HUD Information Resources: Strategic Focus and Improved Management
Controls Needed (Chapter Report, 04/14/94, GAO/AIMD-94-34).
The Department of Housing and Urban Development (HUD) continues to be
plagued by poorly integrated, ineffective, and unreliable information
systems that neither satisfy management needs nor provide adequate
control. It will take years to fully resolve these problems. This
situation exists because HUD's information management resources have not
been planned and managed to meet the Department's missions and strategic
objectives. In addition, HUD has not established adequate security for
its computers that process sensitive and privacy data and lacks
contingency plans for data processing in the event of a major disruption
or disaster. Finally, HUD's efforts to develop and implement integrated
financial systems have been impeded by ineffective planning and
management oversight. HUD's recent commitment to strategic planning and
its initial steps to address strategic planning represent the first
substantive actions taken since GAO reported on the absence of strategic
information resources planning a decade ago.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-94-34
TITLE: HUD Information Resources: Strategic Focus and Improved
Management Controls Needed
DATE: 04/14/94
SUBJECT: Management information systems
Computer security
Internal controls
Agency missions
Financial management systems
Information resources management
Strategic information systems planning
Proprietary data
Information systems analysis
Systems architecture
IDENTIFIER: HUD Financial Management Systems Strategic Integration Plan
HUD Tenant Rental Assistance Certification System Control
File System
HUD Core Accounting System
HUD Agency Accounting System
HUD Section 8 Rental Assistance Program
HUD Information Resources Management Program
FHA Multifamily National System
HUD Home Equity Conversion Mortgage System
HUD Single Family Accounting Management System
Cover
================================================================ COVER
Report to the Secretary of Housing and Urban Development
April 1994
HUD INFORMATION RESOURCES -
STRATEGIC FOCUS AND IMPROVED
MANAGEMENT CONTROLS NEEDED
GAO/AIMD-94-34
Abbreviations
=============================================================== ABBREV
AIMD - Accounting and Information Management Division
ADP - automated data processing
CFO - Chief Financial Officer
CFS/TRACS - Control Files Subsystem/Tenant Rental Assistance
  Certification System
FHA - Federal Housing Administration
FMFIA - Federal Managers' Financial Integrity Act
GAO - General Accounting Office
HECM - Housing Equity Conversion Mortgage System
HUD - Housing and Urban Development
IPS - Information Policies and Systems
IRM - information resources management
ISP - information strategy planning
JFMIP - Joint Financial Management Improvement Program
MNS - Multifamily National System
OMB - Office of Management and Budget
SAMS - Single Family Accounting Management System
SGL - Standard General Ledger
Letter
=============================================================== LETTER
B-254783
April 14, 1994
The Honorable Henry Cisneros
The Secretary of Housing
and Urban Development
Dear Mr. Secretary:
This report presents the results of our evaluation of the
Department's information resources management program. This work was
conducted under our legislative authority to evaluate federal
agencies and programs.
This report contains recommendations to you in chapter 5. As you
know, 31 U.S.C. 720 requires the head of a federal agency to submit
a written statement of actions taken on our recommendations to the
Senate Committee on Governmental Affairs and the House Committee on
Government Operations not later than 60 days after the date of this
letter. A written statement must also be submitted to the House and
Senate Committees on Appropriations with the agency's first request
for appropriations made more than 60 days after the date of this
letter. We would appreciate receiving copies of these statements.
We are providing copies of this report to interested Members of
Congress, executive branch agencies, and the public. We will also
make copies available to others upon request.
Please call me at (202) 512-6253 if you or your staff have any
questions concerning the report. Other major contributors to this
report are listed in appendix II.
Sincerely yours,
Joel C. Willemssen
Director, Information Resources
Management/Resources, Community,
and Economic Development
EXECUTIVE SUMMARY
============================================================ Chapter 0
PURPOSE
---------------------------------------------------------- Chapter 0:1
The Department of Housing and Urban Development (HUD) relies on
information systems to help it administer federal housing programs,
enforce fair housing, and improve the nation's communities. As part
of the effort to update its 1984 general management review of HUD,
GAO assessed the effectiveness of HUD's information resources
management (IRM) program and its actions to address information
systems weaknesses.
To do this, GAO focused on determining whether the Department's (1)
IRM planning and data management support critical departmentwide
missions and strategic objectives; (2) computer security program
protects sensitive systems and critical operations; and (3) efforts
to integrate and strengthen financial management systems are
effectively planned and managed.
BACKGROUND
---------------------------------------------------------- Chapter 0:2
HUD relies on information systems to administer insured loans,
guarantees, and other programs valued at over $1 trillion; housing
subsidy programs that serve millions of families; and community
development grants to virtually every state and city in the country.
The Office of Information Policies and Systems (IPS), under the
Assistant Secretary for Administration, manages HUD's IRM resources.
In 1984 GAO reported that HUD suffered from fundamental management
weaknesses and lacked effective processes to plan and control its
financial and IRM resources. In 1989 HUD's highly publicized
scandals were attributed, in large part, to inadequacies in
departmental information and financial management systems;
inadequacies that prevented HUD from effectively overseeing and
managing its programs and resources.
RESULTS IN BRIEF
---------------------------------------------------------- Chapter 0:3
HUD continues to be plagued by poorly integrated, ineffective, and
generally unreliable information systems that do not satisfy
management needs or provide adequate control. HUD is taking action
to correct these IRM problems. However, it will take a number of
years to fully resolve them.
This situation exists because historically HUD's IRM resources have
not been planned and managed to meet the Department's missions and
strategic objectives. As a result, HUD's IRM plans are not based on
strategic business plans that identify what senior executives expect
to accomplish and what strategies, processes, resources, and
information are needed to achieve departmental missions and
objectives. HUD also lacks a departmentwide information architecture
that provides a standard framework to govern the management and use
of information and IRM resources, and a data management program to
ensure that departmentwide systems provide program managers with the
information they need to effectively accomplish their missions.
In addition, HUD has not established adequate security controls for
its computer systems that process sensitive and privacy data, and has
not provided for the recovery and continued processing of critical
systems in the event of a major disruption or disaster. These
computer security weaknesses pose serious risks to the integrity of
computer systems, the sensitive data they contain, and the critical
operations they support. Finally, HUD's effort to develop and
implement integrated financial systems has been impeded by
ineffective planning and management oversight.
The Secretary's commitment to strategic planning and HUD's early
steps to address strategic planning represent the first substantive
actions since GAO reported on the absence of strategic IRM planning a
decade ago. Senior HUD officials have also initiated actions and
plans to address the Department's data management, computer security,
and financial systems integration weaknesses. Full implementation of
these actions and plans can help resolve HUD's long-standing IRM
problems.
PRINCIPAL FINDINGS
---------------------------------------------------------- Chapter 0:4
INADEQUATE FOCUS ON STRATEGIC BUSINESS OBJECTIVES AND
DEPARTMENTWIDE DATA MANAGEMENT
-------------------------------------------------------- Chapter 0:4.1
Although an IRM plan for the Department has been prepared, it is not
based on a strategic business plan because HUD does not have a
business planning process to establish strategic objectives and
determine the resources and information needed to achieve them.
Instead, IRM plans are prepared by IPS staff, based on input from
program managers and staff. Consequently, the Department's IRM
resources are not focused on achieving strategic mission objectives
and HUD continues to experience information shortfalls and inadequate
information systems. For example, in December 1992, the Secretary
reported substantial deficiencies in 98 information systems,
including 15 that do not adequately support mission requirements.
Also, without strategic business and IRM planning, HUD does not have
a sound basis for developing a departmentwide information
architecture--a standard framework for guiding the management and use
of data and IRM resources to accomplish HUD missions and objectives.
In addition, despite stressing the need to use common, integrated
data to support its many operations, HUD has not fully instituted a
departmentwide data management program to achieve this goal. For
example, critical data management standards such as common data
elements and data definitions were not established for HUD's first
two integrated financial systems projects--the Control Files
Subsystem/Tenant Rental Assistance Certification System (CFS/TRACS)
and the Core Accounting System. As a result, progress was slowed on
both these high priority integration projects and additional
resources were required to correct data problems in the development
of CFS/TRACS.
INADEQUATE PROTECTION OF SENSITIVE AND CRITICAL SYSTEMS
-------------------------------------------------------- Chapter 0:4.2
HUD has not taken the required steps to ensure proper security over
sensitive computer systems and data. Despite requirements
established by the Computer Security Act, the Office of Management
and Budget, and its own policy, HUD has not
- identified all of its computer systems that process sensitive or
  privacy data or prepared up-to-date and accurate security plans
  for these systems;
- established effective controls to prevent unauthorized individuals
  from accessing data contained in the Department's most sensitive
  computer systems;
- ensured that required background investigations have been completed
  on the hundreds of HUD and contractor personnel who operate,
  manage, maintain, or use the computer systems; or
- performed adequate computer security monitoring and training to
  ensure that sensitive computer data are properly controlled and
  safeguarded.
In addition, HUD has not fully developed and tested contingency plans
for (1) any of the 39 information systems it has determined to be
critical to its missions, or (2) the three computer installations GAO
visited, the nationwide telecommunications network, local area
networks, or microcomputers that are used to process or handle
critical information. As a result, HUD faces unnecessarily high
risks that its missions will be seriously impaired should a disaster
or major disruption occur.
Despite this, HUD has not reported the lack of contingency plans as a
material internal control weakness under the Federal Managers'
Financial Integrity Act. The IPS Director agrees that these computer
security and contingency planning problems are serious and he is
taking actions to strengthen computer security controls and develop
contingency plans.
INEFFECTIVE MANAGEMENT AND OVERSIGHT OF THE FINANCIAL SYSTEMS
INTEGRATION EFFORT
-------------------------------------------------------- Chapter 0:4.3
Although there is a pressing need to correct long-standing financial
systems weaknesses, HUD until recently has not provided effective
oversight of its high-priority effort to integrate financial
management systems. For example, a lack of effective planning and
coordination for two system projects led to duplication of functions
between the systems. In addition, individual integration projects
have not been well managed. For instance, software has been deployed
before adequate testing; in one case this introduced a large number
of errors into a pilot region's database. In addition, HUD has not
developed a plan to guide the transition from its many stand-alone
financial systems to the new, fully integrated systems environment.
These problems resulted from inadequate project management and
oversight. Specifically, HUD management did not
- obtain agreement on direction, goals, standards, and strategies
  before implementing the integration effort;
- clearly define project responsibilities; and
- establish a mechanism to ensure sufficient coordination between
  projects.
RECOMMENDATIONS
---------------------------------------------------------- Chapter 0:5
GAO recommends that the Secretary
- develop strategic business and IRM planning processes that are
  clearly linked to each other; develop an information
  architecture to govern the development, deployment, and use of
  IRM resources; and establish a data management program to
  support integrated or departmentwide systems;
- establish effective security controls to protect all sensitive
  computer systems and eliminate current weaknesses, develop and
  test contingency plans for all critical systems, and report the
  lack of contingency plans as a material internal control
  weakness under the Federal Managers' Financial Integrity Act;
  and
- establish and maintain clear lines of authority over the financial
  management systems integration effort, a detailed plan to
  transition from the existing systems environment, and a
  monitoring mechanism so significant problems can be brought to
  the attention of senior managers.
AGENCY COMMENTS
---------------------------------------------------------- Chapter 0:6
In commenting on a draft of this report, senior Department officials,
including the Assistant Secretary for Administration and Chief
Financial Officer, said they agreed with the need to correct IRM
deficiencies and identified actions underway or planned to address
GAO's recommendations. They said, however, they were concerned that
the draft report did not fully recognize and give credit to HUD for
the actions it has underway.
With respect to strategic planning, they agreed that HUD's IRM
planning has been hindered by the lack of strategic business
planning. The officials said the Secretary is committed to
developing a strategic business plan. HUD also issued departmentwide
data administration standards and financial systems integration
standards in November 1993, acquired computer software to develop a
data dictionary, and initiated a reorganization to elevate attention
to data administration.
The officials also agreed that HUD needs to do more to comply with
federal computer security requirements and noted several actions
being taken to better ensure the protection of sensitive data and
systems. HUD has asked its offices to prepare updated security plans
for their sensitive computer systems, expects to have security
software for mainframe computers replaced during the spring of 1994
and expects to have completed and tested contingency plans in place
by August 1994. In addition, HUD is seeking contractor assistance to
strengthen security monitoring and is considering ways to improve the
background investigation process.
Finally, the officials agreed that the Department had not effectively
managed its financial systems integration effort. They said HUD has
taken action to obtain agreement on the effort's direction and goals,
define responsibilities, and establish an oversight and coordination
mechanism. The officials questioned the need for a high-level
transition plan, stating that HUD plans to have each project team
include a transition plan as part of its detailed project work plan.
GAO believes that HUD's efforts to embark upon strategic business and
IRM planning and establish departmentwide data management and
financial systems integration standards are significant and represent
initial progress toward strengthening its IRM program. HUD's actions
to strengthen computer security and develop contingency plans are
encouraging and are needed to bring the Department into compliance
with federal and departmental computer security requirements. HUD
must successfully complete these actions, however, to reduce the
risks to its sensitive and critical systems and data.
GAO also agrees that HUD has clarified responsibilities and
strengthened oversight and accountability of the financial systems
integration effort. The sustained oversight by and commitment of
senior management must continue throughout the integration effort to
ensure that the Department's goals are met. In addition, to ensure
the success of large-scale modernizations, such as HUD's financial
systems integration effort, we believe that a detailed plan is needed
to manage the transition activities of concurrent systems development
and implementation efforts.
INTRODUCTION
============================================================ Chapter 1
HUD delivers a wide array of programs and services to millions of
Americans. The Department underwrites mortgage insurance for
single-family and multi-family homes and home improvements. It also
provides loans, grants, subsidies, and other types of assistance to
public and Indian housing authorities and state and local governments
for housing and community development, and carries out initiatives to
ensure compliance with the nation's fair housing regulations.
HUD has broad financial management responsibilities that are
associated with these programs--$379 billion in insurance-in-force
and about $14 billion in property and other assets related to the
Federal Housing Administration (FHA) fund; $422 billion in the
Government National Mortgage Association's mortgage-backed
securities; $731 billion in potential risk exposure at the Federal
National Mortgage Association and Federal Home Loan Mortgage
Corporation; $100 billion in long-term housing subsidy commitments;
and billions in outstanding grant commitments. HUD carries out its
broad responsibilities using about 13,500 staff in 16 main offices at
headquarters, 10 regional offices, and 71 field offices. The
Department's fiscal year 1993 budget was $25.2 billion.
Like many federal agencies, HUD relies on information and IRM
resources to help carry out its missions. HUD manages these
resources centrally through the Assistant Secretary for
Administration, who is the designated Senior IRM Official. All
operational responsibilities for IRM have been delegated to the
Office of Information Policies and Systems (IPS). The IPS Director
has primary responsibility for HUD's IRM policy, oversight, planning,
and operations. IPS has several offices, such as the Data
Administration Branch, which assists with technical issues related to
data administration, and the Automated Data Processing (ADP) Security
Office, which is responsible for the general oversight of HUD's
computer security program.
The Department uses a three-tiered systems architecture. This
architecture includes (1) microcomputers that serve as
multifunctional workstations in offices, (2) local area networks that
link office workstations, and (3) mainframe computer systems.
Headquarters and field office workstations are linked to mainframe
computer installations and other offices through HUD's national
telecommunications network. The Department's information technology
budget for fiscal year 1993 was $119.7 million.
LONG-STANDING INFORMATION SYSTEMS PROBLEMS AND ACTIONS TO IMPROVE
---------------------------------------------------------- Chapter 1:1
A decade ago, we reported that HUD lacked adequate information and
financial management systems necessary to ensure accountability for,
and control over, departmental programs.\1 In 1989 HUD's highly
publicized scandals were attributed, in large part, to fundamental
deficiencies in the Department's information and financial systems.
In particular, HUD's systems lacked credibility, were not responsive
to management needs, and did not provide adequate control. As we
describe later in this report, HUD's long-standing information and
financial management systems problems remain unresolved.
To address fundamental deficiencies in the Department's information
and financial systems, the Secretary initiated a number of actions
following the HUD scandals. For instance, after a Chief Financial
Officer (CFO) was appointed to oversee the Department's financial
affairs, HUD adopted the Financial Management Systems Strategic
Integration Plan and began implementing it throughout the Department
in November 1991. This high-priority, $100 million plan focused on
replacing about 100 different automated systems with 9 fully
integrated systems over a 7-year period.
Two of these integrated systems projects were underway at the time of
our review, the Control Files Subsystem/Tenant Rental Assistance
Certification System (CFS/TRACS) and the Core Accounting System. The
Secretary directed the development of CFS/TRACS in March 1991 to
correct long-standing problems in the Section 8 subsidy payment
process.\2 These problems had led to millions of dollars in incorrect
or misdirected subsidy payments, and prevented the Department from
accurately determining program funding needs.
The Core Accounting System, now designated the Agency Accounting
System, was being developed to eliminate problems with inconsistent
accounting systems and data and serve as the central accounting
system for all program areas. The system was expected to provide the
capability for capturing, recording, controlling, and summarizing the
financial results of operations for all program areas and provide the
framework for sharing standard accounting information throughout the
Department. HUD also began planning a third integration project, the
Mortgage Insurance System, to improve the Department's capabilities
in planning, administering, and evaluating mortgage insurance
operations and activities.
Generally, the goals and objectives of the integration plan are to
strengthen financial management controls, correct material
weaknesses, and improve the management of financial information.\3
HUD believes the integrated systems will allow the Department to
perform business functions in an effective manner while maintaining
appropriate financial controls.
In August 1993, the Deputy Secretary announced some steps to
strengthen management oversight, better support program office
requirements, and clarify responsibilities for financial systems
projects. In addition to these efforts, HUD took other actions to
strengthen its IRM program. These actions include the following:
- Establishing an IRM Planning Board to ensure direct participation
  by senior HUD executives in establishing departmental policies
  and priorities, and in the allocation and oversight of IRM
  resources. The Assistant Secretary for Administration chairs
  the Board, which is composed of Assistant Secretaries who lead
  the primary headquarters organizations. The Board is supported
  by an IRM working group of senior-level staff who are designated
  by Board members. The working group is the primary vehicle for
  overseeing the Department's IRM resources budget and setting
  priorities for systems projects.
- Selecting a common computer hardware platform and programming
  language and establishing a nationwide telecommunications
  network. HUD's purpose was to provide a flexible and integrated
  approach to providing computing and telecommunications
  capabilities and facilitate the financial management systems
  integration effort. Computer workstation users have the
  capability to communicate with any computer mainframe or
  workstation on HUD's telecommunications network.
- Developing a systems development methodology that is supposed to be
  used departmentwide. The methodology is consistent with federal
  guidelines and industry practices and offers a structured
  approach for solving problems and selecting and using the
  appropriate methods, tools, and techniques.
--------------------
\1 Increasing the Department of Housing and Urban Development's
Effectiveness Through Improved Management, Vol. I, (GAO/RCED-84-9,
Jan. 10, 1984).
\2 The Section 8 Lower Income Rental Assistance Program was
established under legal authority of Section 8 of the U.S. Housing
Act of 1937 (42 U.S.C. 1437f) to assist low and very-low income
families obtain decent, safe, and sanitary rental housing.
\3 Office of Management and Budget (OMB) Circular No. A-127,
Financial Management Systems, July 23, 1993, requires agencies to
establish and maintain a single, integrated financial management
system. HUD's financial systems integration effort was intended to
bring the Department into compliance with this requirement.
OBJECTIVES, SCOPE, AND METHODOLOGY
---------------------------------------------------------- Chapter 1:2
We reviewed HUD's IRM program and its actions to address information
systems weaknesses by determining whether the Department's (1) IRM
planning and data management support critical departmentwide missions
and objectives; (2) computer security program protects sensitive
systems and critical operations; and (3) efforts to integrate and
strengthen its financial management systems are effectively planned
and managed.
To determine whether strategic IRM planning supports HUD missions and
objectives, we reviewed federal laws, regulations, and guidance as
well as HUD policies and procedures on IRM planning. We interviewed
members of the IRM working group as well as planning officials in
headquarters and field offices to ascertain how the planning process
operates and their involvement and responsibilities in the process.
We also reviewed two of HUD's 5-year information resources management
plans and supporting documentation as well as program area management
plans to determine whether IRM planning and departmentwide strategic
mission planning are linked and focused on meeting strategic mission
objectives and satisfying managers' key information needs. In
addition, we interviewed program managers to discuss recent efforts
underway to conduct information strategy planning (ISP).\4
To determine whether departmental data management supports HUD's
missions and objectives, we reviewed HUD's system development and
data management policies. We also interviewed IPS senior managers
and officials responsible for data administration to determine
whether HUD had established a (1) departmentwide information
architecture for governing the management and use of IRM resources,
and (2) data management program to ensure that departmentwide systems
provide program managers with the information they need to accomplish
their missions efficiently and effectively. In addition, we reviewed
consultant studies and interviewed program and field staff to
identify and discuss problems with obtaining, managing, and sharing
computer data.
To assess the adequacy of HUD's computer security program and its
compliance with federal requirements, we examined HUD's plans,
policies, and procedures for protecting sensitive and critical
computer systems, data, and operations. We interviewed program
managers and staff in HUD headquarters and staff in one regional and
two field offices to discuss the adequacy of departmental computer
security controls, monitoring, and training. To review the
effectiveness of security controls over computer systems, we
interviewed HUD officials responsible for departmental computer
security and computer operations, and examined HUD Inspector General
reports as well as consultant studies documenting security reviews
and risk assessments. We inspected three contractor-operated
computer installations where sensitive systems that are critical to
HUD's missions are processed, and interviewed contractor officials
and personnel at the installations to discuss security and
contingency issues. We also inspected HUD's contractor-operated
backup data center and interviewed HUD and contractor officials to
discuss emergency response, backup, and recovery capabilities for the
Department's mainframe systems and data transmissions.
To determine whether the Department's effort to integrate and
strengthen its financial management systems has been effectively
planned and managed, we concentrated on overall project planning,
management, and oversight. We reviewed HUD's Financial Management
Systems Strategic Integration Plan as well as planning and system
development documentation for two projects that were underway. We
interviewed project managers at HUD headquarters and interviewed
contractors' staff and field staff on HUD's implementation and
coordination of the integration effort and obtained their views on
overall project management, planning, and oversight. We also
reviewed internal management reports, consultant studies, individual
project status reports, and external assessments of HUD's overall
integration effort.
We performed our audit from December 1992 through November 1993, in
accordance with generally accepted government auditing standards.
Our work was done primarily at HUD headquarters in Washington, D.C.
We also performed work at HUD's regional office in Philadelphia,
Pennsylvania, and subordinate field offices in Philadelphia and
Baltimore, Maryland; HUD's primary computer installation in Lanham,
Maryland, which hosts most of its important mainframe information
systems; computer installations in Silver Spring and Rockville,
Maryland, which host several of HUD's important mainframe information
systems; and HUD's backup computer installation in Reston, Virginia.
We selected the Philadelphia regional office because it has a
medium-size work load and officials stated that it is a fairly
typical regional operation.
We obtained comments on a draft of this report from HUD officials,
including the Assistant Secretary for Administration and the Chief
Financial Officer. These comments have been incorporated in the
report where appropriate and are discussed in chapter 6.
--------------------
\4 An ISP is a study to determine the strategic opportunities, goals,
critical success factors, and information needs of a specific
business function or entire organization or business enterprise. It
includes determining how new technology might be used to better meet
goals and improve business processes.
STRATEGIC IRM FOCUS AND DATA
MANAGEMENT ARE NOT ADEQUATE TO
MEET DEPARTMENT MISSIONS
============================================================ Chapter 2
HUD continues to be plagued by information shortfalls and inadequate
information systems because its IRM resources are not planned and
managed to meet its missions and strategic objectives. Contrary to
federal guidance, HUD's IRM plan is not based on a business plan that
focuses on the agency's strategic objectives and the approaches
needed to achieve the missions, goals, and objectives. The IPS
Director agreed that HUD's planning process has not been sufficient
to develop a strategic IRM plan. The lack of strategic business and
IRM planning has also prevented HUD from being able to develop a
departmentwide information architecture that would provide a standard
framework to manage and use data and IRM resources. Consequently,
many of HUD's information systems do not adequately support users and
mission needs, a problem we first reported 10 years ago.
In addition, HUD has not established departmentwide data standards
and a data dictionary or fully instituted a data management program.
This has contributed to inconsistent and incomplete data in some
information systems and hindered HUD's efforts to develop integrated
financial systems. Without a data management program, HUD cannot
provide the guidance and direction needed to manage and share
information and provide program managers with the information they
need to effectively accomplish their missions.
HUD's IPS Director agreed that IRM planning has been hindered by the
lack of strategic business planning and said the Secretary has begun
efforts to improve business planning. In addition, the IPS Director
noted that HUD finalized departmentwide data administration standards
(policies and guidelines for developing data standards) and financial
systems integration standards in November 1993 and is also planning
to establish a data management program and data administration
capability and develop a data dictionary.
IRM PLANS NOT BASED ON
STRATEGIC MISSION OBJECTIVES
---------------------------------------------------------- Chapter 2:1
Federal law and regulations require agencies to implement a strategic
IRM planning process that identifies the information and resources
needed to accomplish their missions efficiently and effectively.\1
IRM planning should be based on a strategic business plan that
defines what senior executives expect to accomplish and what
strategies, processes, resources, and information are needed to
achieve the Department's missions and strategic objectives.\2 Both
plans are to be based on top-down processes driven by an agency's
leadership and missions. Together, the strategic business plan and
supporting strategic IRM plan provide the basis for developing a
departmentwide information architecture to guide and control an
agency's investments in IRM resources.
HUD's IRM planning is not based on a strategic business plan because
HUD does not have a strategic business planning process. Instead,
IRM plans are prepared by IPS staff, based on their understanding of
input from program managers and the IRM working group. These IRM
plans are then forwarded to the IRM Planning Board and Deputy
Secretary for approval. Members of the Board's working group stated
that although the Board approves the plans, neither the Board nor its
working group has significant involvement in developing the final
IRM plans. The IPS Director agreed that this process has not been
sufficient to develop a strategic IRM plan, but said it is the best
he can do because HUD does not have a strategic business planning
process. The Director stated that the current Secretary and Deputy
Secretary recognize this problem and have been looking into ways to
resolve it.
The IPS Director and program officials agreed that IRM planning is
hindered by the lack of a business plan, which articulates the
Department's critical missions and strategic objectives. The
Assistant Secretary for Administration, the designated senior IRM
official, expressed similar concerns in a December 1992 report,\3
stating that HUD did not have a departmental planning process and
that planning was decentralized and often performed on an ad-hoc
basis with the budget driving HUD's management agenda, instead of the
management agenda driving the budget.
--------------------
\1 The Paperwork Reduction Act (44 U.S.C. Chapter 35) and OMB
Circular No. A-130, Management of Federal Information Resources,
June 25, 1993.
\2 Strategic Information Resources Management Handbook, U.S. General
Services Administration, October 1987.
\3 Program Challenges for the Future As Articulated by Principal
Staff, U.S. Department of Housing and Urban Development, Office of
Management and Planning, December 1992.
LACK OF STRATEGIC FOCUS
ADVERSELY AFFECTS HUD
OPERATIONS
-------------------------------------------------------- Chapter 2:1.1
The effects of inadequate strategic IRM planning have been evident
for many years. Ten years ago, we reported that due to ineffective
long-range IRM planning, HUD's information systems did not give
managers and staff the basic information they needed to manage and
control departmental programs and financial resources.\4 In a 1992
study, we reported that, because of systems deficiencies, program
officials were unable to provide the oversight needed to protect HUD
programs from fraud, waste, and abuse.\5
The Department has also noted these problems. In HUD's December 1992
Federal Managers' Financial Integrity Act (FMFIA) report, the
Secretary disclosed that the Department had 98 information systems
that did not comply with federal requirements because of substantial
system deficiencies (see app. I). This list included 15 systems
that did not meet mission requirements. HUD's Inspector General has
also reported strategic IRM planning deficiencies. As recently as
May 4, 1993, the Deputy Inspector General stated that HUD continues
to struggle with inadequate information systems because of poor
long-range planning.\6 The Deputy further stated that HUD's programs
are still at considerable risk of abuse and loss because of systemic
weaknesses in departmental information systems, weaknesses that
preclude HUD from effectively controlling and managing its wide array
of large, complex programs.
The lack of strategic IRM planning has also impeded HUD's attempts to
integrate its financial management systems. According to HUD program
managers, the Department failed to effectively identify all of its
business functions in planning HUD's multiyear financial management
systems integration. This resulted in significant project delays,
higher costs, and diminished manager and staff support for the
financial systems integration.
Concern over the viability of the integration effort was so high that
the new Secretary announced steps to redirect and strengthen the
overall financial management systems integration approach. These
steps include establishing a committee of senior-level
executives--the Systems Integration Steering Committee--to meet
biweekly to oversee and monitor individual financial systems
integration projects and make associated funding decisions. Also,
Assistant Secretaries were made accountable for integration projects
in their program areas.
--------------------
\4 GAO/RCED-84-9, Jan. 10, 1984.
\5 HUD Reforms: Progress Made Since the HUD Scandals but Much Work
Remains (GAO/RCED-92-46, Jan. 31, 1992).
\6 Statement of HUD Deputy Inspector General before the Committee on
Banking, Housing, and Urban Affairs, U.S. Senate, on May 4, 1993.
DEPARTMENTWIDE INFORMATION
ARCHITECTURE NOT DEVELOPED
-------------------------------------------------------- Chapter 2:1.2
The lack of strategic business and IRM planning has prevented HUD
from developing a departmentwide information architecture. An
information architecture defines the information that is needed to
achieve mission objectives and how the information systems will work
together to satisfy those objectives.\7 The architecture provides a
standard framework to govern the collection, development, deployment,
management, and use of data and IRM resources to accomplish missions
and objectives. While the IPS Director acknowledged that HUD needs
an information architecture, he pointed out that a useful
architecture could not be developed until HUD establishes a business
planning process and links it to strategic IRM planning.
Even though HUD lacks strategic plans and an information architecture
to guide its IRM investments, it has been updating its computer
hardware and moving forward to integrate its many stand-alone
financial management systems and improve support to various programs.
In doing so, HUD faces increased risks that investments made on these
projects will not support the Department's needs or be fully
consistent with future strategies for achieving its missions and
objectives.
--------------------
\7 An information architecture is a description of all functional
activities to be performed to achieve a desired mission, the
automated systems elements needed to perform the functions, and the
designation of performance levels of those systems elements. An
architecture also includes information on the technologies,
interfaces, and locations of functions, and is considered an evolving
description of an approach to achieving desired missions.
RECENT COMMITMENT TO PLANNING
---------------------------------------------------------- Chapter 2:2
The new Secretary recognizes that HUD needs to embark upon business
planning. According to the IPS Director, the Secretary has begun
efforts to determine what HUD should do, such as conducting business
process reengineering as part of the effort to reinvent HUD. The
Director said that these business planning efforts are focused on
certain areas of high interest.
Also, HUD's program areas are developing ISPs to identify information
needs and perhaps reengineer their business processes. Information
strategy plans incorporate information engineering techniques to
develop integrated information systems based on the sharing of common
data and procedures.\8 Although these initiatives are encouraging,
they are being carried out independent of each other.
--------------------
\8 Information engineering is a systematic process in which
information systems are developed that precisely support the business
of an organization or enterprise.
DATA MANAGEMENT PROGRAM NOT
FULLY INSTITUTED
---------------------------------------------------------- Chapter 2:3
HUD has stressed the need to use common, integrated data and
information to better support its financial and program operations;
however, it has not taken the steps necessary to ensure effective
data management. This has adversely affected the quality of data in
the Department's information systems and hindered the development of
HUD's integrated financial management systems. In particular, HUD
has not established common data elements and defined data
characteristics, nomenclature, and standards for accuracy and
timeliness. Nor has HUD established a data dictionary to communicate
data definitions and locations.\9
--------------------
\9 A data dictionary or data repository is a tool to help
organizations control their data assets by providing a central
catalog of data.
PROGRAMS AND INFORMATION
SYSTEMS INITIATIVES HINDERED
BY INEFFECTIVE DATA
MANAGEMENT
-------------------------------------------------------- Chapter 2:3.1
The lack of common data standards and a data dictionary has
contributed to inconsistent, incomplete, and untimely data in
essential program information systems such as the Federal Housing
Administration's (FHA) multifamily insurance systems. According to
an internal assessment, HUD lacks the information it needs to monitor
the multifamily insurance program, a program that includes about
15,000 multifamily projects and more than $47 billion in insurance
obligations.\10 In this regard, several Housing managers told us
information systems used to monitor multifamily programs suffer from
inconsistent, incomplete, and untimely data. They said that poor
data quality, in combination with other problems, has made these
systems practically useless. In addition, a recent consultant study
of insurance risks cited FHA's new Multifamily National System (MNS)
as offering little useful information for estimating HUD's potential
liability to cover mortgage defaults.\11 This assessment shows that
MNS did not meet HUD's expectation of providing the necessary data to
support better program accountability and risk management by using
data from several multifamily systems. As a result of this study,
HUD management increased its reserves for FHA multifamily mortgage
losses by about $6.4 billion.
HUD's effort to develop integrated financial systems over the past
couple of years has also been adversely affected by ineffective data
management. A primary objective of HUD's financial systems
integration is to improve data integrity and sharing through the use
of common data and systems. However, without standards to ensure
data quality and a data dictionary to convey to all users a common
understanding of the data and associated standards, HUD lacks the
basic management tools necessary for achieving this objective. As a
result, progress has been slowed on HUD's first two and highest
priority integration projects. In particular,
- HUD did not establish definitions and standards for the Control
  Files Subsystem/Tenant Rental Assistance Certification System
  (CFS/TRACS) prior to collecting and entering data on 60,000
  contracts nationwide. Consequently, housing managers told us
  that field staff and contractors made their own assumptions
  about what data to enter. As a result, there were unacceptable
  variations in data consistency and completeness. Due to the
  extent of these problems, the planned completion of the project
  has been delayed by more than a year while HUD reconciles data
  discrepancies. Also, additional staff were needed to correct
  these problems, further straining resources and diverting staff
  from managing programs.
- HUD did not establish a uniform account coding structure for the
  Core Accounting System because the program areas were not able
  to agree on standards for the system and its data. The Core
  Accounting project manager agreed that without these standards
  HUD is unable to (1) provide the means to define and share
  common financial and accounting data departmentwide and (2)
  develop the integrated accounting system it needs to comply with
  federal requirements for integrated financial systems.
--------------------
\10 HUD's December 1992 Report on Compliance with the Federal
Managers' Financial Integrity Act identified deficiencies in the FHA
multifamily insurance systems as a material control weakness.
\11 U.S. Department of Housing and Urban Development Assessment of
the Financial Condition of the Insured Multifamily Portfolio and an
Estimation of the Required Loss Reserves, Coopers & Lybrand, Apr.
29, 1993.
DATA ADMINISTRATION HAS NOT
BEEN EMPHASIZED
-------------------------------------------------------- Chapter 2:3.2
HUD has not established data standards or developed an agencywide
data dictionary because it has not made data administration a
departmentwide priority. Although HUD has a data administration
branch in IPS, this branch has focused on narrow technical issues,
rather than on administering and promoting a data management program
for the Department. The Branch Chief agreed that HUD does not have a
departmentwide program to institute data management policies and
standards, promote sharing across program boundaries, or resolve
conflicts that may arise over data ownership and how it should be
maintained and used to ensure data integrity and availability.
PLANS AND RECENT ACTIONS TO
STRENGTHEN DATA MANAGEMENT AND
DEVELOP STANDARDS
---------------------------------------------------------- Chapter 2:4
The IPS Director stated that data administration has not been
adequately employed and that these capabilities are necessary to
develop departmentwide systems and help program areas develop systems
to support headquarters and field operations. The Director further
stated that he plans to establish a data administration function to
carry out a departmentwide data management program.
In addition to his plan to establish a data management program and
data administration capability, the IPS Director stated that HUD
developed draft data administration standards in July 1993 to promote
the importance of data as a departmentwide resource and to maximize
its value, quality, and usability throughout the Department. These
standards were finalized in November 1993 and were incorporated into
HUD's financial systems integration standards policy. The data
administration standards describe HUD's policies and guidelines for
establishing common data and data standards.
After we completed our audit work, HUD acquired computer software in
December 1993 to enable it to develop a departmentwide data
dictionary. Developing a data dictionary should help HUD understand
what data it has and in which systems the data are located.
According to the Data Administration Branch Chief, it will take at
least 5 years to develop a data dictionary for existing systems.
This is because most of HUD's information systems are poorly
documented and analysts will have to review each software program,
update the documentation, establish data standards, identify data
used, and enter required information into the data dictionary. The
IPS Director told us he is committed to making improvements to data
management and that developing a data dictionary will take some time,
but it is an essential task that HUD must begin. He added that HUD
will not have to wait until the data dictionary is fully developed to
begin benefitting from having information about the data it has and
where the data are located.
COMPUTER SECURITY WEAKNESSES POSE
RISKS TO SENSITIVE DATA AND
CRITICAL COMPUTER OPERATIONS
============================================================ Chapter 3
The Computer Security Act of 1987 (P.L. 100-235) requires federal
agencies with computer systems that process sensitive information to
identify and develop security plans for these systems and to provide
periodic computer security training to personnel managing, using, and
operating these systems.\1 Federal policies further require agencies
to provide the security controls necessary to protect sensitive
computer systems from unauthorized use and establish contingency
plans to ensure that computer support of critical agency operations
can be continued should a disaster or major service interruption
occur.\2
However, HUD has not fully complied with these federal requirements,
even though its security policy contains provisions for their
implementation,\3 because computer security has not been a
departmental priority. In particular, HUD has not (1) identified all
of its sensitive computer systems or prepared up-to-date and accurate
security plans to protect them; (2) fully established fundamental
controls to restrict access to and use of the Department's most
sensitive computer data; (3) ensured that computer security is
properly monitored and staff are adequately trained; and (4)
established contingency plans to mitigate the damaging consequences
caused by the unexpected loss of computer systems and data that
support critical HUD operations. Consequently, HUD has security
weaknesses that pose risks to the integrity of its computer systems
and the sensitive data they contain, and the Department cannot ensure
the recovery and continued processing of essential computer
operations should a major service disruption or disaster occur.
The IPS Director said he is aware of computer security weaknesses at
the Department and that most of these problems exist because offices
have not recognized the importance of computer security or placed
sufficient emphasis on maintaining an adequate level of computer
security. The Director agreed that these computer security problems
are serious and said he has actions underway to strengthen computer
security controls and develop contingency plans. These actions are
encouraging; however, it is too early to tell whether they will
resolve all the computer security problems we identified.
--------------------
\1 The Computer Security Act defines sensitive information as any
information that if lost, misused, or accessed or modified without
proper authorization could adversely affect either the national
interest or conduct of federal programs, or the privacy to which
individuals are entitled under the Privacy Act (5 U.S.C. 552 (a)).
\2 OMB Circular No. A-130, App. III., Management of Federal
Information Resources (June 25, 1993).
\3 U.S. Department of Housing and Urban Development Handbook,
Departmental Staff ADP Security Program (Sept. 1991).
SENSITIVE SYSTEMS NOT
IDENTIFIED AND SECURITY PLANS
ARE DEFICIENT
---------------------------------------------------------- Chapter 3:1
The Computer Security Act requires agencies to identify all computer
systems that contain sensitive information, prepare security plans
for each system identified, and revise the plans annually as
necessary. The act defines a computer system as
"any equipment or interconnected system or subsystems of
equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching,
interchange, transmission, or reception of data or
information...."
In June 1993 the Department reported that it had 39 sensitive
computer systems. However, we found that HUD's list of sensitive
systems did not include all microcomputer-based systems that are
regularly used by field staff to access, store, manipulate, display,
transmit, receive, and manage various sensitive and privacy data.
For example, one office we visited regularly uses a locally developed
microcomputer system to track administrative, financial, and staff
activities. The data contained in this system are obtained from one
of HUD's sensitive mainframe information systems. HUD's list also
did not include the Home Equity Conversion Mortgage (HECM) System.
HECM is a contractor-operated system that contains individuals'
social security numbers, financial data, and loan payment
information--data that are subject to the Privacy Act.
HUD did prepare security plans for the 39 systems it identified as
being sensitive. However, our analysis of these plans shows that 22
do not accurately describe the systems or the actions needed to
correct the security weaknesses because the plans have not been
maintained as required by federal law and guidelines and HUD's own
policy. For example:
- Five security plans do not accurately reflect system upgrades,
  modifications, or hardware and software changes that have
  occurred over the last 30 months. Recent changes include the
  migration of many sensitive systems to new mainframe computers,
  the relocation of the Department's principal data center, and
  the upgrade of its nationwide telecommunications network.
- Eleven security plans do not describe planned actions that are
  needed to resolve security deficiencies reported in risk
  assessment studies by consultants.
- Six security plans had both of the problems described above.
We also found other inaccuracies. For example, the plan for the
Single Family Accounting Management System (SAMS) inaccurately
reported that planning is in place to provide for continuity of data
processing support should a disaster or major disruption cause the
loss of computer operations.\4 Program and contractor officials
involved with system operations told us that there are no contingency
plans for SAMS or the contractor-owned computer installation where it
is processed. A program official responsible for SAMS security added
that the security plan is currently under revision.
The Director of HUD's ADP Security Office stated that in February
1993 HUD's program and administrative offices were asked to update
all of their computer security plans. The Director told us that as
of August 23, 1993, only three plans had been submitted to the
security office. One of these plans was for an operational system.
However, it lacked important information. For example, the plan did
not (1) discuss actions that need to be taken to resolve known
security deficiencies, (2) provide detailed descriptions of the
system implementation and operational controls in place, and (3) show
evidence of being reviewed for adequacy or approved by HUD's security
office. After we concluded our audit work, the Assistant Secretary
for Administration transmitted instructions and requirements for
updating the plans to all program Assistant Secretaries in December
1993, to focus a higher level of attention on the need for updating
computer security plans.
--------------------
\4 SAMS is a critical system that provides HUD managers and staff
with information that is essential to ensure the timely receipt of
and accounting for proceeds from the sale or rental of single family
properties and prevent erroneous or fraudulent payments to repair
contractors, brokers, and other vendors. HUD owns about 32,000
single family properties valued at more than $3 billion.
SENSITIVE COMPUTER SYSTEMS ARE
NOT ADEQUATELY PROTECTED
---------------------------------------------------------- Chapter 3:2
OMB Circular A-130 and departmental security policy require HUD to
implement and maintain computer security measures necessary to ensure
the integrity and confidentiality of sensitive computer data.
However, HUD has not provided an adequate level of security over its
computer systems. We reviewed three contractor-operated computer
installations (including HUD's principal data center) and HUD's
contractor-operated backup data center. Our review disclosed
several computer security weaknesses, including the following:
- HUD's mainframes, which host most of the sensitive systems, lack
  sufficient controls to protect them from being accessed by
  unauthorized individuals. Because security software has not
  been fully implemented, it does not prevent unauthorized
  individuals from accessing sensitive systems and data. HUD
  security officials told us they are aware of the problems. The
  Director stated that security software to control access to the
  Hitachi mainframe computer was replaced on November 6, 1993. He
  expects to correct deficiencies on the other mainframe computer
  systems during the spring of 1994.
- Auxiliary computer system consoles in HUD's principal data center
  have floppy disk drives that, if used, could lead to the
  inadvertent introduction of computer viruses in HUD's mainframe
  computer systems.\5
- A maintenance vendor was allowed direct access from a remote site
  to one of HUD's mainframe computers. Contractor officials
  responsible for the center stated that they did not know the
  extent to which the maintenance vendor had access to sensitive
  HUD applications and data. The IPS Deputy Director stated that
  this access was terminated after we brought it to his attention.
  He added that the access would not be reinstated until
  appropriate controls are put into place.
- Protection and storage of magnetic tapes containing sensitive and
  privacy information are often inadequate. Doors to tape storage
  areas in data centers were left open, allowing uncontrolled
  access and the potential for individuals to remove sensitive
  tapes from the premises without proper authorization.
- Computer rooms or adjacent rooms in data centers are used to store
  paper, thus increasing the risk of fire and damage to computer
  systems.
Several HUD internal reviews, Inspector General reports, and
consultant studies have pointed out similar computer security
problems. For example, in the December 1992 Report on Compliance
with the Federal Managers' Financial Integrity Act, HUD identified
deficiencies in controls to limit access to sensitive systems and to
track and monitor transactions on sensitive systems as a material
internal control weakness. More recently, the Inspector General
reported that HUD did not provide adequate safeguards to protect
against unauthorized access to sensitive computer data.\6 The report
stated that access to sensitive information systems is not properly
limited to those with a need-to-know, that passwords are not
controlled and kept confidential, and that audit trails do not
properly document system transactions. In addition, in March 1993, a
consultant reported that eight computer systems that process
sensitive and privacy data lacked initial, current, or any
certification that the systems' safeguards conform to policies and
are effective.\7 The Director of HUD's Security Office was unable to
identify the total number of sensitive systems that lack
certification because the office does not monitor compliance with
this federal and departmental computer security requirement.
--------------------
\5 A system console is an electronic device that operators use to
enter commands and communicate with the mainframe computers.
\6 U.S. Department of Housing and Urban Development Audit of Fiscal
Year 1992 Financial Statements, Office of Inspector General (June 30,
1993).
\7 Department of Housing and Urban Development Risk Assessment Report
(Final), Booz-Allen and Hamilton, Inc. (Mar. 12, 1993).
INDIVIDUALS ALLOWED ACCESS
TO SENSITIVE DATA WITHOUT
PROPER BACKGROUND
INVESTIGATIONS
-------------------------------------------------------- Chapter 3:2.1
The seriousness of these computer security weaknesses is heightened
because required background investigations have not been completed
for hundreds of HUD and contractor personnel involved with the
operation, management, maintenance, or use of sensitive computer
systems. According to OMB Circular A-130 and HUD policy, background
investigations are required for all departmental and contractor
employees with access to sensitive data or systems. HUD Inspector
General security staff, responsible for arranging the requested
investigations, stated that investigations were sometimes not
performed because program office security administrators failed to
ensure that required investigations were requested. These staff said
they had on-hand 388 requests for background investigations that had
not been started at the beginning of October 1993.
In other cases, investigations of contractor personnel, who routinely
access data contained in four sensitive housing systems, were not
performed because they were not required in the contracts' provisions.
Housing Office contracting technical representatives told us that,
contrary to departmental policy, contractor employees who lack
background investigations are allowed access to sensitive computer
systems and data. As of early November 1993, the Branch Chief stated
that the contracts were going to be renegotiated. Although the
Branch Chief told us that provisions to require background
investigations will be included in any new contract proposals, we
were unable to review the new contract proposals because they had not
yet been prepared.
COMPUTER SECURITY MONITORING IS
INADEQUATE
---------------------------------------------------------- Chapter 3:3
Departmental policy gives the ADP Security Office within IPS
responsibility for the general oversight of HUD's computer security
program. According to the policy, the ADP Security Office, program
staff (designated as system owners), and other IPS staff share
responsibility for evaluating computer security threats, establishing
appropriate safeguards, and ensuring that departmental computer
security requirements are followed.
However, the problems we found show that HUD does not adequately
monitor or enforce its computer security requirements. HUD does not
systematically monitor security at any of the contractor-operated
computer installations we visited. In fact, HUD has relied on
contractors to independently initialize, set, and maintain security
software parameters for the Department's sensitive computer systems
at these installations. Consequently, HUD cannot ensure that these
systems, and the sensitive and privacy data they contain, are
sufficiently protected from unauthorized access, loss, or misuse.
We also found that computer security is not adequately monitored and
enforced at field offices. For example, the individuals responsible
for computer security at two field offices we visited told us that
they do not routinely monitor computer security because it is not a
high priority and they have too many other duties. Although HUD's
ADP Security Office has conducted a few field office inspections in
the past, it has not ensured that identified weaknesses are
corrected. For example, weaknesses in physical security, contingency
planning, and training that were identified at several field offices
about a year ago have still not been corrected.
The IPS Deputy Director stated that some computer security monitoring
is performed at HUD's principal data center, although it may not
always be documented. He cited a recent unannounced visit by his
staff to observe the test of the backup generator at the facility.
During our visit to the facility in May 1993, however, the IPS
Director for Computer Management agreed that HUD computer security
monitoring is not systematic and the ADP Security Office Director
added that it had been about 18 months since the last full security
inspection of the principal data center.
SECURITY TRAINING NOT
SUFFICIENT
---------------------------------------------------------- Chapter 3:4
The Computer Security Act requires that federal agencies provide
periodic training in computer security awareness and accepted
computer security practices to all employees who are involved with
the management, use, or operation of sensitive systems. HUD provides
initial training to new employees and attempts to promote
departmentwide security awareness by periodically issuing memoranda
and making available security-related training materials, such as
videos and personal computer based courses. The ADP Security Office
Director said he would like to make more training available, but that
there are no funds to do so.
Despite these training and awareness activities, we found that agency
personnel are not fully aware of their computer security
responsibilities. For example, some headquarters and field staff at
the offices we visited, who regularly use computers to process and
store sensitive and privacy data, told us they were not fully aware
of HUD's computer security policies and requirements for protecting
sensitive computer information. They attributed this to the lack of
training.
In addition, Housing Office contracting technical representatives,
responsible for briefing computer contractors on HUD's computer
security policies, told us they were unaware of this requirement.
After this requirement was pointed out to them, the contracting
technical representatives told us they could not meet it because they
lacked the necessary knowledge and experience to conduct the security
briefings. A March 1993 consultant report also disclosed that the
Department has not been providing necessary computer security
training for its employees.\8
--------------------
\8 Department of Housing and Urban Development Risk Assessment Report
(Final), Booz-Allen and Hamilton Inc., Mar. 12, 1993.
RECOVERY OF SYSTEMS SUPPORTING
CRITICAL OPERATIONS IS NOT
ENSURED
---------------------------------------------------------- Chapter 3:5
Disruptions of critical computer operations could adversely affect
HUD's ability to service mortgages, subsidize rents, provide grants,
and monitor thousands of Public Housing Authorities and other
agencies who deliver HUD's programs and services. To ensure that
critical operations can continue in emergencies, OMB Circular A-130
requires federal agencies to develop, maintain, and test plans that
provide for the continuity of operations for all information
technology installations supporting essential agency functions.
Because it cannot afford serious disruptions in the operation of its
critical computer systems, HUD also requires the development and
periodic testing of contingency plans that provide for backup,
continuity of operations, and recovery from events that may interrupt
normal operations. Under HUD's policy, contingency plans are
required for (1) each computer installation that hosts a critical
information system and (2) each critical information system.\9
Despite these requirements, HUD has not developed and tested
contingency plans for its nationwide telecommunications network,
local area networks, and microcomputers that carry or process
critical information throughout the Department, or any of the 39
information systems HUD designated as critical to its missions. In
addition, contingency planning for the three contractor-operated
computer installations that host 27 of HUD's 39 critical information
systems is inadequate. There is no contingency plan for one
installation and, according to contractor officials, the plan for
another does not specifically provide for the recovery of HUD's
critical systems. In the third case, HUD is developing a contingency
plan for its principal computer installation; however, it has not
finalized and fully tested the plan.
Because of the lack of contingency plans, HUD faces unnecessarily
high risks that its missions will be seriously impaired should a
major service disruption or disaster occur. Despite the serious
threat to HUD's ability to fulfill its missions, the Department has
not reported this as a material internal control weakness under the
Federal Managers' Financial Integrity Act.\10
According to the IPS Director, HUD's computer security and
contingency planning problems are serious and need to be corrected.
The Director attributed most of these problems to HUD program
managers' and staffs' failure to maintain security over systems and
data because they do not recognize the importance of doing so. On
October 1, 1993, HUD entered into a contract with the General
Services Administration to acquire backup support for the Hitachi
mainframe computer, located at the principal computer
installation.\11 The IPS Deputy Director said the draft contingency
plan for the computer installation will be revised to include both
the Unisys and Hitachi mainframe computers and the sensitive systems
they host.
In November 1993, the ADP Security Office Director stated that HUD
expects to test a backup capability for the Hitachi mainframe
computer in April 1994. The Director also stated that they expect to
have the revised contingency plan for the principal computer
installation drafted by that time. While this is encouraging, these
steps to correct problems at the principal computer installation have
not yet been implemented. In addition, we told HUD officials that it
was unclear how HUD plans to address the lack of contingency plans
for critical systems that are operated at other computer
installations or for the nationwide telecommunications network, local
area networks, and microcomputers that carry or process critical
information.
--------------------
\9 HUD designates information systems as being critical if they are
essential to perform its missions (e.g., many of HUD's critical
systems must be restored and fully operational within 24 hours,
regardless of why service is disrupted).
\10 Under the Federal Managers' Financial Integrity Act of 1982 (31
U.S.C. 3512), agencies must establish internal controls to
reasonably ensure that agency assets are effectively controlled and
accounted for. Agencies must also annually report weaknesses in
these controls and the status of any corrective actions. Policies
implementing the act further require agencies to incorporate security
controls that address the use of their automated information systems.
\11 HUD had no backup capability for the Hitachi mainframe computer,
which hosts seven critical systems at the principal computer
installation.
MANAGEMENT AND OVERSIGHT OF HUD'S
FINANCIAL SYSTEMS INTEGRATION
EFFORT ARE INEFFECTIVE
============================================================ Chapter 4
Our reports, as well as reports by the Inspector General and others,
have shown that inadequate information systems have kept HUD from
properly managing its financial resources. After the scandals in
1989, HUD reported that it was unable to comply with the Federal
Managers' Financial Integrity Act and other federal requirements
because the Department lacked an efficient, effective, and integrated
financial management system that could be relied upon to provide
timely, accurate, and relevant financial information and reports to
management. To address this weakness, HUD began a $100 million
financial management systems integration effort in 1991 to develop a
common accounting and financial management system and replace about
100 systems with 9 fully integrated financial systems.
In carrying out the financial systems integration, however, HUD did
not adequately oversee the planning and development of individual
financial systems or develop a detailed plan to effectively guide the
Department's transition from its existing operations to the planned
integrated systems environment. Consequently, the integration effort
was hampered by numerous problems, costly delays, and diminished
manager and staff support. These problems prompted the new Secretary
to take action to strengthen senior management's oversight, revise
HUD's integration strategy to more accurately take into account HUD's
program operations and business processes, and make other
improvements to address the project management and oversight problems
we identified.
FINANCIAL INTEGRATION HAMPERED
BY INEFFECTIVE PROJECT
MANAGEMENT
---------------------------------------------------------- Chapter 4:1
The ultimate success of the integration depends upon the
participation of HUD's program, field, and administrative offices.
Toward this end, HUD initially established a management structure to
provide oversight of the integration. This structure consisted of
(1) a Steering Committee of senior management officials to provide
high-level oversight; (2) the CFO's office, which was responsible for
overall project management; and (3) project oversight committees and
teams, which were led by experienced executives and composed of staff
from affected HUD programs, IPS systems development staff, and
contractor personnel.
Despite these measures, HUD's first two projects, CFS/TRACS and the
Core Accounting System, suffered delays and rising project costs
because of numerous problems. For example:
HUD collected data and developed software for the CFS/TRACS system
prior to identifying all of the system's functional
requirements. One of the results was that HUD had to relocate
system data from a local area network environment to a mainframe
computer to meet data processing and reporting requirements that
were not initially identified. This required HUD to make
substantial software revisions to accommodate the relocation.
Ineffective project planning drove up CFS/TRACS costs and drained
staff resources. Because it underestimated the staff-intensive
nature of collecting and entering data for the system, HUD was
forced to shift over 500 staff years away from other programs to
carry out this work. According to HUD's records, a year after
initiating work on the system the cost of establishing the
CFS/TRACS database exceeded the original $18 million estimate by
about $2 million. Furthermore, work on collecting and verifying
system data is still ongoing and the scheduled date for
completing this work has slipped more than a year.
A version of the CFS/TRACS software was installed and operated in
the field before it was adequately tested. In one case, the
untested software introduced a large number of errors in a pilot
region's database. Although they had not prepared an estimate,
regional officials told us they would have to continue to
redirect staff resources from other programs to correct the
errors.
HUD purchased commercially available software for the Core
Accounting System, despite the lack of consensus on the role of
the system. Should system requirements change extensively, this
software may no longer be able to satisfy all requirements.
Therefore, the Department risks having to alter its technical
approach or purchase additional software to meet its
requirements.
Our review found that inadequate project management and oversight
contributed to these problems. First, HUD management did not require
offices and staff to agree on project direction, goals, standards,
and strategies prior to project implementation. For example, the
Core Accounting System project manager stated that after more than a
year of work on the project, various offices had not reached
agreement on the system's role as the central accounting system.
Moreover, program officials working on HUD's third integration
project, the Mortgage Insurance System, told us that poor planning
and subsequent concerns over the viability of the system as it was
designed brought work on the project to a halt. Consequently, the
entire project is being replanned to better reflect the business
needs of HUD's housing programs. ISPs for the multifamily and single
family program areas are scheduled to be underway by April 1994.
Second, responsibility for the projects was not clearly defined. For
example, accountability for the CFS/TRACS project was not clear, with
the Deputy Assistant Secretary for Public and Indian Housing serving
as the Chairman of the project oversight committee, the CFO and
comptrollers in program offices setting policies and developing
plans, the Administration Office supervising contractors who were
developing the system, the IPS Director managing day-to-day
activities, and regional managers continuing the effort to verify and
establish the database. Therefore, disagreements among key players
as to their roles, the project's priority, and the purpose of the
system took long periods to resolve or were left unresolved.
Third, HUD did not have a mechanism in place to ensure that the daily
operations of the individual integration projects were sufficiently
coordinated to achieve HUD's systems integration objectives. Because
of this, CFS/TRACS and the Core Accounting System were planned and
developed with insufficient coordination between the projects. As a
result, the systems were inadvertently designed with duplicate
functions related to monitoring Section 8 budget execution because
the project teams were not aware of each other's plans and system
designs.
TRANSITION TO THE INTEGRATED
SYSTEMS NOT PLANNED
---------------------------------------------------------- Chapter 4:2
HUD has a complex organizational structure, in which its major
program offices operate independently of each other. To successfully
achieve systems integration, offices need to carefully assess and
plan for the impending organizational, procedural, and other changes
that will result from the transition to integrated systems and the
resources necessary to carry out all required tasks. This planning
involves defining new organizational roles, responsibilities, and
interrelationships for program areas using the integrated systems;
centralizing financial systems policies and standards; developing new
operational procedures; ensuring systems and information security in
the integrated environment; and facilitating communication and
coordination of the overall integration effort.
However, HUD has not developed a transition plan for the financial
systems integration and therefore lacks a complete organizational
perspective for this effort and a clear, documented strategy for
guiding the transition. Both the Deputy CFO for Finance and the IPS
Director agree that careful transition planning is needed.
ACTIONS TAKEN TO REVISE HUD'S
FINANCIAL SYSTEMS INTEGRATION
EFFORT AND STRENGTHEN PROJECT
MANAGEMENT
---------------------------------------------------------- Chapter 4:3
On May 4, 1993, the Secretary reported to Congress that HUD had made
little progress since it began integrating its financial management
systems in 1991. He also stated that he had begun taking steps to
redirect and strengthen the management of HUD's financial systems
integration. In this regard, the Secretary formed a Systems
Integration Steering Committee, chaired by the Deputy Secretary and
composed of the program Assistant Secretaries, the Assistant
Secretary for Administration, the CFO, and the Inspector General, to
review HUD's strategy for achieving its integration goals and
strengthen management oversight of the integration effort.
According to the Deputy CFO for Finance, the Steering Committee
fundamentally changed HUD's financial systems integration strategy.
Under the new strategy, which is articulated in the September 1993
revision of HUD's Financial Systems Integration Plan, program offices
are no longer required to make their program operations fit into nine
common, integrated financial systems. Instead, offices are
encouraged to develop systems that are consistent with their
management priorities and business needs. Systems to be developed
must follow the financial systems integration standards and be
integrated or interfaced with the Core Accounting System (now
designated the Agency Accounting System). We agree that the revised
strategy is a more reasonable approach in that it emphasizes meeting
the program operational needs while providing for integrating and
sharing financial data with the Agency Accounting System.
According to HUD's revised integration plan, the Steering Committee
has primary responsibility for management oversight of the
integration effort. The committee, which meets on a bi-weekly basis,
provides policy direction for all systems integration activities,
approves systems integration projects and oversees their
implementation, and monitors the allocation of budget resources. In
addition, the Steering Committee is supported by a Systems
Integration Working Group, composed of senior HUD staff and chaired
by HUD's CFO. Both the working group and the CFO assist the
committee in carrying out project oversight and monitoring
responsibilities.
The Deputy CFO for Finance stated that he believes HUD is addressing
the management and oversight weaknesses we identified. Through the
establishment of the Steering Committee and its related actions, he
believes HUD has the top-level management involvement it needs to
implement the integration plan and achieve the Department's
integration goals. He noted that because of this involvement, there
is agreement among HUD senior managers on the direction, scope, and
overall objectives of the integration effort. HUD's actions to reach
agreement on these matters are an important step toward addressing
and resolving the management and oversight problems we found.
In November 1993, the Steering Committee issued financial systems
integration standards. These standards set forth guidelines for
improving information and transaction processing support to the
program, administrative, and financial functions in the Department
and providing more accurate financial and analytical reports to
executive-level management. According to the standards, program
managers are required to prepare ISPs before initiating any major
system development effort, to define their business environment and
needs, and to follow the Department's system development methodology.
As a first step toward implementing the financial systems integration
standards, HUD is developing an agencywide account coding structure
consistent with the Standard General Ledger, which will provide for
the tracking of specific program financial data.
The Steering Committee also clarified roles and responsibilities for
all financial systems integration projects. Program assistant
secretaries, who are served by systems, have been designated the
primary owners of information system projects and are directly
responsible for the success of the projects.
CONCLUSIONS AND RECOMMENDATIONS
============================================================ Chapter 5
CONCLUSIONS
---------------------------------------------------------- Chapter 5:1
The lack of strategic IRM planning, coupled with HUD's long-standing
information problems and inadequate information systems, continues to
impair the Department's ability to significantly improve its use of
IRM resources to satisfy mission needs. The absence of a strategic
information systems architecture poses increased risks that HUD's
investments in information technology will not be consistent with
strategies for achieving its missions and objectives. Ineffective
data management continues to adversely affect the usefulness and
reliability of data in the Department's information systems and
hinders the development of integrated financial systems.
Sensitive computer data and essential computer operations are also at
risk because HUD has not taken the steps necessary to safeguard these
systems against unauthorized access and ensure that computer support
for critical mission activities can be continued should disasters or
major service disruptions occur. In addition, inadequate oversight
of the planning and development of integrated financial systems has
impeded the Department's progress toward correcting long-standing
financial management system weaknesses.
Collectively, these problems threaten HUD's ability to provide
information and effectively use IRM resources to fully support its
future directions, missions, priorities, and programmatic needs.
Senior HUD officials have initiated actions and plans to address the
Department's strategic planning, data management, computer security,
and financial systems integration weaknesses. While HUD's actions
are encouraging, the efforts have only recently begun and do not
address all of the IRM problems we identified. Correcting these
problems will require the sustained commitment of the Department's
leadership and managers.
RECOMMENDATIONS
---------------------------------------------------------- Chapter 5:2
In order to make HUD's IRM program more responsive to its missions,
we recommend that the Secretary of Housing and Urban Development:
Establish strategic business and IRM planning processes and develop
and maintain up-to-date plans that are clearly linked to each
other. The plans should articulate senior executives' vision of
the Department's missions, objectives, and priorities, and
define the strategies and program and IRM resources needed to
properly support the missions and achieve the strategic
objectives. The Secretary should consider using the existing
IRM Planning Board to develop the Department's strategic plans.
In any event, direct and substantive involvement of the
Secretary, Deputy Secretary, and senior executives is essential
to define the business vision and strategic objectives.
Direct IPS to develop a strategic information architecture that is
based on the strategic business and IRM plans to govern the
development, deployment, and use of IRM resources.
Establish a data management program to support integrated and
departmentwide systems, and ensure that the organization
responsible for this program has sufficient authority to
coordinate the development of standards for common data,
establish a data dictionary that provides definitions and
locations of data, and ensure compliance with departmentwide
data standards.
Eliminate weaknesses in computer security controls over automated
systems and installations that store, process, transmit, or use
sensitive or privacy data. This will require establishing
effective mechanisms to ensure that both HUD and contractor (1)
computer operations conform with federal and departmental
requirements; (2) staffs receive background investigations that
are commensurate with their access to sensitive systems; and (3)
staffs receive sufficient training so they are aware of and can
fulfill their computer security responsibilities.
Develop and test contingency plans to provide for the backup,
recovery, and continuity of operations of all systems and
computer installations that support critical Department
functions. Also, until these plans are fully developed and
tested, report the lack of contingency plans as a material
internal control weakness under the Federal Managers' Financial
Integrity Act.
Establish and maintain, as part of the implementation of HUD's
revised Financial Systems Integration Plan, (1) clear lines of
authority over the entire effort and individual systems
projects; (2) standards for the common data that will be used;
(3) a data dictionary for the integrated financial systems; (4)
a detailed plan to transition from existing systems to the
integrated systems that will be developed; and (5) an effective
monitoring mechanism to ensure that significant problems, with
any project or the integration effort as a whole, are brought to
the attention of senior managers and are corrected in a timely
manner.
AGENCY COMMENTS AND OUR EVALUATION
============================================================ Chapter 6
Senior Department officials, including the Assistant Secretary for
Administration and CFO, provided oral comments on a draft of this
report. The officials agreed that IRM improvements are needed, and
identified specific actions, either underway or planned, to address
our recommendations. They said HUD's new management team recognizes
the need to correct the deficiencies we pointed out, adding that our
draft report was very useful in influencing senior-level
deliberations on the need for strategic planning. They said,
however, that they were concerned the draft report did not fully
recognize and give credit for the actions HUD has underway.
ACTIONS TO IMPLEMENT STRATEGIC
BUSINESS AND IRM PLANNING
---------------------------------------------------------- Chapter 6:1
Senior-level HUD officials agreed that HUD's IRM planning has been
hindered by the lack of a strategic business plan. They said
historically there has not been a strategic business planning process
for HUD and that major improvements are needed to accurately reflect
business planning at the highest levels. In this regard, they stated
that the Secretary is committed to developing a strategic business
plan that focuses on HUD's long-term objectives and the approaches
needed to achieve the Department's missions, goals, and objectives.
The officials said the strategic business plan will be used to
support the development of a departmentwide information architecture.
They added that the new management team has completed a document,
"Program and Management Plan, Creating Communities of Opportunity,"
that describes the Department's priorities and will be the basis for
a business-driven planning process in the future.
The officials also said a document was recently drafted that
describes a revised IRM planning process that will be used as the
framework for supporting the Department's future strategic planning
methodology. The IPS Director stated that this draft document
represents HUD's initial efforts to develop an information planning
process that can also respond to the related annual planning calls of
the Department.
In prior discussions with officials, we pointed out that since the
ISP efforts were not linked to strategic business and IRM planning
processes, it was unclear how they would be factored into HUD's
business and IRM objectives and strategies. In this regard, the IPS
Director said the proposed planning process is a step forward because
it will establish linkages between program areas' ISPs and HUD's
strategic IRM planning process. We note, however, that these actions
do not address how the Department will link program areas' ISP
efforts to its intended strategic business planning process. We
believe the establishment of linkages between the planning processes
is necessary to have concerted plans and actions to achieve the
Department's strategic missions and business objectives. Without
such linkages, there is a risk that programs' business and
information strategies will not be closely aligned with the strategic
objectives of the Department.
We believe that the Secretary's commitment to strategic planning and
HUD's early steps represent the first substantive actions since we
reported on the absence of strategic IRM planning 10 years ago.
While HUD has not defined or established its strategic business and
IRM planning processes, its commitment to do so is encouraging.
ACTIONS TO IMPLEMENT A DATA
MANAGEMENT PROGRAM
---------------------------------------------------------- Chapter 6:2
Department officials said they have made progress toward improving
data management. They cited the departmentwide data administration
standards and standards for HUD's financial systems integration
efforts that were finalized in November 1993 as important steps
toward developing common data. The officials also said HUD acquired
computer software in December 1993 that will enable it to develop a
data dictionary. In addition, they noted that HUD has initiated a
reorganization to elevate attention to data administration and
combine information planning and data administration activities
within a single unit.
We believe that HUD's actions to establish departmentwide data
administration and financial systems integration standards are
encouraging. These new standards documents set forth a policy
framework that will allow HUD to begin to establish common data
elements, characteristics, and standards (for example, data accuracy
and timeliness standards). HUD has made progress, as well, in
addressing its lack of an account coding (financial classification)
structure for the financial systems integration effort. The
officials stated that HUD program areas are evaluating a proposed
coding structure. They said they will develop the coding structure
to be consistent with the Department's Standard General Ledger that
is also under development. If HUD successfully implements these new
policies, a data management program and data dictionary, the
Department will move toward its goal of increasing information
systems effectiveness through the use of common data that can be
understood and shared throughout the Department.
ACTIONS TO IMPLEMENT COMPUTER
SECURITY CONTROLS AND
CONTINGENCY PLANNING
---------------------------------------------------------- Chapter 6:3
HUD officials acknowledged that the Department has not fully complied
with federal security requirements and said HUD should do more to
ensure proper security over sensitive systems and data. They said
that over the past 3 years HUD has established a unit within IPS to
manage and oversee security and developed a departmental ADP security
program. They also noted that HUD replaced access control software
for the Hitachi mainframe computer in November 1993, and corrected
the specific weaknesses we found during our computer installation
inspection tours. They said HUD expects to upgrade the access
control software on the Unisys mainframes during the spring of 1994,
and to have contingency plans completed and fully tested for most of
HUD's critical computer systems, networks, and installations by
August 1994. We are encouraged by these efforts and believe they
represent important steps that, if properly planned and implemented,
will bring the Department into compliance with federal and
departmental computer security requirements.
Department officials took exception to our statement that computer
security has not been a departmental priority, citing their actions
over the past 3 years as discussed above. We agree that HUD has
recently begun to focus more attention on computer security and has
initiated actions to correct the computer security weaknesses we
identified. However, we continue to believe the serious computer
security weaknesses we identified--including the failure to identify
all sensitive systems in the Department, deficient security plans for
sensitive systems and access controls for computer systems, failure
to restrict access to sensitive data and systems to individuals with
required background investigations, inadequate computer security
monitoring, insufficient computer security training, and lack of
contingency plans that provide for the recovery of critical
systems--indicate that computer security has not been sufficiently
emphasized within the Department. These conditions, which have not
been fully corrected, continue to pose threats to the security of
HUD's sensitive computer systems and data.
In regard to our findings pertaining to HUD background
investigations, the HUD officials said the Department is trying to
comply with federal policies and procedures. However, they
acknowledged that their process remains awkward, slow, and costly.
The officials said HUD is presently considering options to speed up
and reduce the cost of the background investigation process.
Department officials further agreed that they need to correct
deficiencies at contractor-operated computer installations where
contractor employees, who lack background investigations, routinely
access data contained in four sensitive housing systems. However,
they considered it inappropriate to extrapolate the problems we found
to deficiencies in HUD's overall background investigation process
because the cases represent unique situations in which there were
contracts several years old and for which the Government Technical
Representatives are not IPS staff.
We disagree that we improperly project our findings regarding the
lack of background investigations for HUD and contractor staff with
access to sensitive systems and data. While HUD stated that these
cases may be somewhat unique because of the absence of IPS staff, HUD
is responsible for ensuring that its sensitive systems and data are
protected from persons lacking required background investigations.
This responsibility is not mitigated because Government Technical
Representatives from one HUD organization rather than another oversee
the development of the contract. In addition, the federal
requirements for background investigations of employees and
contractor personnel predate the effective dates of these
contracts.\1 Furthermore, these contracts involve four of HUD's most
highly sensitive computer systems, which support users throughout the
Department. These systems store privacy data and proprietary
business information and are used to control billions of dollars in
housing program properties and assets. As such, HUD's failure to
ensure that background investigations were performed for contractor
employees, who continue to routinely access data in these sensitive
computer systems, poses a substantial threat that HUD cannot afford
to overlook.
HUD officials agreed that the Department needs to do a better job
monitoring compliance with computer security requirements, noting
that HUD is seeking contractor assistance to support a regular
monitoring program and more frequent computer security reviews at
headquarters and field offices. Regarding HUD's reliance on
contractors to initialize, set, and maintain security parameters on
the Department's mainframe computer systems, the officials remarked
that HUD has corrected this deficiency for one mainframe computer
system. In particular, the IPS Director replaced the security
software for one of HUD's mainframe computer systems and strengthened
controls over access by having the IPS ADP Security Office initialize
and set the security parameters itself. The Director has also placed
responsibility for maintaining the security parameters with the ADP
Security Office. The Director stated that enhanced access controls
for the remainder of HUD's mainframe systems are expected to be
completed during the spring of 1994. We believe the steps taken by
the IPS Director have strengthened internal controls over security
software and access to computer data. We also believe the planned
actions are needed to better monitor computer security compliance at
HUD offices and enhance access controls for the remainder of the
Department's mainframe systems. If these actions are properly
implemented, they will help protect the Department's sensitive
systems and data.
HUD officials also said they believe the Department has done a
credible job of addressing computer security awareness and training
requirements given its present budget situation. Despite HUD's
efforts, however, agency personnel told us they were not fully aware
of their computer security responsibilities. Although budgetary
constraints are difficult to live with, they do not relieve the
Department of the obligation to ensure that all staff are made aware
of their computer security responsibilities and to obtain sufficient
training to fulfill them.
The officials agreed that disruptions of computer operations could
adversely affect their ability to process critical computer systems
that support HUD's missions, pointing out that the development and
testing of contingency plans are a HUD priority. They said HUD
expects to complete a business resumption plan for the entire
Department in July 1994. The plan is to include disaster recovery
planning for HUD's mainframe computer systems located in Lanham,
Maryland; headquarters and field office local area networks; 10
microcomputer systems designated as critical; and the Department's
telecommunications network. The IPS Director also stated that in
January 1994 HUD ordered a larger Hitachi computer system for its
primary computer installation in Lanham, Maryland. The existing
Hitachi computer system is to be moved to HUD's Reston, Virginia,
computer installation and serve as a back-up computer system. In
addition, the HUD officials agreed that contingency plans are needed
for the two other computer installations referenced in our report,
stating that HUD is currently working with the Office of Housing to
modify contracts to include contingency planning requirements.
Until HUD develops and fully tests contingency plans and disaster
recovery procedures for all of its critical computer systems, the
Department will continue to face unnecessarily high risks that its
missions will be seriously impaired should a major service disruption
or disaster occur. Therefore, we continue to believe that HUD should
report the lack of contingency plans as a material internal control
weakness under the Federal Managers' Financial Integrity Act.
--------------------
\1 OMB Circular No. A-130, Part III, Management of Federal
Information Resources (June 25, 1993); and OMB Circular No. A-71,
Transmittal Memorandum No. 1, Security of Federal automated
information systems (July 27, 1978) rescinded.
ACTIONS TO IMPROVE MANAGEMENT
AND OVERSIGHT OF THE FINANCIAL
SYSTEMS INTEGRATION EFFORT
---------------------------------------------------------- Chapter 6:4
Department officials agreed that HUD has not effectively managed its
financial systems integration effort. They stated, however, that
through the efforts of the Systems Integration Steering Committee,
HUD has taken action to obtain agreement on the effort's direction
and goals, define responsibilities, and establish an oversight and
coordination mechanism. We agree the efforts of the Systems
Integration Steering Committee have clarified responsibilities and
strengthened oversight and accountability for the financial systems
integration effort. We believe, however, these efforts must continue
throughout the integration effort to ensure that the Department's
integration goals are met.
Although the officials agreed that CFS/TRACS and the Core Accounting
System included duplicate functions related to monitoring Section 8
budget execution, they took exception to our finding that this was
due to the lack of effective planning and coordination. They stated
that HUD intentionally included the functions in the scopes of both
projects and left it up to the two project teams to work together to
decide how to provide the needed functionality. However, we continue
to believe that the lack of planning and coordination caused the
project teams to work on duplicative efforts. According to the
project teams and related documentation, project team members were
not aware that both teams were asked to automate the same functions.
It was not until HUD began to demonstrate the functionality of the
CFS/TRACS system that the two project teams became aware of the
duplication.
The officials also questioned the need for a high level,
departmentwide transition plan. They said it is HUD's belief that by
empowering the program assistant secretaries to develop systems plans
based on their business strategies, developing a central agency
accounting system to record financial activities, implementing
financial systems integration standards, and developing a uniform
accounting coding structure, a detailed transition plan is not
necessary. Instead, the officials noted that under the revised
integration strategy HUD plans to address this requirement by having
each project team include a transition plan as part of its detailed
project work plan.
We agree that each system project team should plan for conversion to
and implementation of the new integrated systems. This is consistent
with federal systems standards, HUD's system development methodology,
and accepted practice. However, for large-scale modernizations, such
as the financial systems integration effort, that include concurrent
implementation of many large systems projects over an extended
period, we believe that a detailed plan to guide the overall effort
is important to ensure success.
INFORMATION SYSTEM DEFICIENCIES
CITED IN HUD'S FISCAL YEAR 1992
FMFIA REPORT
=========================================================== Appendix I
System Name                   Title of Nonconformance
----------------------------  ----------------------------
Employees Time Reporting      Does not comply with OMB
                              Circular A-127 (A-127) and
                              lacks automated
                              interfaces.\a

Annual Contributions          Lacks automated interfaces.

Rapid Housing Payment         Does not comply with A-127.

Insurance in Force Premium    Inadequate data quality,
Liquidations and Controls     documentation, and support
                              of mission.

Treasury Reporting            Functionally redundant and
                              does not comply with the
                              Joint Financial Management
                              Improvement Program (JFMIP)
                              requirements.

Office of Procurement and     Does not support overall
Contracts Management          mission performance. Does
Information                   not comply with Standard
                              General Ledger (SGL) or
                              JFMIP's core financial
                              systems requirements.
                              Inadequate data quality,
                              interfaces, system
                              documentation, and audit
                              trails.

SF-224 Transaction            Functionally redundant.
Reconciliation

Loan Accounting               Does not comply with A-127.

Single Family Premium         Inadequate support of
Collections                   mission and does not support
                              case-level reconciliation.
                              Inadequate subsidiary
                              ledger.

Single Family Insurance       Inadequate support of
                              mission and does not support
                              case-level reconciliation.
                              Lacks effective interfaces.

Single Family Insurance       Inadequate support of
Claims Subsystem              mission and subsidiary
                              ledger.

Low Rent Housing Security     Does not comply with JFMIP's
Ledger                        core financial systems
                              requirements.

Assisted Housing Accounting   Does not comply with JFMIP's
                              core financial systems
                              requirements.

National Credit Bureau        Lacks effective interfaces.
Referral

Federal Assistance Award      Does not comply with A-127.
Data

Resource Allocation           Does not comply with A-127.
Guideline

Mortgage Insurance General    Does not comply with SGL or
Accounting                    JFMIP's core financial
                              systems requirements.

General Program Accounting    Does not comply with JFMIP's
Diversified Payment           core financial systems
                              requirements.

Furniture & Equipment         Does not comply with A-127.
Management Information        Lacks automated interfaces.

Section 235 Accounting        Does not comply with A-127.

Section 235 Automated         Does not comply with JFMIP's
Validation and Editing        core financial systems
                              requirements.

Line of Credit Control        Does not comply with A-127.

OMB Standard General Ledger   In development phase. Does
                              not support overall mission.

Funds Accounting and Status   Does not comply with A-127.
Tracking

Single Family Property        Does not comply with A-127.
Disposition

Distributive Shares and       Does not comply with A-127.
Refund

Multifamily Mortgage Auction  Does not comply with A-127.
System Section 221(g)(4)

One-time Mortgage Insurance   Inadequate subsidiary
Premiums                      ledger.

Section 8 Accounting          Does not comply with JFMIP's
                              core financial systems
                              requirements.

Budget Management             Does not comply with A-127.
Information

Treasury Check Writing        Does not comply with JFMIP's
                              core financial systems
                              requirements.

Program Accounting            Does not comply with A-127.

HUD Administrative            Does not comply with A-127.
Accounting

Government National Mortgage  Does not comply with A-127.
Association Mortgage-backed
Securities

Default Management            Does not comply with A-127.

Pool Transfer                 Does not comply with A-127.

Subservicer Reporting         Does not comply with A-127.

Check Record Issuance         Does not comply with A-127.

MACOLA Accounting Software    Multiple departmental
                              general ledgers.

Demographic Eligibility and   Lacks current system
Allocations                   documentation.

Field Office Reporting and    Lacks effective interfaces.
Management System/Community
Planning and Development

Annual Report to Congress     Does not comply with A-127.

Action Grant Information      Does not comply with A-127.

Secretary's Discretionary     Does not comply with A-127.
Fund Management Information

Community Planning and        Does not comply with A-127.
Development Management
Information Retrieval

Homeless Assistance           Does not comply with A-127.
Management Information

Economic Development          Does not comply with A-127.
Management Information

Community Development Block   Does not comply with A-127.
Grant Contract Activity

Urban Homesteading Program    Does not comply with A-127.
Management Information

Community Development Block   Lacks adequate data quality.
Grant Activities Reporting

HOME Investment Partnership   Does not comply with A-127.
Act

Hope for Ownership of Single  Does not comply with A-127.
Family Homes

Community Planning and        Does not comply with A-127.
Development Information
Management

Office of Personnel and       Does not comply with A-127.
Training Personnel/Payroll

Bond Payment                  Does not comply with JFMIP's
                              core financial systems
                              requirements.

Tracking Advanced             Does not support overall
Procurement Plans             mission performance. Not in
                              compliance with SGL or
                              JFMIP's core financial
                              systems requirements.
                              Inadequate data quality,
                              system documentation, and
                              audit trails. Lacks
                              effective interfaces.

Project and Resource          Does not comply with A-127.
Management

Departmental Accounts         Does not comply with A-127.
Receivable Tracking/
Collection

Task Management Information   Does not comply with A-127.

Integrated Procurement        Does not support overall
Management                    mission performance. Not in
                              compliance with SGL or
                              JFMIP's core financial
                              systems requirements.
                              Inadequate data quality,
                              system documentation, and
                              audit trails. Lacks
                              effective interfaces.

Section 8 Management          Lacks effective interfaces
Information                   and reconciliations with
                              other systems.

Computerized Underwriting     Inadequate support of
Processing                    mission. Does not support
                              underwriting mission.

Average Area Purchase Prices  Lacks effective interfaces.

Housing Development Grant     Lacks effective interfaces.
Information

Computerized Home             System not fully developed.
Underwriting Management       Inadequate support of
                              mission.

Foreclosure Case Management   Does not comply with A-127.
and Financial Tracking

Single Family Insurance       Inadequate system
Consolidator and Distributor  documentation.

Annual Premium Billing        Inadequate support of
                              mission and data quality.
                              Lacks documentation.

Public Housing Fiscal Data    Does not comply with A-127.
Survey

Policy Development and        Does not comply with A-127.
Research Market Analysis
Support

Consolidated Single Family    Inadequate support of
Statistical                   mission. Changed
                              requirements and reporting
                              entities have made system
                              development inadequate.

Single Family Default         Lacks adequate interfaces.
Monitoring Subsystem

Home Mortgage Disclosure Act  Inadequate support of
                              mission.

Multifamily Property          Does not comply with A-127.
Management

Multifamily Insurance         Inadequate data quality and
                              documentation. Lacks
                              effective interfaces.

Multifamily Accounting        Inadequate data quality and
Reporting Servicing           documentation. Lacks
                              effective interfaces.

Institution Master File       Does not comply with A-127.

Multifamily Information       Inadequate support of
Processing                    mission. Needs to be
                              completed, technically
                              upgraded and integrated.

Credit Alert Interactive      Does not comply with A-127.
Voice Response

Single Family Mortgage Notes  Lacks effective interfaces.
Servicing

Mortgage Insurance            Does not comply with JFMIP's
Accounting                    core financial systems
Diversified Payments          requirements.

Title I Notes Servicing       Does not comply with A-127.

Title I Insurance and Claims  Inadequate support of
                              mission. Insufficient data
                              on insurance outstanding.

Multifamily Insurance and     Lacks adequate interfaces.
Claims

Tenant Rental Assistance      Lack of capability (system
Certification                 in development phase).

Multifamily Insured and       Lacks effective interfaces.
Direct Loan Information

Departmental Automated        Does not comply with A-127.
Audits Management

Travel Tracking               Lacks single entry point for
                              data.

Public Housing Development    Does not comply with A-127.
Cost Limits

Regional Operating Budget     Lacks automated interfaces.
and Obligations Tracking

Management Information        Inadequate system
Retrieval                     documentation and audit
                              trails.

Public and Indian Housing     Does not comply with A-127.
Fund Assignment

System Management             Lacks effective interfaces.
Information Retrieval/
Public Housing

Public Housing Authority      Lacks data quality.
Statement of Operating
Receipts and Expenditures

Advanced Technology Ledger    Does not comply with SGL or
Accounting                    JFMIP's core financial
                              systems requirements. Lacks
                              effective interfaces.

Issuer Management             Does not comply with A-127.

Issues Profile Analysis       Does not comply with A-127.
Database

Home Equity Conversion        Inadequate data quality and
Mortgages                     documentation.
                              Reconciliation deficiencies.
----------------------------------------------------------
\a OMB Circular No. A-127, Financial Management Systems, July 23,
1993, requires that agencies establish and maintain a single,
integrated financial management system.
MAJOR CONTRIBUTORS TO THIS REPORT
========================================================== Appendix II
ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION, WASHINGTON
D.C.
-------------------------------------------------------- Appendix II:1
Dr. Rona B. Stillman, Chief Scientist
David G. Gill, Assistant Director
William D. Hadesty, Technical Assistant Director
Brian C. Spencer, Technical Assistant Director
Mark D. Shaw, Evaluator-in-Charge
Paula N. Denman-Barnes, Senior Evaluator