[Audit Report on the Automated Law Enforcement System, Bureau of Indian Affairs]
[From the U.S. Government Printing Office, www.gpo.gov]
Report No. 97-I-882
Title: Audit Report on the Automated Law Enforcement System, Bureau
of Indian Affairs
Date: June 16, 1997
**********DISCLAIMER**********
This file contains an ASCII representation of an OIG report. No attempt has been made to display
graphic images or illustrations. Some tables may be included, but may not resemble those in the
printed version.
A printed copy of this report may be obtained by referring to the PDF file or by calling the Office
of Inspector General, Division of Acquisition and Management Operations at (202) 208-4599.
******************************
United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240
MEMORANDUM
TO:
FROM:
SUBJECT SUMMARY:Automated Law Enforcement System, Bureau of Indian Affairs"
(No. 97-I-882)
Attached for your information is a copy of the subject final audit report. The objectives of
the audit were to: (1) determine whether the Bureau of Indian Affairs automated law
enforcement system, the Crime Reporting Information System (CRIS), met the law
enforcement reporting requirements of the Federal Bureau of Investigation and (2) provide
information to the Bureau of Indian Affairs that would assist it in implementing CRIS
effectively.
We found that CRIS is capable of meeting the law enforcement reporting requirements of
the Federal Bureau of Investigation and the operating needs of the Bureau of Indian Affairs.
However, the Bureau of Indian Affairs had not effectively communicated to law
enforcement field staff the efficiencies that could be gained by using CRIS. In addition,
CRIS was not implemented in compliance with Federal guidelines. To correct these
deficiencies, we recommended that the Bureau: (1) issue a law enforcement handbook to
require CRIS case report forms to be used for law enforcement case reporting; (2) instruct
law enforcement personnel about utilizing CRIS in preparing case reports; and
(3) implement CRIS to be in compliance with guidelines issued by the Office of
Management and Budget and Federal Information Processing Standards Publications.
Based on the Bureau's response to our three recommendations, we considered two
recommendations resolved and implemented and one recommendation resolved but not
implemented.
If you have any questions concerning this matter, please contact me at (202) 208-5745 or
Mr. Robert J. Williams, Assistant Inspector General for Audits, at (202) 208-4252.
Attachment
A-IN-BIA-001-96
United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240
AUDIT REPORT
Memorandum
To: Assistant Secretary for Indian Affairs
From: Robert J. Williams
Assistant Inspector General for Audits
Subject: Audit Report on the Automated Law Enforcement System, Bureau of Indian Affairs
(No. 97-I-882)
INTRODUCTION
This report presents the results of our audit of the Bureau of Indian Affairs automated law
enforcement system, the Crime Reporting Information System (CRIS). Our audit was
conducted as part of our review of the Department of the Interior's automated law
enforcement systems. The audit objectives were to: (1) determine whether CRIS met the
law enforcement reporting requirements of the Federal Bureau of Investigation and (2)
provide information to the Bureau of Indian Affairs that would assist it in implementing
CRIS effectively.
BACKGROUND
The Bureau of Indian Affairs Division of Law Enforcement Services is responsible for
providing administrative control and operational oversight for approximately 175 Bureau and
tribal law enforcement operations. 1 As part of that responsibility, the Division maintains
data concerning offenses, incidents, and services within the areas of its jurisdiction and
creates and distributes information to support operational, administrative, and planning needs
on behalf of the Division, Bureau management, area offices, agency offices, tribes, and tribal
police agencies and courts.
lEach operation can encompass more than one site; for example, the Navajo operation had seven
detention
sites, each requiring both hardware and software to implement CRIS.
Under the Uniform Federal Crime Reporting Act of 1988 (Public Law 100-690), which was
effective on January 1, 1989, the Congress mandated that all Federal agencies with law
enforcement responsibility report crime statistics. In response to the Act, the Federal Bureau
of Investigation requires that the crime statistics be reported in a uniform computerized
format into its automated system, the National Incident Based Reporting System (NIBRS).
The NIBRS program, which also became effective on January 1, 1989, as defined in
Volumes I-III of the "Uniform Crime Reporting, National Incident-Based Reporting System"
and the "Supplemental Guidelines for Federal Participation, " requires Federal agencies to
submit, on a monthly basis, information on 22 offense categories for each crime investigated
(the offense categories are in Appendix 1). The information to be reported includes the
following: location of the crime; race, sex, and age of the offenders; information about the
victims and property involved in the crime; and information on the arrests, such as arrest date
and type of apprehension. At the time of our review, which was conducted from February
to May 1996, the Department was reporting criminal investigation data under the Uniform
Crime Reporting Program instead of the NIBRS. The Program, which is the predecessor of
NIBRS, requires summary information to be submitted monthly to the Federal Bureau of
Investigation on the number of crimes investigated for only eight offense categories (see
Appendix 1).
Between January and March 1990, the Bureau of Indian Affairs phased the Integrated Police
Law Enforcement Management System (IPLEMS) into operation, which was to: (1) provide
police and other law enforcement personnel a readily available data base on people who had
a criminal record; (2) permit the dispatching of police to locations where their assistance was
needed; (3) collect the data on the incident and description of the incident; and (4) provide
for case management and reporting. However, in 1991, the Bureau determined that IPLEMS
did not meet the reporting requirements of NIBRS and decided to stop operating IPLEMS
once a new system was on-line.
In fiscal year 1991, the Division conducted an analysis of alternatives for a new system and
concluded that a personal computer-based system should be implemented as a short-term
solution for the Bureau to meet NIBRS requirements. In 1992, the Division defined the
detailed specifications for the personal computer-based system in a report entitled
"Recommended Technical Specifications for the Short-Term Solution to NIBRS Reporting
Requirements." In May 1994, the Bureau received Departmental approval to acquire the
hardware, software, and communications and network equipment required to implement the
recommended system, the Indian Law Enforcement Information Network (INLINE). In
August 1994, the Bureau purchased CRIS, an off-the-shelf software system, from Eaglesun
Systems Products, Inc., which was the application software component of INLINE. CRIS
can be operated on stand-alone personal computers or on local area networks. At the time
of our review, CRIS was in operation at 33 of the Bureau's more than 300 sites planned for
implementation of the system.2
2These sites include police departments and criminal investigative agencies, which are tribal police
departments
and Bureau area and agency offices; Bureau law enforcement administrative offices; and Bureau and
tribal
detention facilities.
2
SCOPE OF AUDIT
We did not include the controls or operation of IPLEMS in our review because IPLEMS was
being replaced by CRIS. As such, we limited our audit scope to reviewing the general and
application controls and system operations that had been implemented with CRIS. We
reviewed Bureau system documentation and CRIS operation as implemented at the Bureau's
Division of Law Enforcement Services office, in Albuquerque, New Mexico, and the Navajo
Department of Law Enforcement, in Window Rock, Arizona.
This audit was conducted in accordance with the "Government Auditing Standards," issued
by the Comptroller General of the United States. Accordingly, we included such tests of
records and other auditing procedures that were considered necessary under the
circumstances. As part of our review, we evaluated the system of internal controls over
CRIS to the extent that we considered necessary. The internal control weaknesses that we
found are discussed in the Results of Audit section of this report. If implemented, these
recommendations should improve the internal controls in these areas.
We also reviewed the Secretary's Annual Statement and Report to the President and the
Congress, which is required by the Federal Managers' Financial Integrity Act, for 1994 and
1995 to determine whether any reported weaknesses were within the objectives and scope
of our audit. We found that one material control weakness applicable to the Bureau of Indian
Affairs, cited in the 1994 report, was within the scope of this review. In that regard, the
report stated:
. . . the [Bureau's] Law Enforcement Program does not have an effective
information system necessary to meet its responsibilities under the
Uniform Federal Crime Reporting Act (P.L. 100-690). The Division of
Law Enforcement has been operating without a nationwide law
enforcement information system since January 1986. A new system
(IPLEMS [Integrated Police Law Enforcement Management System])
was phased into the operation in January 1990. There was inadequate
management and oversight of the standards for operation, lack of user
friendliness in the system, lack of compliancy with the National Incident
Based Reporting System (NIBRS), and unreasonable training
expectations.
To correct the material weakness, the Bureau said that it planned to implement, by 1994, a
new system, CRIS. The target date for implementation was revised subsequently to January
1996. The Secretary's Annual Statement and Report to the President and the Congress for
1995 indicated that this weakness had been corrected in 1995. Although the Bureau stated
that CRIS had not been fully implemented, the issue was removed from the material
weakness list as not meeting the Department's criterion for reporting outside the Department.
Based on our current review, we concluded that when CRIS is fully implemented, the
material weakness should be corrected.
3
PRIOR AUDIT COVERAGE
During the past 5 years, neither the General Accounting Office nor the Office of Inspector
General has issued any reports related to the scope of this review. However, in June 1989,
the Office of Inspector General did issue one report related to the scope of this review. The
report, "Law Enforcement Activities, Bureau of Indian Affairs" (No. 89-84), stated that the
Bureau had not planned, supervised, or controlled investigative activities in accordance with
requirements stated in the Departmental Manual and by the President's Council on Integrity
and Efficiency. To address these deficiencies, the report recommended that the Assistant
Secretary for Indian Affairs, in coordination with the Assistant Secretary for Policy, Budget
and Administration (now the Assistant Secretary for Policy, Management and Budget),
establish a management information system which: (1) could track and provide uniform
reports on cases and productivity for Bureau law enforcement activities and (2) had the
capability for use and information exchange by all Departmental bureaus. The
recommendation was designated as implemented when the Bureau began to use IPLEMS in
1990. Based on our review, we believe that if CRIS is implemented as planned, it could
meet these requirements effectively.
RESULTS OF AUDIT
We determined that CRIS is capable of meeting the Federal Bureau of Investigation's law
enforcement reporting requirements and the Bureau of Indian Affairs operating needs, such
as tracking cases and issuing uniform reports on cases and productivity. However, to ensure
that CRIS meets these reporting requirements, operates effectively, and has adequate internal
controls to safeguard law enforcement data, we believe that the Bureau should require the
use of CRIS by law enforcement staff and implement internal controls for security of data.
Utilization
CRIS can be used by law enforcement staff as the initial entry point for case report
information and as the source for maintaining law enforcement case data. However, the
Division had not effectively communicated the efficiencies that could be gained by using
CRIS to field staff. Specifically, some law enforcement personnel prepared case reports
manually or used word processing software, which resulted in duplication of effort by law
enforcement personnel in preparing case reports, and did not use CRIS for maintaining case
reports. In addition, CRIS had forms that could be used by law enforcement staff for case
reports; however, the CRIS forms had not been identified as the appropriate forms to be used
for case reports in the Bureau Manual (68 BIAM, Supplement 5). The Division has delayed
changing the required format for reporting case information contained in the Bureau Manual
to match the reports produced by CRIS until CRIS is implemented Bureauwide. Thus, based
on observations at the sites visited and discussions with Bureau law enforcement personnel,
we determined that law enforcement personnel were not using CRIS for case reporting in at
least 20 percent of Bureau sites where CRIS had been implemented.
Internal Controls
CRIS as implemented does not comply with Office of Management and Budget Circular
A-13O, "Management of Federal Information Resources," and Federal Information
Processing Standards Publications 88 and 112, "Guideline on Integrity Assurance and
Control in Database Administration" and "Password Usage," respectively, on computer
security. Specifically, the Bureau had not activated the security features available in the
existing software because of the limited number of authorized users and the limited amount
of computer resources. Also, the Bureau had not developed and implemented system rules
for CRIS, such as documented procedures for system security, recovery, and operations.
Further, the Bureau had not developed a process to ensure that internal controls, such as
limiting password entry attempts and separating duties, operated as planned. Instead, the
Bureau relied on an individual's knowledge to ensure that adequate controls were in place
and were complied with. Consequently, the Bureau did not have reasonable assurance that
CRIS was updated with only authorized information and was protected from access by
unauthorized personnel. We believe that if the Bureau implements these minimal control
procedures, including an internal system review process, data will be better protected (see
Appendix 2).
Recommendations
We recommend that the Assistant Secretary for Indian Affairs ensure that:
1. The Bureau issues a law enforcement handbook to require CRIS case report forms
to be used for law enforcement case reporting.
2. Law enforcement personnel are instructed about utilizing CRIS in preparing case
reports.
3. CRIS is implemented in compliance with guidelines issued by the Office of
Management and Budget and Federal Information Processing Standards Publications, as
detailed in Appendix 2. If these controls are not implemented, the Bureau should document
its assessment and acceptability of the resultant risk.
Bureau of Indian Affairs Response and Office of Inspector General Reply
In the March 20, 1997, response (Appendix 3) to the drafl report from the Acting Assistant
Secretary for Indian Affairs, the Bureau concurred with the three recommendations. In
addition, the Bureau stated that the security module had been put on-line since the
completion of audit fieldwork. However, the Bureau requested that we revise
Recommendation 1 so that a different "vehicle" could be used to implement the
recommendation. Based on the response, we therefore revised Recommendation 1 and
consider the Bureau's response sufficient for the recommendation to be considered resolved
but not implemented. Also based on the response, we consider Recommendation 2 resolved
and implemented and Recommendation 3 resolved but not implemented. Accordingly, the
5
unimplemented recommendations will be referred to the Assistant Secretary for Policy,
Management and Budget for tracking of implementation.
Since the report's recommendations are considered resolved, no further response to the
Office of Inspector General is required (see Appendix 4).
The legislation, as amended, creating the Office of Inspector General requires semiannual
reporting to the Congress on all audit reports issued, actions taken to implement audit
recommendations, and identification of each significant recommendation on which corrective
action has not been taken.
We appreciate the assistance of Bureau of Indian Affairs personnel in the conduct of our
audit.
6
REPORTABLE
APPENDIX1
OFFENSE CATEGORIES
National Incident Based Reporting System
1.
2.
3.
4.
5.
6.
7.
8,
9.
10.
11,
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
Homicide Offenses
Murder and nonnegligent manslaughter
Negligent manslaughter
Justifiable homicide
Sex Offenses, Forcible
Forcible rape
Forcible sodomy
Sexual assault with an object
Forcible fondling
Robbery
Assault Offenses
Aggravated assault
Simple assault
Intimidation
Burglary/Breaking and Entering
Larceny/Thefl Offenses
Pocket-picking
Purse-snatching
Shoplifting
Thefl from building
Theft from coin-operated machine or device
Theft from motor vehicle
Theft of motor vehicle parts or accessories
All other larceny
Motor Vehicle Theft
Arson
Bribery
Counterfeiting/Forgery
Destruction/Damage/Vandalism of Property
Drug/Narcotic Offenses
Drug/narcotic violations
Drug equipment violations
Embezzlement
Extortion/Blackmail
Fraud Offenses
False pretenseslswindle fconfidence game
Credit card/automatic teller
Machine fraud
Impersonation
Welfare
Wire fraud
Gambling Offenses
Betting/wagering
Operating/promoting/assisting gambling
Gambling equipment violations
Sports tampering
Kidnaping/Abduction
Pornography/Obscene Material
Prostitution Offenses
Prostitution
Assisting or promoting prostitution
Sex Offenses, Nonforcible
Incest
Statutory rape
Stolen Property Offenses (receiving, etc.)
Weanon Law Offenses
Uniform Crime Reporting Program
1. Homicide
Murder and nonnegligent manslaughter
Manslaughter by negligence
2. Forcible Rape
Rape by force
Attempts to commit forcible rape
3. Robbery
Firearm
Knife or cutting instrument
Strong-arm, hands, fists, feet, etc.
Other dangerous weapons
4. Aggravated Assault
Firearm
Knife or cutting instrument
Other dangerous weapons
Hands, fist, feet, etc.
5. Burglary
Forcible entry
Unlawful entry
Attempted forcible entry
6. Larceny - Theft (except motor vehicle)
7. Motor Vehicle Theft
Autos
Trucks and buses
Other vehicles
8. Arson
Structural
Mobile
Other
r-
APPENDIX 2
AUTOMATED INFORMATION SYSTEMS -
SECURITY AND CONTROLS
The Division of Law Enforcement Services should implement, at a minimum, controls cited
in Appendix III of Office of Management and Budget Circular A-130 ("Management of
Federal Information Resources") and Federal Information Processing Standards Publications
88 and112 ("Guideline on Integrity Assurance and Control in Database Administration" and
"Password Usage," respectively) as follows:
- Formally assign responsibility for security to specific individuals, and develop and
document a system security plan.
- Document procedures for system security, including procedures for reviewing and
evaluating recently implemented audit trail/logging features, system recovery, and the basis
for providing access to the Crime Reporting Information System (CRIS) to ensure that
reliance is not limited to an individual's knowledge of verbal procedures.
- Update the Bureau of Indian Affairs strategic plan to reflect the current status of the
implementation of CRIS and future requirements/plans to ensure that the integration of
information resources management planning with agency strategic planning promotes the
appropriate application of information resources.
- Limit the number of allowed password entry attempts to a number specified by the
Security Officer, and require that users be reauthorized after the specified number of entry
attempts is exceeded.
- Require that passwords consist of a minimum of four characters/numbers.
- Require adequate separation of duties relating to data entry, data approval, and system
administrative functions.
APPENDIX 3
Page 1 of 2
United States Department of the Interior
OFFICE OF THE SECRETARY
Washington, D.C. 20240
Memorandum
To: Assistant Inspector General for Audits
From: Acting Assistant Secretary - Indian Affairs & 4L
Subject: Draft Audit Report on Automated Law Enforcement Syste~ Bureau of Indian AtXairs
(Assignment No. A-IN-BIA-001-96)
The subject drafl audit report includes three recommendations to improve the automated law
enforcement system of the Bureau of Indian AfFairs. The Bureau agrees with the intent of the three
recommendations, but proposes an alternative action for Recommendation 1.
The Office of Law Enforcement Semites (Office) refers to the automated law erdiorcement system
as the Indian Law Enforcement Information Network (INLINE). INLINE utilizes an off-the-shelf
software "Crime Reporting Information System" (CRIS). CRIS, developed by Eaglesun Systems
Products, Inc., was purchased by the Bureau in August 1994. Because the draft audit report refers
to the automated law erd?orcement system as "CRIS," we will use CRIS in the response to refer to
the automated system.
At the time of the audit CRIS was in the initial stages of implementation and not all "modules" were
in use; most significantly the "security module" was not operational. Since the audit field work was
completed, the security module has been put on line.
Our responses to the three recommendations contained in the report are provided below:
Recommendation 1: We recommend that the Assistant Secretary for Indian AfFairs ensure
Bureau Manual (68 BIAM) is revised to require CRIS case report forms to be used
eniiorcement case reporting.
that the
for law
Response: We request that this recommendation be revised to read: "We recommend that the
Assistant Secretary for Indian Affairs ensure that the Bureau issue a law entlorcement handbook to
require CIUS case report forms to be used for law enforcement case reporting. " A manual is an
inappropriate vehicle for providing detailed technical guidance on procedures. The Bureau is
developing a handbook which will require the use of the CRIS case reporting forms for all locations.
The handbook will be completed by May 30, 1997; Mr. Tony Chewiwi, the Acting Director, Office
of Law Enforcement Services is the responsible official.
APPENDIX 3
Page 2 of 2
2
Recommendation: WerecommendthattheAssistantSecretary for Indian A.fMsrnsurethatlaw
entlorcement personnel are instructed about utilizing CRIS in preparing case reports
Response: In response to the audit findings, the Bureau sent trainers back to the Ilavajo Area in
order to provide additional assistance to the law enforcement staff in the use of C.SUS. In early
March the Office's Division of Information Management was co-located with the Indian Police
Academy in Artesi~ New Mexico. Moving the Division to the Academy will enhance the
effectiveness and efficiency of CRIS training by integrating it into the regular curriculum for Indian
Law Etiorcement Officers. This will also enable the Division to use the Federal Law Enforcement
Training Center's workstation complex to provide hands-on training. In additio% on-site training will
continue to be provided to the law enforcement personnel as CRIS is installed at the various
locations.
We consider this recommendation to be resolved and implemented.
Recommendation 3: We recommend that the Assistant Secretary for Indian AiThirs ensure that
CRIS is implemented in compliance with guidelines issued by the Office of Management and Budget
and the Federal Information Processing Standard Publications as detailed in Appendix 2. If these
controls are not implemented, the Bureau should document its assessment and acceptability of the
resultant risk.
Response The Bureau concurs with this recommendation. As a part of the documentation of CRIS,
a system security plan will be developed in accordance with OMB Circular A-130. The security plan
will be forwarded to the Bureau's designated automated information systems security officer. The
plan will be completed in July 1997; Mr. Craig Jones, Superviso~ Computer Specialist, Office of
Law Etiorcement Services, is responsible for preparation of the security plan.
10
APPENDIX 4
STATUS OF AUDIT REPORT RECOMMENDATIONS
Finding/
Recommendation
Reference Status Action Required
1 and 3 Resolved; not No further response to the Office of
implemented Inspector General is required. The
recommendations will be referred to the
Assistant Secretary for Policy,
Management and Budget for tracking of
implementation.
Implemented
No further action is required.
11
ILLEGAL OR WASTEFUL ACTIVITIES
SHOULD BE REPORTED TO
THE OFFICE OF INSPECTOR GENERAL BY:
Sending written documents to: Calling:
Within the Continental United States
U.S. Department of the Interior Our 24-hour
Office of Inspector General Telephone HOTLINE
1849 C Street, N.W. 1-800-424-5081 or
Mail Stop 5341 (202) 208-5300
Washington, D,C. 20240
TDD for hearing impaired
(202) 208-2420 or
1-800-354-0996
Outside the Continental United States
Caribbean Retion
U.S. Department of the Interior (703) 235-9221
Office of Inspector General
Eastern Division - Investigations
1550 Wilson Boulevard
Suite 410
Arlington, Virginia 22209
North Pacific Region
U.S. Department of the Interior (700) 550-7428 or
Office of Inspector General COMM 9-011-671-472-7279
North Pacific Region
238 Archbishop F.C. Flores Street
Suite 807, PDN Building
Agana, Guam 96910
. 0 . . . . - . . . . . .- . ..-.-...0 -* -*--- w
Toll Free Numbers:
1-800-424-5081
TDD 1-800-354-0996
FTS/Commercial Numbers:
(202) 208-5300
TDD (202) 208-2420
1849 C Stree~ N.W.
Mail Stop 5341
Washington, D.C. 20240
-
?.6.. o P= \/
**A*