[Audit Report on Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation] [From the U.S. Government Printing Office, www.gpo.gov] Report No. 97-I-683 Title: Audit Report on Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation Date: March 31, 1997 **********DISCLAIMER********** This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 208-4599. GLOSSARY Asynchronous Protocol. Refers to a set of conventions used to start and stop transmissions that occur without a regular or predictable time relationship to a specific event. Synchronous protocol refers to a set of conventions used for transmissions that occur regularly or predictably with respect to a specific event. Customer Information Control System (CICS). This is an IBM software product that serves as a teleprocessing monitor for the MVS operating system on the Service Center's mainframe computers, which enables transactions entered at remote computer terminals to be processed concurrently and is designed to control execution of application programs in an interactive on-line environment. Data Structure. How the data are physically laid out within a computer system (for example, the fields in a record). Ethernet. A networking scheme that allows microcomputers to be connected to a network. It physically consists of cabling, which connects all the machines on a network. Multiple Virtual Storage/Enterprise Systems Architecture (MVWESA). An operating system that runs on IBM mainframe computers and increases virtual memory capability to 16 terabytes (trillion bytes), Resource Access Control Facility (RACF). An IBM-licensed product that provides for access control by identifying and verifying users to the system, authorizing access to protected resources, logging detected unauthorized attempts to enter the system, and logging detected accesses to protected resources. Time Sharing Option (TSO). A system software product that serves as the session manager on the mainframe computers whereby terminal users can submit jobs on-line. Time sharing allows a number of users to execute programs concurrently and to interact with the programs during execution. Transmission Control Protocol/Internet Protocol. The system that networks use to communicate with each other by allowing traffic to be routed from one network to another. The Internet Protocol is a set of conventions used to pass packets (that is, a cluster of data) from one network to another. A-IN-BOR-001-96 United States Department of the Interior OFFICE OF INSPECTOR GENERAL Washington, D.C. 20240 AUDIT REPORT Memorandum Subject: Audit Report on Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation (No. 97-I-683) INTRODUCTION This report presents the results of our audit of mainframe computer policies and procedures at the Bureau of Reclamation's Administrative Service Center. The objective of the audit was to evaluate the adequacy of the management and internal controls of the Service Center's mainframe computer system and its processing environment. Specifically, the audit focused on management and internal controls over the following areas: computer center management and operations; telecommunications and local area network (LAN) security; application systems access; mainframe computer system physical and logical security; and contingency planning, backup, and disaster recovery. BACKGROUND The Bureau of Reclamation's Administrative Service Center in Denver, Colorado, provides: (1) consolidated payroll and personnel services for about 106,000 employees in the Department of the Interior and five other Federal agencies and (2) Government accounting, integrated budgeting, and reporting services through the Federal Financial System (FFS) to five Departmental and five other Federal agencies. At the time of our review, payroll and personnel services were provided through the Payroll/Personnel System (PAY/PERS). However, the Service Center was developing a new personnel/payroll system, the Federal Personnel Payroll System (FPPS). The first phase of the new system, which has been implemented, is the SF-52 System (an SF-52 form is entitled "Request for Personnel Action"). The second phase, which consists of personnel actions and payroll processing, is scheduled for implementation beginning in September 1997. The Service Center was also to provide payroll and personnel services to an additional 65,000 Social Security Administration employees beginning in October 1997. The Service Center's ADP Services Division is responsible for managing the computer center that provides the various services. To assist the Division in carrying out its functions, the Service Center has contracted Tri-Cor to provide staff to assist in operating and maintaining the computer systems software, communications, and LANs. The computer center provides data processing support for the computer center operates an IBM mainframe computer that runs Multiple Virtual Storage (MVS) Extended Systems Architecture operating system to manage the processing work load. The access control security software installed on the mainframe computer is the Resource Access Control Facility (RACF), which controls user access not only to the application systems, such as the Customer Information Control System applications, but also to the Time Sharing Option (TSO) facility. The FFS contains application level security that controls the action a user may invoke. Other system software, such as other data base management software, telecommunications software, and specialized vendor software products, also resides on the mainframe computers. Network and local communications support for both asynchronous and synchronous protocols are provided, as well as LAN connectivity, through Ethernet and Transmission Control Protocol/Internet Protocol. (The specific computer system software and network communications cited are detailed in the Glossary.) SCOPE OF AUDIT To accomplish our objective, we interviewed Service Center and Tri-Cor personnel, reviewed systems documentation, observed and became familiar with computer center operations and data structures, analyzed system security, and observed a disaster recovery test. In addition, we reviewed the software maintenance procedures. Because our review was limited to evaluating the adequacy of internal controls at the Service Center, we did not test the effectiveness of the internal controls at the various bureaus and agencies serviced by the Service Center. Our audit, which was conducted during June through October 1996, was made in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances. As part of our audit, we evaluated the Service Center's system of internal controls over its mainframe computer system that could adversely affect the data processing environment, The control weaknesses that we found are discussed in the Results of Audit section and in Appendix 1 of this report. If implemented, our recommendations should improve the management and internal controls in the areas cited. any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy." 2 PRIOR AUDIT COVERAGE During the past 5 years, the General Accounting Office has not issued any reports related to the scope of this audit. However, in March 1994, the Office of Inspector General issued the report "Compliance With the Computer Security Act of 1987, Denver Administrative Service Center, Bureau of Reclamation" (No. 94-I-357). The report stated that the Service Center generally complied with requirements of the Computer Security Act of 1987 but that improvements were needed in the areas of security and operations. Since the Service Center was addressing all of the deficiencies identified, no recommendations were made. However, deficiencies in performing a risk analysis of the Service Center's LANs and in the separation of duties within RACF software still existed during our review. These issues are discussed in the Results of Audit section and in Appendix 1 of this report. RESULTS OF AUDIT The Bureau of Reclamation's Administrative Service Center has weaknesses in management and internal controls in five major areas: (1) computer center management and operations; (2) LAN protection; (3) FFS application; (4) computer mainframe system physical and logical security; and (5) contingency planning, backup, and disaster recovery. Office of Management and Budget Circular A- 130, "Management of Federal Information Systems," and the National Institute of Standards and Technology Federal Information Processing Standards Publications require Federal agencies to establish and implement computer security and management and internal controls to improve the protection of sensitive information in the computer systems of `executive branch agencies. Additionally, the Congress enacted laws, such as the Privacy Act of 1974 and the Computer Security Act of 1987, to improve the security and privacy of sensitive information in computer systems by requiring executive branch agencies to ensure that the level of computer security and controls is adequate. However, the Service Center has not complied with these criteria in that it did not document formal policies, standards, and procedures; follow proper practices and processes; segregate duties; comply with key software vendor guidelines for MVS integrity; and develop a formal, up-to-date, comprehensive data security program. These weaknesses increase the risk of unauthorized access and modifications to and disclosure of client-sensitive data supported by the Service Center's mainframe computer; theft or destruction of hardware, software, and sensitive information; and the loss of critical systems and functions in the event of a disaster. Overall, we identified 15 weaknesses and made 24 recommendations for improving management and internal controls at the Service Center. The weaknesses within the five major areas are provided below, and specific details of the weaknesses and our respective recommendations to improve these weaknesses are in Appendix 1. Computer Center Management and Operations We found that contractor employees in critical positiorx did not have proper background clearances, Without knowledge of security-related background information on contractor personnel, the risk is increased for Service Center's sensitive systems to be compromised. We made one recommendation to address this weakness. LAN Protection We found that the Service Center could improve controls in administering and managing its LAN. Improved controls were needed in the areas of intruder detection lockout settings, disaster recovery, and user access. Because of the weak controls, the risk is increased for Service Center personnel to have unauthorized access to the mainframe computer and thus to sensitive payroll and accounting data. We made five recommendations to address these weaknesses. FFS Application We found that access controls in the FFS application software would not prevent Service Center users from generating unauthorized disbursements. Specifically, several users had access to vendor tables, which could result in the tables being changed and disbursing documents being affected. We made one recommendation to correct this weakness, Mainframe Computer System Physical and Logical Security We found that the Service Center did not always comply with Circular A- 130 or the Department of the Interior's "Information System Security Handbook." Also, the Service Center did not implement controls recommended in software vendor guidelines and generally accepted information system industry practices in administering and implementing operating system and access security software on its mainframe computers. These weaknesses were in the areas of physical security, password settings, System Management Facility (SMF) logs, multiple user identification (ID) codes, ADP access levels, separation of duties in the use of RACF security controls, and computer security plans. As a result, sensitive data maintained on the Service Center's computer were vulnerable to unauthorized access and change. We made 14 recommendations to address weaknesses in these areas. Contingency Planning, Backup, and Disaster Recovery We found weaknesses in the Service Center's contingency planning, backup, and disaster recovery for its sensitive systems and mainframe computing environment. Specifically, rather than relying on documented procedures, the Service Center relied upon individuals' knowledge. We also found that the Service Center did not have a documented comprehensive business recovery plan. As a result, in 4 the event of a disaster, the Service Center may not be able to recover critical systems and business functions. We made three recommendations to address these weaknesses. Bureau of Reclamation Response and Office of Inspector General Reply In the March 24, 1997, response (Appendix 2) from the Commissioner, Bureau of Reclamation, to our draft report, the Bureau generally concurred with 23 of our 24 recommendations. Based on the 0.1 resolved but not implemented; and Recommendation L. 1 unresolved. Accordingly, the unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation, and the Bureau is requested to reconsider the unresolved recommendation (see Appendix 3). While the Bureau's response generally concurred with the recommendations, except for Recommendation L. 1, the response did take issue with several statements regarding our recommendations, which we have addressed as follows: - Recommendation L.1. The Bureau said that it "disagree[d]" with the recommendation and that it "question[ed] any adverse effect as well as any benefit from retroactively requiring additional documentation [to ensure that Decentralized Security Administration Facility records are updated for oral access adjustments]. While we did not question the validity of oral requests for access to the mainframe computer systems, we did recommend that these requests and approvals be documented in Facility records to allow reconciliation between access requested and access allowed to ensure that access is assigned at the appropriate level. Accordingly, the Bureau should reconsider its response to this recommendation. - Recommendation F.1. While the Bureau said that it has complied with the recommendation, it stated that the problem was "currency of documentation" and not a problem of physical security because two levels of security control occur before personnel are allowed entry into the computer rooms. We agree that two levels of security control had to be passed through to enter the computer room. However, the Service Center had "generic" key cards that were issued to and used by vendors and building management personnel for access to the computer rooms. Thus there was little assurance that only specific people had use of the key card to gain access to the computer rooms. - Recommendation G.2. While the Bureau said that it concurred with the intent of the recommendation, it stated in its response that the 180-day password interval for RACF security applied to only one application, the Automated SF 52 System. The Bureau stated that the "extended interval" was requested by the users and approved by the Bureau's Security Ma.nager. It further disagreed with our assertion that "not all mainframe applications have access security." We disagree with these statements. First, the Automated SF 52 System is not the only application residing on the mainframe. The mainframe also houses the PAY/PERS and the Federal Financial System, both sensitive applications. Further, at the time the Service Center received approval for the 180-day password interval in June 1994, the PAY/PERS was not residing on the mainframe. Second, the PAY/PERS does not have adequate security within the application; thus it relies exclusively on 5 RACF security to control access. As such, by default, users to the mainframe applications have 180- day password settings. - Recommendation K.1. While the Bureau concurred with the recommendation, it disagreed that the condition was caused by the limited number of staff assigned to the group for monitoring security. The Bureau stated, "This information does not represent the ASC [Administrative Service Center] position." During our review, we found that the group did not have an adequate number of staff or that the work load was distributed to ensure that the segregation of duties was adequate. - Recommendation N.1. While the Bureau concurred with the recommendation, it stated that "this condition should have been more appropriately stated as a currency of documentation issue" because the Administrative Service Center "has addressed recovery of the Federal Financial System and telecommunications although not formally documented." We disagree. By not including the Federal Financial System and telecommunications in the Continuity of Operations Plans, there is little assurance that the Federal Financial System and telecommunications would be addressed and recovered during the testing of the plan or in the event of a disaster. Further, during our review of a disaster recovery test, the Federal Financial System was not included in any of the tests performed by the Service Center. Additional Comments on Audit Report In its response, the Bureau disagreed with our use of "generally accepted industry and information system standards" as acceptable criteria, stating that "a conclusive set of standards were not available and the auditors were not aware as to whether these standards had ever been issued as official Government-wide policy." The Bureau further stated that the Department's Office of Information Resources Management had likewise advised that it was unaware of these standards and of their applicability to Departmental organizations, However, computer and information system audit guidelines that were used by the auditors in performing the audit are those that are also used by other Federal Government and private industry auditors and computer installation staff in evaluating the effectiveness of computer center management and operations, The audit guidelines refer to numerous directives, policies, and guidelines issued by the Office of Management and Budget and the National Institute of Standards and Technology and, by reference, to non-Federal standard-setting organizations such as the Information Systems Control Foundation, the Institute of Internal Auditors Research Foundation, and the American Institute of Certified Public Accountants. Further, the Office of Management and Budget and the National Institute of Standards and Technology, by reference, include and recognize not only these non-Federal standard-setting organizations but also the British Standards Institute, as well as: (1) periodicals such as the Auerbach Publishers newsletters and articles (EDP Audit and Control Newsletter), LAN Times, and Infosecurity News; (2) symposiums and conferences held by the Institute of Electrical and Electronic Engineers Computer Society, the National Computer Security, and UNIX; and (3) individuals who are considered experts in information systems such as the Inspector General for the U.S. House of Representatives. While guidelines and standards issued 6 by these organizations, publishers, and individuals may not have been issued as "official Governmentwide policy," they promulgate industrywide standards and are the bases for many Governmental directives, policies, and guidelines issued that are related to information systems. In addition, many of the Federal Government policies, directives, and guidelines state that the requirements therein are "minimum" requirements, which implies that additional requirements or standards such as those defined by the information systems industry can and should be used. The Bureau also questioned certain recommendations in terms of their consistency with Office of Management and Budget policies, in particular, with policies of Circulars A-123 and A-l 30. In this regard, the Bureau said that we did not consider cost as an "important consideration" when addressing "adequate" computer security controls. Regarding the "costs" of our recommendations, we are not responsible for performing cost-benefit analyses of the computer controls needed for the Bureau's automated information systems. Rather, the Bureau is responsible for conducting an adequate review of the risks and associated costs when it determines the controls needed in its computer systems, The auditors are responsible for determining whether the analyses were adequate for the circumstances. During our review, the Bureau could not provide us with any such analyses of cost versus risk. While the Bureau stated that armed guard service was on-site at the Service Center 24 hours a day, we did not see a guard on-site during normal duty hours at any time during our audit. We agree that the security measures identified in the Bureau's response reduce the risk of physical damage to the Facility and thus to computers. However, our audit was not limited to reviewing only the physical access to and the security of the Facility. It also included a review of physical access to computer hardware and software. As stated in our report, physical access to the computer rooms was not controlled or limited to only those personnel who required access to perform their day-to-day duties. As required by the Departmental Manual (360 DM 5.3) please provide us with your written comments to this report by June 3, 1997. The response should provide the information requested in Appendix 3, The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken. We appreciate the assistance of Bureau Administrative Service Center personnel in the conduct of our audit. 7 APPENDIX 1 Page 1 of 20 DETAILS OF WEAKNESSES AND RECOMMENDATIONS COMPUTER CENTER MANAGEMENT AND OPERATIONS A. Background Clearances Condition: Critical contractor personnel, such as the RACF administrator and software management personnel, did not have documented clearances. Criteria: Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish and manage personnel security policies, standards, and procedures that include requirements for screening individuals who: (1) participate in the design, development, operation, or maintenance of sensitive applications or (2) have access to sensitive data. Cause: While Federal employees are required to have background clearances, the Service Center did not apply this requirement to contractors. Effect: Without proper personnel screening, managers had limited knowledge of the suitability of contractor personnel, from a security standpoint, for their respective jobs. Without this assurance, the risk is increased for the Service Center's sensitive systems to be compromised. Recommendation: We recommend that the Director, Administrative Service Center, require all contractor employees to have the proper background clearances. 8 B. LAN Monitoring APPENDIX 1 Page 2 of 20 LAN PROTECTION Condition: Four file servers at the Service Center had minimal lockout settings. For example, current lockout procedures provide for only a 15-minute lockout after three or four unsuccessful log-in attempts. We believe that these lockout settings would not adequately identify unauthorized access. The NetWare operating system software supports an "intruder detection/lockout feature," which aids in the prevention of unauthorized access to the system. The system will suspend a user account when a predefined number of unsuccessful access attempts occurs in a predetermined amount of time. The time that an account is suspended may also be defined. Criteria: The Privacy Act of 1974 and the Computer Security Act of 1987 require implementation of minimally acceptable security practices for improving the security and privacy of sensitive information in Federal computer systems. Office of Management and Budget Circular A-l 30 requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Also, the Circular requires agencies to ensure that appropriate safeguards exist in general support systems (for example, LANs and the data processing center, including the operating system and utilities). In addition, industry standards recommend a lockout period of 7 days. Cause: Service Center officials stated that the 15-minute lockout met the Bureau of Reclamation's LAN standards. However, the Bureau's LAN implementation guidelines recognize that the minimum settings for intruder lockout parameters may be unacceptable to many offices. We believe, given the sensitivity of data at the Service Center, that minimum settings are unacceptable to ensure protection from unauthorized access to sensitive data. Effect: The minimum level of security set for the LAN increases the risk that unauthorized access to the Service Center's LAN resources will not be detected timely. Recommendation: We recommend that the Director, Administrative Service Center, enhance the intruder detection settings above the Bureau of Reclamation's policy to suspend a user account, after unsuccessful access attempts, for a period of time long enough to ensure that the user will have to contact an administrator to have the user ID reset. For example, the user ID could be suspended for 24 hours after three incorrect attempts occurred in a 24-hour period. 9 APPENDIX 1 Page 3 of 20 LAN PROTECTION C. LAN Disaster Recovery Plan Condition: The Service Center did not have a documented disaster recovery plan for its LAN. This weakness was identified in a March 1994 Office of Inspector General audit risk analysis (the first step in developing a disaster recovery plan) on its LAN. Criteria: Office of Management and Budget Circular A- 130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Specifically, agencies should establish a contingency plan and periodically test the capability of the plan to perform the function in the event that its automated systems fail Cause: Because no risk analysis has been performed on the LAN, no disaster recovery plan has been developed by the Service Center. Effect: The lack of a disaster recovery plan increases the risk that offices will not be able to resume processing on a timely basis after a disaster occurs. Recommendation: We recommend that the Director, Administrative Service Center, develop and periodically update a disaster recovery plan for the LAN. 10 APPENDIX I Page 4 of 20 LAN PROTECTION D. User Access Control Condition: The security settings that provide access to the file servers were not controlled. We identified weaknesses in the way user profiles had been established. In NetWare, established user profiles superseded the file server default restrictions. As such, some users had a required password change interval greater than 90 days, had concurrent multiple or unlimited connections, and were not required to use unique passwords. In addition, the "SECURE CONSOLE" command was not used on any of the file servers we reviewed. The "SECURE CONSOLE" command is designed to prevent users from gaining access to the file server console by removing DOS from the system memory when the operating system is powered down. Also, the "SET ALLOW UNENCRYPTED PASSWORD = ON" was found on two of the file servers reviewed. This designation allows passwords to be UNENCRYPTED, thereby increasing the risk for passwords to be obtained and used by unauthorized users. Criteria: Office of Management and Budget Circular A- 130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems, It also requires agencies to implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. The Circular mrther defines "adequate security" as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." Cause: Service Center procedures were not followed or were not in place to ensure that controls were adequate to safeguard the LANs. Effect: The minimum security settings for the Service Center's LAN increase the risk for unauthorized access to network systems, which could result in the loss of data and in unauthorized individuals gaining access to sensitive data files through DOS by bringing down the file server. 11 APPENDIX 1 Page 5 of 20 LAN PROTECTION Recommendations: We recommend that the Director, Administrative Service Center: 1. Ensure that LAN security and password features are implemented, which will require all users to change passwords every 90 days, enforce unique password use, and limit concurrent multiple or unlimited connections to one per user and grant additional connections on an as-needed basis. 2. Include the "SECURE CONSOLE" command in the AUTOEXEC.NCF file on all file servers to prevent users from gaining access to the system files in DOS mode. 3. Ensure that the command "SET ALLOW UNENCRYPTED PASSWORD=ON" is not 12 APPENDIX 1 Page 6 of 20 FFS APPLICATION E. Access Security Controls Condition: FFS security access controls were not adequate. We identified 15 users, who were Service Center employees, who could update and modify the application vendor table of one of the Service Center's clients, as well as initiate disbursement documents. This access could result in the vendor table being changed and in an unauthorized disbursing document being entered. Criteria: Office of Management and Budget Circular A-130, Appendix III, requires that security controls for personnel include such controls as individual accountability, "least privileged," and separation of duties. "Least privileged" is the practice of restricting users' access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, or delete) to the minimum necessary for the users to perform their jobs. Separation of duties is the practice of dividing the steps in a critical function among different individuals. Cause: Although the Service Center provided payment services to its client, the Service Center had not ensured that security controls in the FFS application prevented unauthorized payments. Service Center officials stated that the client was responsible for establishing the application security. Effect: Without the applicable security access controls, the risk is increased for unauthorized payments to be disbursed. Recommendation: We recommend that the Director, Administrative Service Center, coordinate with the client to limit Service Center users' access to the "least privileged" in the FFS application; that is, assurance should be provided that any user authorized to enter or change the vendor table does not also have access to disbursing documents. 13 APPENDIX 1 Page 7 of 20 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY F. Physical Security Condition: Although access to the Service Center facilities was controlled, the Service Center could not identify all individuals who had card key access to the computer rooms, which house the mainframe and LAN. In addition, some Service Center visitors (for example, maintenance personnel, janitorial staff, and vendors) were not monitored when they were inside the computer room. Criteria: Cause: Effect: The Department of the Interior Automated Information System Handbook, when addressing the control for personnel access to computer facilities, states, "Access by visitors, equipment personnel, and other individuals not directly involved with managing or operating a sensitive automated information system installation will be controlled by individual authorization." The Handbook further states that it is recognized that different procedures and restrictions will be required for various categories of visitors but that all access by other than assigned personnel will be monitored. The Service Center's informal procedures provided for vendors, as well as for the building management company, to be issued card keys to these sensitive areas without identifying the individuals receiving the cards and without requiring formal access request forms. Also, current practices allow certain visitors to be unmonitored when they are in the sensitive areas, The Service Center cannot specifically identify all those individuals who have access to and/or are accessing the computer rooms. Furthermore, by not monitoring all visitors, the risk is increased for the Service Center's sensitive data and resources to be stolen or destroyed. 14 APPENDIX 1 Page 8 of 20 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY Recommendations: We recommend that the Director, Administrative Service Center: 1. Document procedures for the issuance of key cards and require that the procedures be instituted for vendors in addition to contractors and Federal employees. 2. Evaluate the need for individuals outside of the ADP Services Division to be issued permanent card keys because such access should be limited to those individuals performing their day-to-day duties. 3, Document procedures to ensure the Service Center's compliance with the Department of the Interior Automated Information Systems Handbook regarding visitor (such as maintenance personnel, janitorial staff, and vendors) monitoring. 15 APPENDIX 1 Page 9 of 20 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY Condition: In RACF, general client user passwords for access to the mainframe were not prompted for change until after 180 days, and user ID codes were not automatically revoked until 180 days of inactivity. Criteria: The Department of the Interior Automated Information Systems Security Handbook recommends that passwords be changed every 90 days. Also, generally accepted industry standards indicate that password change intervals should be from 60 to 90 days for users who do not have sensitive privileges and every 30 days for users who do have sensitive privileges because passwords may be guessed, copied, overheard, or recorded and played back. Cause: To make access to the mainframe applications more convenient for Service Center clients who use the mainframe applications only occasionally, notably the SF-52 System users, the Service Center increased the password interval to 180 days in 1994 after receiving approval from the Bureau of Reclamation's Security Administrator. However, this approval recommended that the Service Center change the password parameters, such as requiring a numeric or special character as part of the password, set in RACF security software. Service Center officials stated that the 180-day interval was acceptable because of security available within the mainframe applications. However, not all of the mainframe applications have access security. Effect: The current password settings reduce the effectiveness of the password as a control, thereby increasing the risk for unauthorized access to sensitive information through password disclosure. Recommendations: We recommend that the Director, Administrative Service Center: 1. Evaluate the feasibility of setting the parameters in RACF security software to require one numeric or special character as part of the password, as recommended by the Bureau of Reclamation's Security Administrator. 2. Reevaluate the standard RACF password change intervals and revocation settings to ensure that the level of risk associated with the mainframe applications and the current password settings is 16 APPENDIX 1 Page 10 of 20 acceptable to the Service Center, as well as to its clients and the Department, and address these results in a current risk assessment. 17 APPENDIX 1 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY H. SMF Logs Condition: At least 27 Service Center user ID codes that were allowed access to the TSO software had "alter" access to the "SYSl .MAN%" dataset. The SYSl.MAN% dataset contains the SMF logs that record all system activity, thereby providing a system audit trail. In addition, a critical SMF record type, record type 60, was not active. Criteria: Office of Management and Budget Circular A-130 recommends that adequate audit trails exist so that an adverse impact on general support systems is prevented or detected. Also, Federal Information Processing Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974," provides guidelines for system security and addresses the importance of having audit trails of all system activity. Cause: The Service Center had insufficient policies and procedures surrounding the protection of the SYS1.MAN% datasets. Also, SMF record type 60 was not active because Service Center officials said that they believed another software product INFOPAC (report generation software) created too many records. They said, therefore, that to reduce the amount of storage needed for SMF logs, record type 60 was not activated. Effect: By allowing users "alter" access to these logs, the risk is increased for the SMF logs to be inaccurate. Furthermore, because record type 60 is not active, no system audit trail exists to determine whether the changes to sensitive datasets by authorized individuals are appropriate. Specifically, because the PAY/PERS application has no internal security to monitor access and changes to its datasets, the Service Center relies only on RACF security. The active SMF record types identified only security violations and did not record changes made to datasets. Therefore, in the PAY/PERS application, there was no system audit trail available to monitor and evaluate changes made to PAY/PERS sensitive data. 18 APPENDIX 1 Page 12 of 20 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY Recommendations: We recommend that the Director, Administrative Service Center : 1. Evaluate the feasibility of limiting the number of Service Center users who have access authority to alter SMF logs. 2. Ensure that the SMF record type 60 logging is active or RACF settings are adjusted to specifically audit critical datasets maintained on the mainframe computers and to therefore provide an audit trail of system activity. 19 APPENDIX 1 Page 13 of 20 MAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY I. "OPERATIONS" Attribute Condition: The Service Center gave access to all of the operating system resources by assigning the "OPERATIONS" attribute to 85 active Service Center user IDS without logging the activities of these users. Through this access, users could make unauthorized changes to the mainframe computer operating system and sensitive application datasets without being detected by routine security controls. Criteria: The RACF Auditor's Guide states that "the OPERATIONS attribute allows a user access to almost all resources" and that the "group-OPERATIONS attribute allows a user access to almost all resources within the scope of the group and its subgroups." The "OPERATIONS" attribute, with some exceptions, provides the user with full control over datasets. Further, the RACF Security Administrator's Guide recommends that the "OPERATIONS" attribute be assigned to a minimum number of people and that the activities of the users be logged. RACF allows the use of more restrictive authorities, such as DASDVOL authority, when routine maintenance operations are performed. RACF security software also provides the option to log activities of users with the "OPERATIONS" attribute by activating the OPERAUDIT option. Cause: The Service Center had not assigned more restrictive authorities to individuals who performed routine system maintenance tasks because the Service Center had not evaluated the system access authority needed for individual users in performing their day-to-day functions. Also, the Service Center had not implemented the OPERAUDIT security feature in RACF that would log user activities as a result of the "OPERATIONS" attribute. Effect: Because the OPERAUDIT security feature had not been activated, any resource on the mainframe computer could be accessed using the "OPERATIONS" attribute without recording the user's access. This setting, along with the lack of system audit trails that would be produced by the SMF 60 record type, increases the risk for intentional or accidental unauthorized system actions to occur and not be detected. 20 APPENDIX 1 Page 14 of 20 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY Recommendations: We recommend that the Director, Administrative Service Center: 1. Evaluate the extent to which the "OPERATIONS" attribute should be available to Service Center user IDS. Specifically, the use of other more restrictive RACF authorities (such as DASDVOL authority) should be considered where possible. 2. Activate the security feature RACF OPERAUDIT and ensure that security personnel perform periodic reviews of the resultant logs to identify unauthorized activity. 21 APPENDIX I Page 15 of 20 MAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY J. ADP Access Levels Condition: Criteria: Cause: Effect: Users in the Service Center's ADP Services Division had significant access levels. For example, 28 user IDS had RACF authority to emulate the master console, even though the authority to issue operator commands through the TSO was not given to these individuals. In addition, 28 user IDS had "alter" access to the system parameter libraries (for example, the SYSl .PARMLIB) through the TSO. Office of Management and Budget Circular A-130 requires, at a minimum, that agency programs incorporate controls such as "separation of duties, least privileged, and individual accountability" within their major applications. Because of other Service Center priorities, the group responsible for monitoring security had not performed an audit of user access levels and therefore had not identified the required necessary changes and had not ensured that user access was at the authorized level. In addition, the ADP Services Division had not implemented procedures to ensure that "least privileged" access controls and appropriate separation of duties were in place. By allowing significant access levels to critical functions, the risk is increased for datasets to be altered without authorization and for the alteration to go undetected by normal operating controls. Without periodic review of user access levels, the risk is increased that the access given to a user will exceed that which is necessary to perform the user's daily job. Recommendations: We recommend that the Director, Administrative Service Center: 1. Ensure that the group responsible for monitoring security performs periodic reviews of user access levels to identity required necessary changes and to ensure that user access levels are authorized. 2. Institute a policy of "least privileged" access levels to ensure that access to resources and data is limited to those users who require such access. 22 APPENDIX 1 Page 16 of 20 MAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY K. RACF Software Internal Controls Condition: Criteria: Cause: Effect: Responsibilities of the RACF security administrator (assigned the SPECIAL attribute within RACF) had been combined with the responsibilities of the RACF auditor (assigned the AUDITOR attribute within RACF). In addition, seven user IDS within the Service Center had these combined attributes. This weakness was previously identified in a March 1994 Office of Inspector General audit report (No. 94-I-357). The RACF Auditor's Guide addresses the importance of the separation of duties between the security administrator and the auditor. The Guide states, "The separation of powers is necessary because it is the security administrator's job to establish RACF controls, and it is the auditor's function to test the adequacy and effectiveness of these controls. " Service Center officials stated that RACF security administrator and RACF auditor functions were performed by the same individual because of the limited number of staff assigned to the group responsible for monitoring security. They further stated that the Service Center had a limited number of individuals who had expertise in the area of RACF administration, The control over the RACF security administrator function is lost because there was no systematic monitoring of this powerful function. Therefore, the risk exists for accidental or intentional unauthorized actions that could disrupt information system operations and threaten the integrity of the sensitive information. Recommendation: We recommend that the Director, Administrative Service Center, evaluate the staffing requirements of the group responsible for monitoring security to ensure the separation of duties within RACF. 23 APPENDIX 1 Page 17 of 20 MAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY Condition: Mainframe access given to users as assigned in RACF was not always supported by a formal request or was not recorded in the Service Center's Decentralized Security Administration Facility. Criteria: The Service Center's policy is for formal authorization requests to be obtained from the designated security point of contact before users are permitted to access sensitive data on the mainframe computer. In addition, the point of contact can orally notify the Service Center for adjustments to the users' access requirements. Also, generally accepted industry standards recommend that reconciliations exist between what has been formally requested and what access level was actually granted to ensure that mishandling, alterations, and misunderstandings are reduced. Cause: Orally requested access level adjustments that were approved were not always recorded in the access request system because the Service Center did not always enforce the procedures to record approved access level adjustments. Effect: By not updating Decentralized Security Administration Facility records for adjustments to accesses requested, the system administrator cannot reconcile the formal authorization and the Decentralized Security Administration Facility records with the RACF access levels assigned to users and thus ensure that access is assigned at the appropriate level. Recommendation: We recommend that the Director, Administrative Service Center, document and implement procedures to ensure that Decentralized Security Administration Facility records are updated for oral access adjustments to allow for the reconciliation of access requested with access allowed. 24 APPENDIX 1 Page 18 of 20 MAINFRAME COMPUTER PHYSICAL AND LOGICAL SECURITY M. Computer Security Plan/Report Condition: The Service Center had not developed a security plan for fiscal year 1996 Criteria: The Computer Security Act of 1987 requires that all agencies improve the security and privacy of sensitive information in Federal computer systems. Specifically, the Act requires that security plans be developed for all sensitive computer systems. A computer security plan is designed to assist agencies in addressing the protection of general support systems and major applications that contain sensitive information to help ensure the system's integrity, availability, and confidentiality. In addition, Office of Management and Budget Circular A-130, Appendix III, states that agencies without adequate security plans should consider classifying this as a material weakness in their annual Federal Managers' Financial Integrity Act report to the Congress. Cause: A computer security plan was not prepared for fiscal year 1996 because of limited staffing in the group responsible for monitoring security. Effect: Without this plan, the Service Center did not have adequate assurance that data in its sensitive systems were adequately protected. In addition, the Service Center had a material weakness, which should be reported in its annual Federal Managers' Financial Integrity Act report to the Congress. Recommendation: We recommend that the Director, Administrative Service Center, provide resources to ensure the development of a computer security plan for the sensitive systems in accordance with the Computer Security Act and Circular A-130, Appendix III. 25 APPENDIX 1 Page 19 of 20 CONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY N. Continuity of Operations Plan Condition: Criteria: Cause: Effect: The Service Center's Continuity of Operations Plan (dated December 28,1995) did not address recovery of one of the sensitive systems, the FFS; the LAN; and critical telecommunications links. Also, the Plan had not been updated to reflect all tests of the Plan completed in 1996. Additionally, the risk analysis, upon which the Plan is to be based, had not been updated since July 1990. Office of Management and Budget Circular A- 130 requires agencies to establish a comprehensive contingency plan and periodically test the capability to perform the agency function supported by the application, as well as critical telecommunications links, in the event of a disaster or system failure. In order to accurately and successfully test the disaster recovery capabilities, the disaster recovery plans need to be updated as changes occur. In addition, the Circular states that "manual procedures are generally NOT [emphasis in original] a viable back-up option." Service Center officials said that update of the risk analysis and continuity of operations plan had low priorities. In addition, Service Center officials stated that the FFS application was not included in the Plan as a result of Service Center clients agreeing that FFS services could be delayed for 30 days because processing could be performed manually. However, we found no documentation of such agreements. If the Continuity of Operations Plan is incorrect (such as by not including all sensitive systems) or is outdated, personnel required to perform the disaster recovery procedures may not be able to recover critical systems in the event of a disaster or system failure. Recommendations: We recommend that the Director, Administrative Service Center: 1. Perform a risk analysis of the Service Center's computer center and its applications. 2. Update the existing Continuity of Operations Plan for the mainframe, sensitive applications, and telecommunications links so that the current operating environment is documented. 26 APPENDIX 1 Page 20 of 20 CONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY Condition: Criteria: Cause: Effect: No comprehensive business recovery plan had been developed for the Service Center. The only plan in existence at the Service Center was the Continuity of Operations Plan, which addressed only the recovery of the systems environment. The Plan did not address business and user operations that need to be in effect for the Service Center to support its clients in the event of a disaster or system failure. Of&e of Management and Budget Circular A-l 30 requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. In addition, generally accepted information systems standards recognize that a comprehensive business recovery plan is necessary to ensure the timely recovery of all business functions and of the systems environment, both of which are critical for day-to-day operations, and to minimize down time. The Service Center's emphasis was on the restoration of the mainframe environment rather than on the recovery of business operations. If a disaster or system failure occurs, the Service Center may not be able to recover all business functions and systems necessary for the continued long-term operations of the organization. Recommendation: We recommend that the Director, Administrative Service Center, develop a comprehensive business recovery plan, which includes procedures for its business functions. 27 APPENDIX 2 Page 1 of 26 United States Department of the Interior BUREAU OF RECLAMATION Washington. D.C. 20240 IS REPLYREFERTO D-5010 ADM-8.00 MEMORANDUM To: Office of Inspector General Attention: Acting Assistant Inspector General for Audits - From: Subject: Draft Audit Report on Mainframe Computer Policies and Procedures The Bureau of Reclamation appreciates the opportunity to comment on the subject report. Reclamation concurs or has complied with 23 of the 24 of the audit recommendations and we fully recognize the importance of computer security and that our policies and procedures can be improved. However, we believe the Administrative Service Center (ASC) has in place an adequate security program and are concerned with certain aspects of the report as outlined below. The report identified physical security as a weakness, We believe extensive physical security measures are in place at the ASC. The computer and related hardware (such as mainframe computer, direct access storage devices, tape devices, telecommunications equipment, large volume printers, etc.) are located in a locked computer room controlled for authorized access only. In addition, the computer room is located in a secure building where all outside doors are locked and require an individual access card for authorized entry. ASC security also includes on- site armed guard service 24 hours a day, 7 days a week. Following the Oklahoma City bombing, the Justice Department was directed by the President to conduct a Vulnerability Assessment of Federal Facilities. This assessment recognized five levels of security for Federal facilities based upon perceived threat and established security standards for each of the live levels. Based on this criteria, the ASC was deemed a Level III facility. The GSA participated in a review of ASC security and concluded the ASC exceeded Level III security requirements. The audit report identified areas to reduce security risks and recommended specific actions to reduce those risks. Both OMB Circulars A-123 and A-130 recognize cost as an important consideration and require that agencies implement cost effective management and internal controls. For instance, OMB Circular A-130 recognizes both risk and cost in addressing "adequate security." Yet, discussions with the auditors confirmed that cost was not considered in recommending these specific actions to reduce risk. 28 APPENDIX 2 Page 2 of 26 2 The audit report referred to "generally accepted industry and information systems standards" and reported the ASC as noncompliant in several instances. Discussions with the auditors confirmed that a conclusive set of these "standards" was not available and the auditors were not aware as to whether these "standards" had ever been issued as official Government-wide policy. The Department of the Interior's Office of Information Resources Management likewise advised that they were unaware of these "standards" and their applicability to Interior organizations. Again, we appreciate the opportunity to comment on the subject report. Attached are our specific comments for each recommendation. If you have any questions or require additional information, please contact Luis Maez at (303) 236-3289, extension 245. Attachment cc: Assistant Secretary - Water and Science, Attention: Margaret Carpenter (w/attachment) 29 APPENDIX 2 Page 3 of 26 COMPUTER CENTER MANAGEMENT AND OPERATIONS A. Background Clearances Condition: Critical contractor personnel, such as the RACF administrator and software management personnel, did not have documented clearances. Criteria: to establish and manage personnel security policies, standards, and procedures that include requirements for screening individuals who: (1) participate in the design, development, operation, or maintenance of sensitive applications or (2) have access to sensitive data. Cause: While Federal employees are required to have background clearances, the Service Center did not apply this requirement to contractors. Effect: Without proper personnel screening, managers had limited knowledge of the suitability of contractor personnel, from a security standpoint, for their respective jobs. Without this assurance, the risk is increased for the Service Center's sensitive systems to be compromised. Recommendation We recommend that the Director, Administrative Service Center, require all contractor employees to have the proper background clearances. Response Complied. All ADP contractor employees, including RACF administrators and systems software management personnel, are required to have background clearances. The Statement of Work for the GSA T&Part Contract (which ADP Services Division uses) contained a Level 3, critical-sensitive requirement, but this provision was not previously enforced. Also, at our request, the Colorado Bureau of Investigation has completed background investigations on all ADP contractor personnel. This is also a continuing requirement for all new-hire contractor personnel. 30 APPENDIX 2 Page 4 of 26 LAN PROTECTION B. LAN Monitoring Condition: Four file servers at the Service Center had minimal lockout settings. For example, current lockout procedures provide for only a I5-minute lockout after three or four unsuccessful log-in attempts We believe that these lockout settings would not adequately identify unauthorized access. The NetWare operating system software supports an "intruder detection/lockout feature," which aids in the prevention of unauthorized access to the system. The system will suspend a user account when a predefined number ofunsuccessM access attempts occurs in a predetermined amount of time. The time that an account is suspended may also be defined. Criteria: The Privacy Act of 1974 and the Computer Security Act of 1987 require implementation of minimally acceptable security practices for improving the security and privacy of sensitive information in Federal computer systems. Office of Management and Budget Circular A-130 requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Also, the Circular requires agencies to ensure that appropriate safeguards exist in general support systems (for example, LANs and the data processing center, including the operating system and utilities). In addition, industry standards recommend a lockout period of 7 days. Cause: Reclamation's LAN standards. IIowever, the Bureau's LAN implementation guidelines recognize that the minimum settings for intruder lockout parameters may be unacceptable to many offices. We believe, given the sensitivity of data at the Service Center, that minimum settings are unacceptable to ensure protection from unauthorized access to sensitive data. Effect: The minimum level of security set for the LAN increases the risk that unauthorized access to the Service Center's LAN resources will not be detected timely. Recommendation We recommend that the Director, Administrative Service Center, enhance the intruder detection settings above the Bureau of Reclamation's policy to suspend a user account, after unsuccessful access attempts, for a period of time long enough to ensure that the user will have to contact an administrator to have the user ID reset. For example, the user ID could be suspended for 24 hours after three incorrect attempts occurred in a 24-hour period. 2 31 APPENDIX 2 Page 5 of 26 LAN PROTECTION Response Concur with intent. Although lockout settings already meet Reclamation LAN standards, we are willing to consider additional security enhancements as deemed appropriate. An evaluation will be made to determine if the settings should be changed. This evaluation is scheduled to be completed by June 30, 1997. The responsible official is the Chief, ADP Services Division. 3 32 APPENDIX 2 Page 6 of 26 LAN PROTECTION C. LAN Disaster Recovery Plan Condition: Criteria: Cause: Effect: The Service Center did not have a documented disaster recovery plan for its LAN. This weakness was identified in a March 1994 Office of Inspector General audit risk analysis (the first step in developing a disaster recovery plan) on its LAN. Office of Management and Budget Circular A-130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. Specifically, agencies should establish a contingency plan and periodically test the capability of the plan to perform the f?mction in the event that its automated systems fail. Because no risk analysis has been performed on the LAN, no disaster recovery plan -has been developed by the Service Center. The lack of a disaster recovery plan increases the risk that offices will not be able to resume processing on a timely basis after a disaster occurs. Recommendation We recommend that the Director, Administrative Service Center, develop and periodicahy update a disaster recovery plan for the LAN. .` Response Concur. A risk analysis of the ASC LAN environment will be completed by September 30, 1997. The risk analysis will provide the basis for development of a LAN Disaster Recovery Plan which is targeted for completion by March 3 1, 1998. The responsible official is the Chief, ADP Services Division. 4 33 APPENDIX 2 Page 7 of 26 LAN PROTECTION D. User Access Control Condition: The security settings that provide access to the file servers were not controlled. We identified weaknesses in the way user profiles had been established. In NetWare, established user profiles superseded the ftle server default restrictions. As such, some users had a required password change interval greater than 90 days, had concurrent multiple or unlimited connections, and were not required to use unique passwords. In addition, the "SECURE CONSOLE" command was not used on any of the file servers we reviewed. The "SECURE CONSOLE" command is designed to prevent users from gaining access to the file server console by removing DOS from the system memory when the operating system is powered down. Also, the "SET ALLOW UNENCRYPTED PASSWORD = ON" was found on two of the file servers reviewed. This designation allows passwords to be UNENCRYPTED, thereby increasing the risk for passwords to be obtained and used by unauthorized users. Criteria: Office of Management and Budget Circular A- 130, Appendix III, requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. It also requires agencies to implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. The Circular further defines "adequate security" as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. " Cause: Service Center procedures were not followed or were not in place to ensure that controls were adequate to safeguard the LANs. Effect: The minimum security settings for the Service Center's LAN increase the risk for unauthorized access to network systems, which could result in the loss of data and in unauthorized individuals gaining access to sensitive data files through DOS by bringing down the file server. 5 34 APPENDIX 2 Page 8 of 26 LAN PROTECTION Recommendations We recommend that the Director, Administrative Service Center: 1. Ensure that LAN security and password features are implemented, which will require all users to change passwords every 90 days; enforce unique password use; and limit concurrent multiple or unlimited connections to one per user and grant additional connections on an as-needed basis. Response Complied. The password change interval has been changed to 90 days or less on all servers. Unique passwords are now required for all individual users. Concurrent multiple connection authority has been removed from all accounts with the exception of those where a demonstrated need. exists. Requests for multiple .concurrent connections now require completion of an ASC-14 Computer Security Access Request Form with appropriate supervisory authorization. 2. Include the "SECURE CONSOLE" command in the AUTOEXEC.NCF file on all file servers to prevent users from gaining access to the system files in DOS mode. . `, Response Complied. A procedure to secure the console on all ASC file servers was implemented in August 1996. The "LOAD MONITOR" command with the "lock" option was included in the AUTOEXEC.NCF file in January 1997. 3. Ensure that the command "SET ALLOW UNENCRYPTED PASSWORD=ON" is not present in the AUTOEXEC.NCF file. Response Concur. The "SET ALLOW UNENCRYPTED PASSWORD=ON" command cannot be set at this time. Certain versions of the NETWARE "NETX" client requestor are present on some ASC workstations that are not compliant with the encrypted password feature. When the migration to Netware 4. lx NDS (Novell Directory Services) is completed at the ASC and all client workstations have been migrated to Netware VLMs, this command will be invoked on all file servers. Migration to NDS will be completed as part of a Reclamation-wide effort. Although unencrypted passwords are accepted at this time, the vast majority of passwords processed by ASC file servers are currently encrypted. Target date for completion is March 3 1, 1998. The responsible official is the Chief, ADP Services Division. 6 35 APPENDIX 2 Page 9 of 26 FFS APPLICATION - E. Access Security Controls Condition: FFS security access controls were not adequate. We identified 15 users. who were Service Center employees. who could update and modify the application vendor table of one of the Service Center's clients, as well as initiate disbursement documents. This access could result in the vendor table being changed and in an unauthorized disbursing document being entered. Criteria: Office of Management and Budget Circular A-l30, Appendix III, requires that security controls for personnel include such controls as individual accountability, "least privileged," and separation of duties. "Least privileged" is the practice of restricting users' access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, or delete) to the minimum necessary for the users to perform their jobs. Separation of duties is the practice of dividing the steps in a critical function among different individuals. Cause: Although the Service Center provided payment services to its client, the Service Center had not ensured that security controls in the FFS application prevented unauthorized payments. Effect: Without the applicable security access controls, the risk is increased for unauthorized payments to be disbursed. Recommendation We recommend that the Director, Administrative Service Center. coordinate with the client to limit Service Center users' access to the "least privileged" in the FFS application; that is, assurance should be provided that any user authorized to enter or change the vendor table does not also have access to disbursing documents. Response Complied. As requested by the ASC, the client has changed FFS security such that no employees have access to both the vendor tables and disbursement fimction. It should be noted that this condition was confined strictly to the transfer of a client's administrative payments function and related employees to the ASC in May 1996. The client is responsible for managing and controlling FFS access for this payments function. In other words, the ASC cannot initiate or change FFS access for employees performing this client's payments. Also, it should be noted that discussions with the auditors confirmed that no unauthorized disbursements were found. 7 36 APPENDIX 2 Page 10 of 26 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY F. Physical Security Condition: Although access to the Service Center facilities was controlled, the Service Center could not identify all individuals who had card key access to the computer rooms, which house the mainframe and LAN. In addition, some Service Center visitors (for example, maintenance personnel, janitorial staff, and vendors) were not monitored when they were inside the computer room. Criteria: The Department of the Interior Automated Information System Handbook, when addressing the control for personnel access to computer facilities, states, "Access by visitors, equipment personnel, and other individuals not directly involved with managing or operating a sensitive automated information system installation will be controlled by individual authorization." The Handbook further states that it is recognized that different procedures and restrictions will be required for various categories of visitors but that all access by other than assigned personnel will be monitored. Cause: The Service Center's informal procedures provided for vendors, as well as for the building management company, to be issued card keys to these sensitive areas without identifying the individuals receiving the cards and without requiring formal access request forms. Also, current practices allow certain visitors to be unmonitored when they are in the sensitive areas. Effect: The Service Center cannot specifically identify all those individuals who have access to and/or are accessing the computer rooms. Furthermore, by not monitoring all visitors, the risk is increased for the Service Center's sensitive data and resources to be stolen or destroyed. Recommendations We recommend that the Director, Administrative Service Center: instituted for vendors in addition to contractors and Federal employees. Response Complied. Procedures for the issuance of card keys for vendors, contractors, and Federal employees have been documented. As evidenced by this recommendation,and Recommendation 3 (below), we believe this condition should have been more 8 37 APPENDIX 2 Page 11 of 26 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY appropriately stated as a currency of documentation issue. Two levels of security control must be passed before entry into the computer room. As concluded by GSA, ASC's physical security exceeds security standards for a Level III Federal facility. Although the ASC has always had a strong physical security emphasis and program in place, it was recently enhanced with implementation of a picture identification card system that is now compatible with the Bureau of Reclamation system for Building 67 at the Denver Federal Center. 2. Evaluate the need for individuals outside of the ADP Services Division to be issued permanent card keys because such access should be limited to those individuals performing their day-to-day duties. Response Complied. The evaluation was completed by the ADP Services.Di4sion and the Management Services Division in February 1997. Permanent card keys are issued to just those individuals deemed appropriate. 3. Document procedures to ensure the Service Center's compliance with the Department of the Interior Automated Information Systems Handbook regarding visitor (such as maintenance personnel, janitorial staff, and vendors) monitoring. .: Response Complied. Procedures for monitoring visitor access to the computer room have been documented by the Management Services Division in compliance with the Department of the Interior's Automated Information Systems Handbook. 9 38 APPENDIX 2 Page 12 of 26 MAINFRAME SYSTEM PHYSICAL AND LOGICAL SECURITY G. Password Settings Condition: In RACF, general client user passwords for access to the mainframe were not prompted for change until after 180 days, and user ID codes were not automatically revoked until 180 days of inactivity. Criteria: The Department of the Interior Automated Information Systems Security Handbook recommends that passwords be changed every 90 days. Also. generally accepted industry standards indicate that password change intervals should be fi-om 60 to 90 days for users who do not have sensitive privileges and every 30 days for users who do have sensitive privileges because passwords may be guessed. copied, overheard, or recorded and played back. Cause: To make access to the mainframe applications more convenient for Service Center clients who use the mainframe applications only occasionally, notably theSF=52 System users, the Service Center increased the password interval to 180 days in 1994 after receiving approval from the Bureau of Reclamation's Security Administrator. However, this approval recommended that the Service Center change the password parameters, such as requiring a numeric or special character as part of the password, set in RACF security software. Service Center officials stated that the `180-day inrerval was acceptable because of security available within the mainframe applications. However, not all of the mainframe applications have access security. Effect: The current password settings reduce the effectiveness of the password as a control, thereby increasing the risk for unauthorized access to sensitive information through password disclosure. Recommendations We recommend that the Director. Administrative Service Center: 1. Evaluate the feasibility of setting the parameters in RACF security software to require,one numeric or special character as part of the password, as recommended by the Bureau of Reclamation's Security Administrator. Response Concur. An evaluation of using one numeric or special character as part of the ASC standard password will be completed by September 30, 1997. The responsible offtcial is the Chief, ADP Services Division. 10 39 APPENDIX 2 Page 13 of 26 MAINFRAME SYSTEM PHY-SICAL AND LOGICAL SECURITY 2. Reevaluate Which type of security encompasses the protection of voice and data networking?Definition: Cyber security or information technology security are the techniques of protecting computers, networks, programs and data from unauthorized access or attacks that are aimed for exploitation.
What was the name of the first widely recognized published document that identified the roles of management and policy issues in computer security?RR609 was the first widly recognized published document to identify the role of management and policy issues in computer security. Who decides how and when data in an organization will be used and or controlled?
What of information is the quality or state of being genuine or original?Authenticity: Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred.
Which is data that has been organized structured and presented to provide additional insight into its context worth and usefulness?Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called information.
|