International Trade Administration



Similar documents
United States Patent and Trademark Office

U.S. Census Bureau. FY 2009 FISMA Assessment of the Field Data Collection Automation System (CEN22)

How To Review The Security Plans Of Noaa

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Review of the SEC s Systems Certification and Accreditation Process

POSTAL REGULATORY COMMISSION

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Compliance Risk Management IT Governance Assurance

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Office of Inspector General

How To Check If Nasa Can Protect Itself From Hackers

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

2014 Audit of the Board s Information Security Program

VA Office of Inspector General

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

OFFICE OF INSPECTOR GENERAL

NARA s Information Security Program. OIG Audit Report No October 27, 2014

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Final Audit Report. Report No. 4A-CI-OO

2014 Audit of the CFPB s Information Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

Information Security Series: Security Practices. Integrated Contract Management System

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

VA Office of Inspector General

Final Audit Report -- CAUTION --

CTR System Report FISMA

Report of Evaluation OFFICE OF INSPECTOR GENERAL E Tammy Rapp Auditor-in-Charge FARM CREDIT ADMINISTRATION

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

FEDERAL HOUSING FINANCE AGENCY OFFICE OF INSPECTOR GENERAL

NUMBER OF MATERIAL WEAKNESSES

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Office of Inspector General

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

How To Audit The Mint'S Information Technology

How To Improve Nasa'S Security

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

REPORT ON FY 2006 FISMA AUDIT OF THE SMITHSONIAN INSTITUTION S INFORMATION SECURITY PROGRAM

Evaluation of DHS' Information Security Program for Fiscal Year 2014

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

Security Controls Assessment for Federal Information Systems

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Department of Homeland Security Office of Inspector General

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

How To Audit The National Security System

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Audit of the Department of State Information Security Program

Department of Homeland Security

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

2012 FISMA Executive Summary Report

VA Office of Inspector General

Audit of the Board s Information Security Program

In Brief. Smithsonian Institution Office of the Inspector General

NEIAF June 18, IS Auditing 101

HARPER, RAINS, KNIGHT & COMPANY, P.A. CERTIFIED PUBLIC ACCOUNTANTS & CONSULTANTS RIDGELAND, MISSISSIPPI

Briefing Report: Improvements Needed in EPA s Information Security Program

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

ACSAC NOAA/NESDIS Case Study. December, 2006

Lots of Updates! Where do we start?

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Product Summary RADIUS Servers

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

EPA s Computer Security Self-Assessment Process Needs Improvement

TSA audit - How Well Does It Measure Network Security?

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

FY 2015 Inspector General Federal Information Security Modernization Act Reporting Metrics V1.2

Evaluation of DHS' Information Security Program for Fiscal Year 2015

Department of Veterans Affairs

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL. September 22, 20 14

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

REDACTED FOR PUBLIC RELEASE

Security Control Standard

OFFICIAL USE ONLY. Department of Energy. DATE: January 31, 2007 Audit Report Number: OAS-L-07-06

OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

SSL Certificate Based VPN

HARPER, RAINS, KNIGHT & COMPANY, P.A. CERTIFIED PUBLIC ACCOUNTANTS RIDGELAND, MISSISSIPPI

Department of Homeland Security Office of Inspector General. DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems

Hanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness

Federal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security

Mission Assurance and Security Services

Systems Evaluation of the Agencywide Document Access and Management System. OIG-04-A-21 September 30, 2004 REDACTED FOR PUBLIC RELEASE

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

AR Office of Inspector General

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

Audit of Case Activity Tracking System Security Report No. OIG-AMR

Transcription:

U.S. DEPARTMENT OF COMMERCE Office of Inspector General International Trade Administration FY 2007 FISMA Assessment of Core Network General Support System (ITA-012) Final Inspection Report No. OSE-18840/September 2007 PUBLIC RELEASE Office of Systems Evaluation

Listing of Abbreviated Terms & Acronyms C&A Certification and accreditation IT Information technology ISA Internet Security Acceleration OMB Office of Management and Budget FISMA Federal Information Security Management Act of 2002 PIX Private Internet Exchange RADIUS Remote Authentication Dial-in User Server SSL Secure Sockets Layer VPN Virtual Private Network Synopsis of Findings Both Positive and Requiring Management Attention Effective assessment process provides a clear understanding of remaining vulnerabilities and status of system security controls. Components outside of the accreditation boundary that provide security controls for the system were not evaluated. System contingency plan and contingency testing are inadequate. Conclusions Certification testing adequately assessed the required security controls. Certification activities provided sufficient basis for authorizing official to make a credible, risk-based decision to approve system operation. Summary of ITA s Response and OIG Comments ITA concurred with all of our recommendations and identified actions it has taken or plans to take to address them. The actions described are responsive to our recommendations. ITA s written response is included in its entirety as appendix B of this report. Page 1

Findings and Recommendations 1. Effective Assessment Process Provides A Clear Understanding of Remaining Vulnerabilities and Status of System Security Controls. The assessment of ITA security controls was based on well defined procedures and expected results. Clear assessment results were provided for each assessment procedure. o Clarity and credibility of results is greatly enhanced because results data was provided for controls that were assessed by examination or manual testing. o Identification of the individual interviewed and summary of their response demonstrated that assessments based on interview involved the correct system owner staff and asked relevant and appropriate questions. By clearly defining assessment procedures and expected results, and thoroughly documenting assessment results the certification agent could accurately determine which security controls are implemented correctly, recommend specific corrective actions, and clearly present to the authorizing official the risks associated with the remaining vulnerabilities. Well documented test results assist in effective vulnerability mitigation because the system owner has a clear record of specific system vulnerabilities. ITA had no comments on this finding. Page 2

2. Components Outside of The Accreditation Boundary that Provide Security Controls For the System Were Not Evaluated. The system security plan and the security test and evaluation report describe the following security controls and components that are outside the accreditation boundary: o AC-2 (Account Management): RADIUS is the centralized mechanism for managing system administrator accounts for the edge router and PIX firewall. o AC-13 (Supervision and Review): The external switch is protected by other boundary devices at a higher level in the network general support system. o AC-20 (Personally Owned Information Systems): Authorized users access the ITA network remotely via a Juniper SSL VPN appliance and system administrators access the ITA network via a Microsoft ISA server. During a follow-up meeting, ITA explained that the components are part of the ITA Network Security general support system, which was currently undergoing C&A and had not been tested at the time the ITA Core Network was undergoing C&A. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, defines the application of security controls from one system to another as common controls. The results from the assessment of common controls can be used to support the security C&A processes of the system where that control has been applied. However, because the devices providing these security controls had not been assessed, there are no assessment results to support the use of that control in the ITA Core Network. Recommendation ITA should ensure that all components that implement security controls for a system are assessed prior to or during certification and accreditation. ITA s Response ITA concurred with this recommendation and stated that it will ensure that any components that are not a part of an information system s accreditation boundary are assessed prior to completing the certification and accreditation for that system. ITA also stated that controls AC-2 (Account Management) and AC-20 (Personally Owned Information Systems) have been implemented and tested for all of its information systems. OIG Comment ITA s corrective actions are responsive to our recommendation. Page 3

3. System Contingency Plan and Contingency Testing are Inadequate An annual test of the contingency plan was not conducted. o Certification test results indicate that the last test of the system contingency plan was conducted in June 2006 and note that the contingency test results can not be found. o The certification test results also indicate that the contingency plan was not used as the basis to assess system contingency readiness. Instead, the assessment was conducted using Federal Emergency Management Agency defined tests and exercise scenarios. The contingency plan does not address the procedures and activities required to restore operations after a disruption or failure as required by Department policy and NIST SP 800-53. o The contingency plan was created in January 2007 and addresses ITA s Enterprise Network system, which includes the Core Network system. o System recovery procedures are referenced, but not included in the plan. ITA subsequently provided the OIG a document titled Network Shutdown Procedures and Network Restore Procedures. However, the document only addressed procedures for network shutdown and restart but does not provide other important procedures to restore operations after a disruption or failure. o The contingency plan also fails to specify the emergency scenarios that require annual testing. Recommendations ITA should ensure that: 1. Procedures and activities to restore operations after a failure or disruption are incorporated into the system contingency plan in accordance with Department policy. 2. ITA conducts annual contingency plan testing in accordance with Department policy and that contingency test documentation contains detailed information regarding the scope, test procedures, test scenarios, and a summary of the results. ITA s Response ITA concurred with these recommendations and stated that it is developing procedures to restore operations after a failure or disruption of its systems and that changes to operations are being instituted to ensure that network operations can be restored after a failure or disruption. ITA noted that the test of its Enterprise Network Contingency Plan will be completed by the end of calendar year 2007 and will include detailed agency-defined test scenarios and a summary of all test results. OIG Comment ITA s corrective actions are responsive to our recommendation. Page 4

Appendix A: Objectives, Scope, and Methodology To meet the FY 2007 FISMA reporting requirements, we evaluated ITA s certification and accreditation for the core network general support system (ITA-012). Security certification and accreditation packages contain three elements, which form the basis of an authorizing official s decision to accredit a system. The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. As such, the security plan provides a basis for assessing security controls. Per Department policy, the security plan also includes other documents such as the system risk assessment and contingency plan. The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent. The plan of action & milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system. Commerce s IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are: The certification test plan, which documents the scope and procedures for testing (assessing) the system s ability to meet control requirements. The certification test results, which is the raw data collected during the assessment. To evaluate the C&A package, we reviewed all components of the package and interviewed ITA staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB. We used the following review criteria: Federal Information Security Management Act of 2002 (FISMA) U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards NIST s Federal Information Processing Standards (FIPS) o Publication 199, Standards for Security Categorization of Federal Information and Information Systems o Publication 200, Minimum Security Requirements for Federal Information and Information Systems NIST Special Publications: o 800-18, Guide for Developing Security Plans for Information Technology Systems o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems o 800-42, Guideline on Network Security Testing o 800-53, Recommended Security Controls for Federal Information Systems o 800-70, Security Configuration Checklists Program for IT Products We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections issued by the President s Council on Integrity and Efficiency in January 2005. Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information