approval authority for granting each type of access. CLOSED.

Recommendation B.2. SAF/XC should require the IAM and/or the SPO project manager to re-validate rights currently granted to users against the role-based access scheme and adjust rights accordingly.

Management Comments B.2. SAF/XC concurred and stated: The IAM and the SPO project manager have re-validated and adjusted privileged access rights granted users against the role-based access scheme. CLOSED.

Evaluation of Management Comments. Management comments addressed the issues raised in the findings, and management actions taken should correct the problems identified.

Notes

[4] The privileges a user or role has on an information system.

[5] In computer terminology, read means retrieving information from a storage medium or device without altering it. For example, data is read from disk and displayed on a computer screen.

[6] GCSS-AF Integration Framework System Security Authorization Agreement (SSAA), Appendix E, Information System Security Policy (Final), April 2005.

[7] The recently released draft AFI 33-394, Web and Air Force Portal Management and Internet Use, did not assign a specific office the responsibility and authority to grant privileged access on the GCSS-AF/AFP.

[8] The IAM is a contractor assigned to the 643d Electronic Systems Squadron based at Gunter Annex, Maxwell AFB AL.

FOR OFFICIAL USE ONLY

Appendix I: Background Information

THE AIR FORCE PORTAL

A portal is an Internet website that acts as a starting point with links to many other websites. In December 2002, the Air Force launched the AFP to provide the primary means for accessing and presenting timely, accurate, and trusted information and information technology services to all personnel supporting the Air Force mission. The AFP provides self-service information access to any Air Force user through a standard web browser. The AFP is the GCSS-AF presentation layer [9] that provides core enterprise services to all applications, thus reducing the cost of developing and integrating applications while promoting security and interoperability standards. Access to sensitive data residing on the AFP should be restricted to authorized users who have an official need for the information. SAF/XC oversees the AFP and establishes policy and guidance for website content, publications, and forms.

INFORMATION ASSURANCE

The DoD defines information assurance as information operations that protect information and information systems by ensuring their confidentiality, integrity, authentication, availability, and nonrepudiation.

Confidentiality. Information is seen and accessed only by intended recipients. Confidentiality is provided primarily by protocols that use encryption.

Integrity. Information received is the same information transmitted by the originator.

Authentication. Verifying the identity of an individual or computer so that access to information can be authorized. Authentication goes hand-in-hand with confidentiality and integrity.

Availability. Information (voice, video, and data) and supporting service resources (servers, local networking infrastructure, and transport medium) are up and running when needed.

Nonrepudiation. An individual cannot deny sending or receiving information.

Notes

[9] The presentation layer is the sixth of the seven layers of the Open Systems Interconnection (OSI) reference model and is concerned with data representation and format functions (encoding, compression, and encryption). As used for the GCSS-AF, the term refers to the user-facing tier of the application architecture through which applications are presented, rather than to the OSI layer.


Appendix II: Audit Scope and Prior Audit Coverage

AUDIT SCOPE

Audit Coverage. We performed audit work at 19 judgmentally selected installations. We accomplished the work from July 2006 to June 2007 using documents (AFP user listing, AFPC database, security policy, system printouts, and out-processing checklists) dated from 1 November 1991 through 4 April 2007. We provided a draft report to management in November 2007. To accomplish the audit objectives we performed the following tests:

Access Control. We reconciled all 882,592 AFP user accounts as of 20 November 2006 by comparing accounts in the AFP database against each user's duty status in the MILPDS and DCPDS databases. In addition, at the judgmentally selected installations, we validated the duty status of all system administrators through interviews and by reviewing the functional duties they performed. Finally, we reviewed the procedures and guidance administrators used to manage user accounts.

Rights Management. We reviewed AFP security policy and other documentation to determine the specific rights and permissions authorized. Further, we interviewed SAF/XC, SPO, and Defense Information Systems Agency personnel concerning roles and privileges granted. Finally, we compared the elevated rights authorized for the AFP against those assigned to administrators.

Sampling Methodology. We used the following sampling concepts and Computer-Assisted Auditing Tools and Techniques (CAATTs) to complete this audit:

Sampling. We judgmentally selected for review Headquarters Air Force and, from each of the eight MAJCOMs and the Air National Guard, the two installations with the highest number of administrators.

CAATTs. We used Microsoft Access to convert text files from the AFP active user account database (as of 20 November 2006) and personnel retirement, separation, and termination data from the MILPDS and DCPDS databases. We used the Access merge, sort, query, and filter functions to compare and analyze the active user account data against the personnel data.

Data Reliability. We relied on computer-processed data to perform this audit. Specifically, we used computer-generated data obtained from Tivoli Access Manager and the MILPDS and DCPDS personnel systems. To establish data reliability, we validated the duty status of a judgmental sample of administrators with personnel from the administrators' unit of record. Based on these tests, we determined the data were sufficiently reliable to support audit conclusions.

Auditing Standards. We conducted audit work in accordance with generally accepted government auditing standards and, accordingly, included tests of key internal controls associated with maintaining, deactivating, and deleting AFP accounts; approving administrator and privileged access rights; and granting roles in the AFP.

PRIOR AUDIT COVERAGE

We did not identify any Air Force Audit Agency, DoD Inspector General, or Government Accountability Office reports issued within the past 5 years that addressed the same or similar objectives as this audit.

Appendix III: Locations Audited/Reports Issued

Organization/Location (installation-level reports issued are shown in parentheses)

Headquarters Air Force (HAF)
- AF/A4, Washington DC
- SAF/FM, Washington DC
- Air Force Financial Systems Operations, Maxwell AFB Gunter Annex AL (F2007-0041-FDD000, 10 May 2007)
- 844th Communications Group, Bolling AFB DC

Air Combat Command
- 27th Fighter Wing, Cannon AFB NM
- 355th Wing, Davis-Monthan AFB AZ

Air Education and Training Command (AETC)
- HQ AETC, Randolph AFB TX
- Air Force Personnel Center, Randolph AFB TX
- 12th Flying Training Wing, Randolph AFB TX
- 37th Training Wing, Lackland AFB TX
- 42d Air Base Wing, Maxwell AFB AL - Gunter Annex

Air Force Materiel Command (AFMC)
- HQ AFMC, Wright-Patterson AFB OH
- Aeronautical Systems Center, Wright-Patterson AFB OH
- 643d Electronic Systems Squadron, Maxwell AFB - Gunter Annex AL (F2007-0052-FDD000, 13 June 2007)
- 754th Electronic Systems Group, Maxwell AFB - Gunter Annex AL (F2007-0055-FDD000, 18 June 2007)

Air Force Space Command
- 21st Space Wing, Peterson AFB CO
- 90th Space Wing, F. E. Warren AFB WY

Air Force Special Operations Command (AFSOC)
- HQ AFSOC, Hurlburt Field FL (F2007-0068-FDD000, 24 July 2007)
- 1st Special Operations Wing, Hurlburt Field FL
- 23d Wing, Moody AFB GA (F2007-0023-FCR000, 25 May 2007)

Air Mobility Command (AMC)
- HQ AMC, Scott AFB IL
- 92d Air Refueling Wing, Fairchild AFB WA
- 375th Airlift Wing, Scott AFB IL

Air National Guard
- 171st Air Refueling Wing, Pittsburgh Airport PA
- 175th Wing, Martin State Airport MD

Field Operating Agencies
- Air Force Communications Agency, Scott AFB IL

Pacific Air Forces
- 3d Wing, Elmendorf AFB AK
- 15th Air Wing, Hickam AFB HI
- 611th Air Operations Wing, Elmendorf AFB AK

United States Air Forces in Europe
- 31st Fighter Wing, Aviano AB, Italy
- 86th Airlift Wing, Ramstein AB, Germany

FREEDOM OF INFORMATION ACT

The disclosure/denial authority prescribed in AFPD 65-3 will make all decisions relative to the release of this report to the public.

Appendix IV: Points of Contact

Information Systems Security and Communications Division (AFAA/FSS)
Financial and Systems Audits Directorate
5023 4th Street
March ARB CA 92518-1852

Derrick D. H. Wong, Associate Director
DSN 447-4929
Commercial (951) 655-4929

Ronald P. Saclolo, Program Manager
Ramesh Bharania, Audit Manager

We accomplished this audit under project number F2006-FB4000-0067.000.


Appendix V: Final Report Distribution

SAF/AA, SAF/OS, SAF/US, SAF/FM, SAF/IG, SAF/LL, SAF/PA, SAF/XC
AF/A6, AF/CC, AF/CV, AF/CVA, AF/A3/5, AF/A8, AF/RE, AF/XP
NGB/CF
ACC, AETC, AFMC, AFMIA, AFNETOPS, AFRC, AFSOC, AFSPC, AIA, AMC, ANG, PACAF, USAFA, USAFE
Units/Orgs Audited
AU Library
DoD Comptroller
OMB


To request copies of this report or to suggest audit topics for future audits, contact the Operations Directorate at (703) 696-7913 (DSN 426-7913) or e-mail reports@pentagon.af.mil. Certain government users may download copies of audit reports from our home page at www.afaa.hq.af.mil/. Finally, you may mail requests to:

Air Force Audit Agency
Operations Directorate
1126 Air Force Pentagon
Washington DC 20330-1126