[Audit Report on General Controls Over the Automated Information System, Royalty Management Program, Minerals Management Service]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 98-I-336

Title: Audit Report on General Controls Over the Automated Information
       System, Royalty Management Program, Minerals Management
       Service

     Date:  March 24, 1998



                  **********DISCLAIMER**********

     This file contains an ASCII representation of an OIG report.  No attempt
     has been made to display graphic images or illustrations.  Some tables
     may be included, but may not resemble those in the printed version.

     A printed copy of this report may be obtained by referring to the PDF
     file or by calling the Office of Inspector General, Division of
     Acquisition and Management Operations at (202) 208-4599.

                  ******************************




     U.S. Department of the Interior
     Office of Inspector General
         
         
         
     AUDIT REPORT
         
         
     GENERAL CONTROLS OVER THE AUTOMATED INFORMATION SYSTEMS,
     ROYALTY MANAGEMENT PROGRAM, MINERALS MANAGEMENT SERVICE
         
     REPORT NO. 98-I-336
     MARCH 1998
         
         
         
         
     Memorandum
  

     To:       Director, Minerals Management Service
  
     From:     Robert J. Williams
               Acting Inspector General 
  
     Subject:  Audit Report on General Controls Over the Automated
               Information System, Royalty Management Program,
               Minerals Management Service (No. 98-I-336)
  
  
  
     INTRODUCTION

     This report presents the results of
     our audit of the general controls over the automated information
     system at the Minerals Management Service's Royalty Management
     Program. We performed this audit to support our audit of the
     Service's financial statements, which is required by the Chief
     Financial Officers Act. The objective of this audit was to evaluate
     the adequacy of the general controls over the Program's automated
     information system in the areas of security program development,
     physical and logical access, software development and change
     management, separation of duties, system software, and service
     continuity.
  
     BACKGROUND
  
     The Minerals Management Service's Royalty Management Program is
     responsible for collecting and disbursing revenues of about $4
     billion annually that are generated from leasing Federal and Indian
     lands and for collecting royalties for minerals extracted from leased
     lands. To aid in accomplishing its mission objectives and meeting its
     financial reporting requirements, the Program uses an automated
     information system that includes a mainframe computer, a
     minicomputer, and personal computers and servers which support local
     area networks for each Program division, a wide area network, and an
     enterprisewide network. For collecting rents and royalties, the
     Program primarily uses the mainframe computer. For disbursing rents
     and royalties, verifying collections, and reporting financial
     information, the Program uses all of the components of its automated
     information system.
  
     The Program's mainframe computer, minicomputer, and some of the
     personal computers and servers are located in three buildings at the
     Denver Federal Center, in Denver, Colorado. The Program also has
     personal computers and servers located in leased buildings in Golden,
     Colorado, and at Program division offices in Dallas and Houston,
     Texas.
  
     Since 1992, Program management has been planning, developing, and
     moving to a "client/server" processing environment.  In a
     client/server environment, data are more difficult to protect.
     Specifically, the data are stored and processed in multiple
     locations, and the data must travel through telecommunication systems
     between the clients and the servers where the data are inherently
     susceptible to being released to unauthorized outside parties, lost,
     or damaged. Additionally, the Program's data are "proprietary";
     therefore, if access to the data is denied or if the data are
     inappropriately released, lost, or damaged, the Program, suppliers of
     the data, or others having an interest in the data could be adversely
     impacted.
  
     The Program's automated information system was operated and maintained
     by the contractor American Management Systems Operations Corporation.
     The contract with the Corporation requires the Corporation to: (1)
     maintain system software; (2) maintain and develop application
     software; and (3) maintain other software, such as teleprocessing and
     general utilities.
  
     Overall system security policies for the Program are established by
     the Installation Automated Information System Security Officer,
     within the Program's Systems Management Division. System security
     administration for the mainframe computer, the minicomputer, the wide
     area network, and the enterprisewide network is the responsibility of
     the Corporation. Security administration for the Program's local area
     networks is the responsibility of each of the Program's seven
     divisions, which consist of the Accounting and Reports Division, the
     Royalty Valuation Division, the Systems Management Division, the
     State and Indian Compliance Division, and the Compliance Divisions at
     Dallas and Houston, Texas, and Lakewood, Colorado.
  
     SCOPE OF AUDIT
  
     To accomplish our objective, we reviewed the general controls that
     were in place during January through June 1997. Specifically, we
     reviewed the controls in six major areas: security program
     development; logical and physical access; software development and
     change management; separation of duties; system software; and service
     continuity. We interviewed Program and contractor personnel, reviewed
     systems documentation, observed and became familiar with computer
     center operations and network components, analyzed system security,
     and evaluated service continuity procedures and testing. In addition,
     we reviewed procedures to maintain system and application software
     for the mainframe computer, the local area networks, the wide area
     network, and the enterprisewide network. Because our review was
     limited to evaluating the adequacy of general controls over the
     automated information system, we did not evaluate the effectiveness
     of manual control procedures that may have operated as compensating
     controls for the automated information system general controls. While
     our objective was to review the general controls of the automated
     information system, the primary emphasis was on the servers that
     supported data processed and maintained on the local area, wide area,
     and enterprisewide networks.
  
     Our audit, which was conducted during December 1996 through August
     1997 at the Program's facilities in Denver and Golden, was made in
     accordance with the "Government Auditing Standards," issued by the
     Comptroller General of the United States. Accordingly, we included
     such tests of records and other auditing procedures that were
     considered necessary under the circumstances.
  
     As part of our audit, we evaluated the internal controls that could
     adversely affect the Program's automated information system. The
     control weaknesses that we found are summarized in the Results of
     Audit section and discussed in detail in Appendix 1 to this report.
     If implemented, our recommendations should improve the internal
     controls in the areas reviewed. Because of inherent limitations in
     any system of internal controls, losses, noncompliance, or
     misstatements may occur and not be detected. We also caution that
     projecting our evaluations to future periods is subject to the risk
     that controls or the degree of compliance with the controls may
     diminish.
  
     PRIOR AUDIT COVERAGE
  
     During the past 5 years, the General Accounting Office has not issued
     any reports related to the objective and scope of this audit.
     However, in July 1997, the Office of Inspector General issued the
     report "Royalty Management Program's Automated Information Systems,
     Minerals Management Service" (No. 97-I-1042), which identified
     weaknesses in mainframe application software development and change
     management. During our current audit, we noted that Program
     management had agreed with the seven recommendations made in our
     prior audit report and that two of the seven recommendations had been
     implemented. One of the implemented recommendations and three of the
     recommendations that were resolved but not implemented affected the
     change request process (change management), which is discussed in the
     scope of this audit. We further noted that implementation of the
     three recommendations was delayed because of the priority of
     implementing the changes mandated by the Federal Oil and Gas Royalty
     Simplification and Fairness Act of 1996.
  
     RESULTS OF AUDIT
     
     The Royalty Management Program had established general controls over its
     automated information system; however, except for the controls over
     physical access to the automated information system, we concluded that
     the general controls were not adequate in the six major areas reviewed.
     Office of Management and Budget Circular A-130, "Management of Federal
     Information Resources," and National Institute of Standards and
     Technology publications require Federal agencies to establish and
     implement computer security and management and internal controls to
     improve the protection of sensitive information in the computer
     systems of executive branch agencies. Additionally, the Congress
     enacted laws, such as the Privacy Act of 1974 and the Computer
     Security Act of 1987, to improve the security and privacy of
     sensitive information in computer systems by requiring executive
     branch agencies to ensure that the level of computer security and
     controls over the sensitive information is adequate. Further, the
     Department of the Interior and the Program have issued policies and
     procedures to implement general controls to protect sensitive data in
     automated information systems. The controls were not adequate because
     Program management had not established necessary policies and
     procedures, had not assigned responsibilities for ensuring that
     policies and procedures were developed and followed, and had not held
     officials accountable for noncompliance with the established
     controls. The lack of adequate controls increased the risk of (1)
     unauthorized access and modifications to and disclosure of Program
     data, (2) theft or destruction of Program software and sensitive
     information, and (3) loss of critical Program systems and functions
     in the event of a disaster or system failure.
  
     Overall, we identified 13 weaknesses and made 23 recommendations for
     improving the general controls over the Program's automated
     information system. A summary of the weaknesses noted in the six
     major areas is provided in the following paragraphs, and specific
     details of the weaknesses and our respective recommendations to
     correct these weaknesses are in Appendix 1.
  
     Security Program Development
  
     We found weaknesses in the automated information system security
     program. Specifically, Program management did not identify and
     address all risks affecting proprietary and financial data in the
     automated information system, did not have adequate security-related
     personnel policies and procedures, and did not have security
     awareness statements on file for all employees who used the automated
     information system. As a result, there was an increased risk that
     sensitive data may be impaired or compromised by individuals and that
     data may be inadvertently disclosed or destroyed or erroneously
     modified. We made seven recommendations to address these weaknesses.
  
     Access Controls
  
     We found weaknesses in logical access controls over the Program's
     automated information system. These weaknesses were in the areas of
     resource classification, default settings, commercial off-the-shelf
     software access controls, access levels granted to users, and numbers
     of allowed log-in attempts. As a result, there was an increased risk
     that sensitive data maintained on the automated information system
     were vulnerable to unauthorized access, manipulation, and disclosure.
     We made eight recommendations to address these weaknesses.
  
     Software Development and Change Management
  
     We found that the controls over changes to client/server application
     software were not adequate. Specifically, Program management did not
     have controls to ensure that client/server application software
     changes were authorized, approved, and tested before being moved into
     production. As a result, there was an increased risk that the most
     critical client/server application software changes were not made and
     that client/server applications would not perform as intended. We
     made one recommendation to address this weakness.
  
     Separation of Duties
  
     We found that Program management did not separate the duties of the
     client/server application programmers from the duties of the users
     and did not separate the duties of client/server security
     administrators from reviewers. As a result, there was an increased
     risk that accidental or intentional actions by programmers could
     threaten the integrity of the Program's data and disrupt system
     processing and that inappropriate actions by security administrators
     would not be detected, or would not be detected in a timely manner.
     We made two recommendations to address these weaknesses.
  
     System Software Controls
  
     We found that the controls over system software were not adequate in
     detecting and determining inappropriate use. Specifically, the
     security software in use for the mainframe computer was no longer
     supported by the vendor, and available mainframe computer system
     audit tools to ensure integrity over system processing and data were
     not used. As a result, there was an increased risk that programs and
     data files would not be protected from unauthorized access and that
     inappropriate mainframe computer system initialization and processing
     would not be recorded and identified. Additionally, without periodic
     reviews of the system audit trails, there was an increased risk that
     processing problems or unauthorized activities would not be detected,
     or would not be detected in a timely manner, and that the responsible
     individual or individuals would not be held accountable for the
     inappropriate action. We made four recommendations to address these
     weaknesses.
  
     Service Continuity
  
     We found that local area networks and personal computers used by the
     Program's divisions which maintain proprietary and financial data
     were not included in the Program's disaster recovery plans. As a
     result, there was an increased risk that critical systems may not be
     recovered in the event of a disaster or system failure. We made one
     recommendation to address this weakness.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In the January 21, 1998, response (Appendix 2) from the Director,
     Minerals Management Service, to our draft report, the Service stated
     that of the report's 24 recommendations, it "agree[d]" with 11
     recommendations, "partially agree[d]" with 2 recommendations, and
     "disagree[d]" with 11 recommendations. Based on the response, we
     deleted one recommendation (No. F.3) and revised one recommendation
     (No. I.1) in the draft report. Also based on the response, we
     consider 1 recommendation resolved and implemented and 12
     recommendations unresolved, and we request additional information for
     10 recommendations.  The status of each recommendation is in Appendix
     3, and the Service's responses to the recommendations and our
     comments are presented within each finding.

     Additional Comments on Audit Report
  
     The Service said that it "disagree[d]" with the overall "implicit
     conclusion" that the Royalty Management Program's automated
     information system was not in compliance with Office of Management
     and Budget Circular A-130 and that it believes that it is in
     "substantial compliance with the spirit and intent" of the Circular.
     Further, the Service stated that the audit report "does not actually
     deal with the overall or general controls" because we did not review
     redundant and compensating controls. In addition, the Service stated
     that "recurring management control reviews have addressed such manual
     controls and generally found they were working effectively or
     prompted corrective actions to resolve minor control deficiencies."
     Further, the Service stated that "audits performed under the Chief
     Financial Officers Act of 1990 have covered these controls, and each
     report concluded that our financial information was reliable."
  
     The criteria we used included not only Office of Management and Budget
     Circular A-130 but also standards and guidelines referenced in the
     Circular from the Department of Commerce (National Institute of
     Standards and Technology), the General Services Administration, and
     the Office of Personnel Management and policies and procedures of the
     Department and the Program. Since the controls cited in and
     referenced by Appendix III of Circular A-130 are "a minimum set of
     controls" to be included in an agency's automated information
     security program, we believe that any deviation from these minimum
     controls would indicate that an agency's automated information system
     security program does not reduce risk to an acceptable level and
     ensure that an agency is in compliance with the Circular. However,
     since our review identified weaknesses in the general controls over
     the automated information system in the areas of security program
     development, access controls, software development and change
     management, separation of duties, system software controls, and
     service continuity, we do not believe that the Service's "substantial
     compliance" with the minimum controls set forth in the Circular was
     adequate to address the potential risks identified by our review.
  
     While we stated that we did not evaluate the effectiveness of manual
     control procedures which may have operated as compensating controls
     in the scope section of the report, the audit staff did evaluate the
     general controls that were defined in the Program's policies and
     procedures.  Because redundant or compensating controls were not
     cited by the Program in its policies and procedures as the primary
     controls used to ensure the integrity, confidentiality, and
     availability of Program information, these controls were not
     evaluated.
  
     During the audit, we reviewed an Automated Information Systems Review
     that the Service performed in fiscal year 1996 which concentrated on
     the Program's change management controls over applications in the
     mainframe environment. The Service's review identified weaknesses
     concerning application testing and documentation that we also cited
     in the Prior Audit section of this report. Further, we found similar
     weaknesses in software development and change management controls in
     the client/server environment (see Finding I in Appendix 1).
  
     While we are not questioning that the financial statements were
     presented fairly, we found, as a result of our evaluation,
     inadequacies in the Program's general controls over the automated
     information system in the areas of security program development,
     access controls, software development and change management,
     separation of duties, system software controls, and service
     continuity. These weaknesses, identified with the general controls,
     will result in our having to raise the overall level of risk of
     possible loss associated with the internal control structure of the
     Royalty Management Program in future financial statement audits.
  
     Regarding system security, we agree that system security controls
     implemented should be measured against costs and risks. However, the
     Program did not provide evidence that such a measurement study was
     performed. Further, our findings identified breakdowns in existing
     controls cited in the Program's policies and procedures. While no
     system is completely free of errors, an adequate security program
     would provide a foundation for the Service to determine what controls
     were operating effectively and the level of risk that the Service is
     mitigating with these controls.
  
     We disagree that the Program is being held to "unattainable standards"
     because the standards we used were those cited in Appendix III of
     Circular A-130 as "the minimum set of controls" to be included in an
     agency's automated information security program. In addition, in our
     evaluation of the Program's general controls as defined in its
     policies and procedures, we found that the controls were not
     operating effectively.
  
     We disagree with the Service's statement that our findings did not
     demonstrate a "single negative impact" because the impact of these
     inadequacies taken as a whole indicates that there is no assurance
     that the overall risk to the Program was at an acceptable level.
  
     In accordance with the Departmental Manual (360 DM 5.3), we are
     requesting a written response to this report by April 17, 1998. The
     response should provide the information requested in Appendix 3.
  
     The legislation, as amended, creating the Office of Inspector General
     requires semiannual reporting to the Congress on all audit reports
     issued, actions taken to implement audit recommendations, and
     identification of each significant recommendation on which corrective
     action has not been taken.
  
     We appreciate the assistance of Minerals Management Service personnel
     in the conduct of our audit.  

     A. Risk Assessments
  
     Condition: Risk assessments of the Royalty Management Program's
     automated information system did not identify and address all risks
     affecting proprietary and financial data in the automated information
     system or correctly assess some of the risk elements. For example, we
     found that Program management did not:

          - Identify and address the impact that (1) converting to the year
     2000 would have on application processing, (2) using system security
     software which is no longer supported by the vendor could have on
     operations, and (3) having royalty and financial information on local
     area network applications and personal computer databases could have
     on operations.

          - Correctly assess the risk for the "Geopolitical" and "External
     Directives" elements, which were assessed as low risk. Significant
     geopolitical and external directives, such as the possible abolishment
     of the Program and the enactment of the Federal Oil and Gas Royalty
     Simplification and Fairness Act, have impacted the Program during the
     past 2 years. We believe that the level of risk associated with these
     elements was such that it increased the potential for lowering
     employee morale and thus increased the risk of sabotage or breach of
     other physical security measures, as well as the possibility of data
     errors and omissions that affect data and system integrity.
  
     Criteria: Office of Management and Budget Circular A-130, Appendix
     III, "Security of Federal Automated Information Resources," states
     that adequate security "includes assuring that systems and
     applications used by the agency operate effectively and provide
     appropriate confidentiality, integrity, and availability, through the
     use of cost-effective management, personnel, operational, and
     technical controls." The Circular further states that, although formal
     risk analyses need not be performed, "the need to determine adequate
     security will require that a risk-based approach be used." According
     to the Circular, "This risk assessment approach should include a
     consideration of the major factors in risk management: the value of
     the system or application, threats, vulnerabilities, and the
     effectiveness of current or proposed safeguards." Also, the National
     Institute of Standards and Technology's "An Introduction to Computer
     Security: The NIST Handbook" provides guidance on computer security
     risk management. The NIST Handbook specifically addresses the
     selection of safeguards to mitigate risk and the acceptance of
     residual risk. In addition, Program policy requires that local area
     network administrators participate in the risk assessment process.
  
     Cause: Program management did not ensure that risk assessments were
     performed in accordance with risk management guidelines. Specifically,
     the assessments did not address (1) all risks associated with its
     automated information system, (2) the selection of safeguards to
     mitigate risks, and (3) the acceptance of residual risk. In addition,
     Program management did not effectively communicate the responsibility
     of local area network administrators to participate in risk
     assessments and had not adequately addressed that local area network
     applications and personal computer databases should be included in
     the Program's security program.
  
     Effect: Without identifying all significant threats and
     vulnerabilities to the automated information system, Program
     management was unable to determine the most appropriate measures
     needed to protect against threats or reduce the vulnerabilities.
     Further, without including the Program's local area network
     applications and personal computer databases as part of the risk
     assessments, there was little assurance that all threats and
     vulnerabilities were identified and considered when Program security
     policies and plans were developed. Therefore, there was an increased
     risk that critical Program resources would not be adequately
     protected and that expensive controls would be implemented for
     resources that did not require significant protection.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Ensure that risk assessments are conducted in accordance with
     guidelines which recommend that risk assessments support the
     acceptance of risk and the selection of appropriate controls.
     Specifically, the assessments should address significant risks
     affecting systems, appropriately identify controls implemented to
     mitigate those risks, and formalize the acceptance of the residual
     risk.
  
     2.  Formally assign and communicate responsibility to local area
     network administrators to participate in risk assessments and ensure
     compliance with the Program's security policy.
  
     3.  Determine the risks associated with local area network
     applications and personal computer databases which contain
     proprietary and financial data and, based on the results of the risk
     assessments, establish appropriate security policies and procedures.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service provide
     additional information for Recommendation 3 and that it reconsider
     its responses to Recommendations 1 and 2, which are unresolved (see
     Appendix 3).
  
     Recommendation 1.  Nonconcurrence.
  
     Service Response. The Service stated that it "plans to enhance and
     better document" its risk assessment process. The Service further
     stated that it believed its "previous assessments were in accordance
     with guidelines" because of the "rapidly changing computing and
     communication environment."
  
     Office of Inspector General Reply. We disagree that "previous
     assessments were in accordance with guidelines." Office of Management
     and Budget Circular A-130, Appendix III, and referenced standards and
     guidelines of the National Institute of Standards and Technology
     state that "risk management is the process of assessing risk, taking
     steps to reduce risk to an acceptable level, and maintaining that
     level of risk." Since the Service did not address a number of
     significant conditions/issues that affect risks to the Program's
     automated information system, identify the risks associated with
     these conditions, or identify the controls in place to reduce the
     risks to an acceptable level, we believe that the Program's risk
     assessment process was not in accordance with the guidelines.
     Additionally, Appendix III of Circular A-130 was revised so that
     Federal computer security programs could better respond to the
     rapidly changing technological environment. Although the Service
     disagreed with the recommendation, we believe that its action to
     enhance and document its risk assessment process is indicative of its
     intent to comply with the recommendation. However, we request that
     the Service clarify its intent (see Appendix 3).
  
     Recommendation 2. Nonconcurrence.
  
     Service Response. The Service stated that policies "define the LAN
     [local area network] administrators' role in contingency planning and
     security," and it provided additional information to support its
     position.
  
     Office of Inspector General Reply. While the additional information
     did address the administrators' role in contingency planning and
     security, it did not address the recommendation. The "RMP Automated
     Information Systems Security Manual" states that administrators
     should participate in the risk assessment process. During our audit,
     we found that the administrators were not always aware of their
     responsibilities to identify risks and implement controls that would
     mitigate risks and that the administrators' individual position
     descriptions did not always address these responsibilities.
  
     Additional Comments on Finding
  
     The Service stated that it believes that we did not apply risk
     assessment criteria appropriately because "Circular A-130 states 'the
     Appendix no longer requires the preparation of formal risk analyses'
     and that risk assessments 'can be formal or informal, detailed or
     simplified, high or low level, quantitative (computationally based)
     or qualitative (based on descriptions or rankings), or a combination
     of these. No single method is best for all users and all
     environments.'"
  
     We agree that formal risk analyses are not required and that risk
     assessments can be formal or informal. However, we found that the
     Program's analyses were not based on risk-based management as
     described by Appendix III of Circular A-130 and referenced standards
     and guidelines of other Federal executive branch agencies and the
     Departmental Manual (375 DM 19). According to the NIST Handbook,
     risk-based management "is the process of assessing risk, taking steps
     to reduce risk to an acceptable level, and maintaining that level of
     risk." In its response, the Service provided additional information
     related to each of the examples in this finding. However, the
     additional information provided did not indicate that the Program
     used risk-based management in developing its controls.   

     B. Security-Related Personnel Policies and Procedures
  
         Condition:  The Program's security-related personnel policies and
     procedures were not adequate to ensure system integrity.
     Specifically, we found that:

             - Contractor employees received the same type of background
     check and security clearance regardless of their duties and the
     risk associated with the computer-related work they performed.
     Thus, contractor employees, such as system programmers and computer
     operators, who could bypass technical and operational controls,
     received the same security clearance as administrative assistants.

             - Computer-related work was not technically reviewed by
     contractor or Program personnel whose position sensitivity was
     greater than the position sensitivity of the individuals
     performing the work.

             - Contractor employees did not always submit requests for
     background checks for security clearances.  Further, the requests
     that were submitted for background checks were not submitted within
     the time frames specified in the contract. An average of 175
     calendar days elapsed, instead of the 2 weeks stipulated in the
     contract, between the dates the employees were hired and the dates
     the requests were received by the Minerals Management Service's
     Security Officer in Personnel for forwarding to the Office of
     Personnel Management. The Office of Personnel Management performed
     background checks for the same employees in an average of 84 days,
     and the Minerals Management Service approved the security clearances
     in an average of 22 days.  Thus, most of the delay in the security
     clearance process was attributable to contractor and Program
     personnel.

             - Systems Management Division employees did not have
     documentation to support that appropriate background checks for
     security clearances and required periodic followup background
     checks had been performed.
  
         Criteria:  The Departmental Manual (441 DM) specifies that
     position sensitivity should be based upon risk factors such as
     degree of public trust, fiduciary responsibilities, importance to
     program, program authority level, and supervision received. In
     addition, the Manual requires consideration of automated data
     processing (ADP) factors, such as the level of responsibility and
     technical review of work, for incumbents who are responsible for
     planning, directing, and implementing computer security; planning,
     directing, implementing, operating, and maintaining computer
     systems; and accessing or processing automated information records
     systems that contain proprietary data. Further, work is to be
     technically reviewed by individuals filling ADP "critical-sensitive"
     positions when individuals filling ADP "noncritical-sensitive"
     positions perform computer work such as directing, planning,
     designing, operating, and maintaining a computer system to ensure
     system integrity. In addition, the terms of the contract require
     that the "assistant manager" positions' sensitivity level be ADP
     "critical-sensitive," that background check requests be submitted to
     the Service within 2 weeks after an employee's hire date, and that
     the employees be in probationary status until the background checks
     are completed and the security clearances are approved.
  
       Cause:  The Systems Management Division staff and the contractor
     staff who were responsible for technical reviews of the work were
     not in positions classified as ADP "critical-sensitive."
     Additionally, Program contracting personnel did not ensure that
     contractor personnel (1) submitted requests for background checks
     and (2) remained in probationary status and did not perform critical
     computer work until background checks were completed and security
     clearances were approved. Further, personnel or security files did
     not reflect that appropriate background checks or required periodic
     followup background checks were performed.

       Effect: As a result, there was an increased risk that employees
     would perform critical automated information system operations and
     maintenance work without appropriate oversight or adequate assurance
     that their backgrounds would warrant such trust.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Evaluate Systems Management Division and contractor ADP positions
     to determine position sensitivity in relation to risk and ADP
     factors. Also, assurance should be provided that automated
     information system work is technically reviewed by persons whose
     position sensitivity levels are greater than the position sensitivity
     levels of the employees who are performing the work.
  
     2.  Establish controls to ensure that the contractor is fulfilling its
     contractual obligation of submitting requests for background checks
     within the specified time frame and that contractor employees who are
     in probationary status and awaiting security clearances are not
     performing critical ADP work.
  
     3.  Establish controls to ensure that personnel or security files
     accurately reflect that background checks and periodic followup
     background checks are performed as required.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service provide
     additional information for Recommendations 1 and 2 and that it
     reconsider its response to Recommendation 3, which is unresolved (see
     Appendix 3).
  
     Recommendation 1. Partially concur.
  
     Service Response. The Service stated it planned to "reevaluate the
     position sensitivity level for the senior personnel in charge of the
     contractor activity to determine if those position[s] should be
     classified at a higher level. In accordance with Departmental
     criteria, most ADP [automated data processing] staff are designated
     noncritical sensitive. We doubt it was the OIG's [Office of Inspector
     General] intention to imply that all work must be reviewed by persons
     at a higher sensitivity level; however, this would be impossible in a
     multiple level organization because there are only two sensitivity
     levels from which to choose, i.e., 'noncritical-sensitive' and
     critical-sensitive.'"
  
     Office of Inspector General Reply. The Departmental Manual identifies
     four sensitivity levels. Further, although the Service indicated that
     some staff would have the next higher security level of
     "critical-sensitive" to perform technical reviews, we found that only
     one ADP staff position was classified as "critical-sensitive" and that
     the position was not responsible for performing technical reviews.
     Although the Service only partially concurred with the
     recommendation, we believe that the action to reevaluate position
     sensitivity levels is indicative of its intent to comply with the
     recommendation.
  
     Recommendation 2. Partially concur.
  
     Service Response. The Service said that it agreed that controls were
     needed to ensure that the contractor submitted requests for
     background checks in a timely manner. The Service further stated that
     the contractor had been "directed" and had "begun to track and is
     accountable for the status of its submission of these requests." The
     Service also said that it agreed that contractor employees awaiting
     clearances should be in "probationary status" but that having the
     employees not performing their assigned duties would be "unacceptably
     costly." According to the Service, it was "exploring alternatives"
     with the contractor such as having the contractor "perform a
     preliminary 'criminal and credit check' which is quick and
     inexpensive."
  
     Office of Inspector General Reply. Preliminary investigations would be
     a suitable alternative to prohibiting contractor employees from
     performing their assigned duties before the background clearances
     have been accomplished. Although the Service only partially concurred
     with the recommendation, we believe that its action to evaluate
     alternatives such as preliminary investigations is indicative of its
     intent to comply with this recommendation.
  
     Recommendation 3. Nonconcurrence.
  
     Service Response. The Service stated that controls are "in place to
     ensure that personnel or security files accurately reflect background
     checks."  The Service further stated that its Office of
     Administration and Budget "maintains documentation and a tracking
     system" on all security clearances and background checks of its
     employees and contractors. The Service stated that it disagreed with
     our statement that followup background checks are required, stating
     that it is in compliance with Department of the Interior guidance
     which states that followup checks "are authorized only for national
     security positions and not for public trust positions."
  
     Office of Inspector General Reply. The Office of Administration and
     Budget's documentation and tracking system, while serving as part of
     the control, did not ensure that personnel or security files
     accurately reflected that background checks were requested and
     documented in the "official personnel files" of the employees.
     Additionally, the Departmental guidance included by the Service was
     dated 1993; however, the Code of Federal Regulations (5 CFR 1), dated
     1997, states that followup background checks are required of
     employees in positions that are for national security and other
     positions considered to be "high risk." The Office's Security Officer
     verified that the Program has employees in "high risk" positions,
     such as the Chief, Systems Management Division; the Installation
     Security Officer; the Contractor's Project Manager; and supervisors
     within the Systems Management Division. As such, employees in these
     positions would be required to have followup background checks.  
 
     C.  Security Awareness Statements
  
         Condition:  We found that automated information system users did
     not have security awareness statements on file acknowledging the
     employees' acceptance of their responsibilities to safeguard the
     Program's proprietary data and assets.

         Criteria:  The Department's "Automated Information Systems
     Security Handbook" requires employees who use sensitive automated
     information system resources to sign statements acknowledging their
     responsibilities for the security of the resources. Additionally,
     the "RMP [Royalty Management Program] Automated Information Systems
     Security Manual" requires that employees sign a Minerals Management
     Service Security Statement, which acknowledges their
     responsibilities to safeguard Program-sensitive data and assets, and
     requires the Installation Automated Information System Security
     Officer (Installation Security Officer) to verify that security
     awareness statements are signed by the employees before their system
     access requests are approved.

       Cause:  Program management did not ensure that its employees signed
     security awareness statements. In addition, the Installation
     Security Officer did not ensure that security statements were on
     file before the Installation Security Officer approved access to the
     automated information system.

       Effect: As a result, employees may not be aware of their
     responsibilities to safeguard automated information system data and
     assets and thus may inadvertently disclose sensitive information.
  
     Recommendation:
  
     We recommend that the Director, Minerals Management Service, establish
     controls to enforce Program policy which requires employees to sign
     security awareness statements before access to system resources is
     approved by the Installation Automated Information System Security
     Officer.
  
  
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service
     reconsider its response to the recommendation, which is unresolved
     (see Appendix 3).
  
     The Service stated that while its own test sample confirmed that users
     have appropriate access to the Program's systems, it "concur[s] that
     [its] filing system for access approvals needed improvement." The
     Service further stated that all statements are "now consistently
     filed and reconciled by the ADP security officer."
  
     The Service agreed with the recommendation and said that it was
     implemented. However, while the security awareness statements
     referred to in the finding provide evidence that users accepted their
     responsibility to safeguard the Program's proprietary data and
     assets, these statements do not support the appropriateness of access
     to Program systems. Without familiarity with the methodology employed
     in the Service's test, such as sample selection and test performance,
     we must rely on the tests performed using statistical sampling
     software and generally accepted Government auditing standards
     followed by the audit staff. Further, the Service stated, in its
     response to Recommendation D.2, that "all MMS [Minerals Management
     Service] employees are granted access to view royalty, production,
     and reference data." Accordingly, if the Service's tests did not
     include all Service employees, there is no assurance that all
     statements have been filed and reconciled. Therefore, we consider
     this recommendation unresolved and request that the Service
     reconsider its response to the recommendation (see Appendix 3).
  
     D. Resource Classifications
  
         Condition:  The Program's computer resources (data files,
     application programs, and computer-related facilities and equipment)
     were not classified appropriately to determine the levels of access
     controls that should be implemented over the resources. For example,
     no "major application" was identified in the Program's annual
     security plan, even though the applications and data files were
     "proprietary" and critical to the Program in accomplishing its
     mission and reporting financial information. Further, access
     controls over sensitive data on the servers used by the Program's
     divisions were not as stringent as the access controls over
     sensitive data on the mainframe.

         Criteria:  Office of Management and Budget Circular A-130,
     Appendix III, directs agencies to assume that all major systems
     contain some sensitive information that needs to be protected but to
     focus extra security controls on a limited number of particularly
     high-risk or major applications. According to the NIST Handbook,
     "Security levels, costs, measures, practices, and procedures should
     be appropriate and proportionate to the value of and degree of
     reliance on the information systems and to the severity,
     probability, and extent of potential harm." Further, the
     determinations should flow directly from the results of risk
     assessments that identify threats, vulnerabilities, and the
     potential negative effects that could result from disclosing
     confidential data or failing to protect the integrity of data
     supporting critical transactions or decisions. Accordingly, Program
     policy requires that users be given access only to the resources
     needed to perform their assigned duties.

       Cause:  Program management had not identified the resources that
     needed significant protection.  Further, Program management did not
     require application owners who are responsible for approving user
     access levels to the applications to classify their resources based
     on the level of sensitivity of the information contained in their
     applications.

       Effect: As a result, there was an increased risk that resources
     were not adequately protected from unauthorized access and
     disclosure and therefore were subject to either accidental or
     intentional changes to computer operations and data.  Conversely,
     the level of protection provided for low-risk resources may be in
     excess of that required. Furthermore, Program management did not
     have a reliable basis for making critical decisions regarding
     security safeguards for its sensitive applications.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Ensure that individual computer resources are classified based on
     the level of sensitivity associated with each resource.
  
     2.  Evaluate controls over resources to ensure that the access
     controls have been implemented commensurate with the level of risk
     and sensitivity associated with each resource.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service
     reconsider its response to Recommendations 1 and 2, which are
     unresolved (see Appendix 3).
  
     Recommendation 1. Nonconcurrence.
  
     Service Response. The Service said that it believed that its "current
     classifications are appropriate." The Service further stated that its
     mainframe systems "receive heightened security because they are more
     mission critical, not because they are more sensitive" and that these
     systems "must be protected more strenuously to ensure the integrity
     of the official records." The Service also stated: "A more moderate
     level of protection is necessary for proprietary information than for
     mission critical information. The umbrella protection mechanism for
     all types of proprietary information is physical controls coupled
     with employee training."
  
     Office of Inspector General Reply. We disagree that the Service's
     current classifications are appropriate. In its response to
     Recommendation M.1, the Service indicated that the Program had not
     identified all "mission critical" systems. Further, in our opinion,
     mission critical systems resided on personal computers and local area
     networks that supported the Program's mission to accurately and
     timely disburse rents, bonuses, and royalty revenues to the U.S.
     Treasury, the states, and the Indian tribes, as well as financial
     transactions and external reporting. Additionally, the Service stated
     that the umbrella protection over its proprietary data, which do not
     reside on the mainframe computer, is limited to "physical controls"
     and "employee training."  However, these controls do not meet the
     minimum controls required for Federal automated information
     resources. The purpose of resource classification is to provide a
     basis for determining the controls necessary to ensure appropriate
     implementation of risk-based management, as required by Office of
     Management and Budget Circular A-130, Appendix III.
  
     Recommendation 2. Nonconcurrence.
  
     Service Response. The Service said that it believes that its "existing
     access controls over resources already meet the intent of this
     recommendation." The Service further stated that all of its employees
     "are granted access to view royalty, production, and reference data.
     Since most of this data is proprietary, employees are trained in its
     proper use and must sign statements acknowledging their
     responsibility to protect it. State and Tribal employees have access
     to such data within their jurisdictions only. The ability to add or
     change data is limited to those employees who require that access to
     perform their jobs."
  
     Office of Inspector General Reply. We disagree that the Service's
     existing access controls meet the intent of the recommendation. By
     its response, we inferred that the Service had not complied with the
     personnel control of "least privilege" required by Appendix III of
     Circular A-130 and the "RMP Automated Information Systems Security
     Manual." The Circular defines least privilege as "the practice of
     restricting a user's access (to data files, to processing capability,
     or to peripherals) or type of access (read [which means to view],
     write, execute, delete) to the minimum necessary to perform" an
     employee's job. Further, the Program's Manual states, "[P]rivileges
     granted to users are only those privileges that are absolutely
     necessary for job performance."  In addition, Appendix III of
     Circular A-130 and the Departmental Manual (375 DM 19) state that the
     "greatest threat" to most computer systems comes from authorized
     users. However, as stated by the Service, "All [Service] employees
     are granted access to view royalty, production, and reference data."
     Therefore, we believe that allowing all Service employees to have
     access to view Program data indicates that access controls were not
     implemented commensurate with the level of risk and sensitivity of
     each resource. Further, as cited in Findings E, F, and G in this
     report, controls over access were inadequate; therefore, we believe
     that the Service's current access controls over resources do not meet
     the intent of the recommendation.
  
     E. Default Settings Provided With Commercial Off-the-Shelf Software
  
         Condition:  Default settings provided with commercial
     off-the-shelf software were not removed after the software was
     installed and implemented. For example, we found that the default
     user identification (ID) and associated default password had not
     been removed when Program management upgraded to the latest version
     of the Integrated Data Management System (IDMS). The default user ID
     provides users with administrative privileges to establish and
     remove users and to access all mainframe computer resources.

         Criteria:  The "RMP Automated Information Systems Security
     Manual" requires that default user IDs and passwords be removed once
     commercial off-the-shelf software is implemented.

       Cause:  Rather than deleting the default user ID and password,
     Program management relied on the mainframe security software to
     protect against unauthorized access.

       Effect: As a result, there was an increased risk that the automated
     information system could be accessed by unauthorized users.
  
     Recommendation:
  
     We recommend that the Director, Minerals Management Service, implement
     controls to enforce Program policy that default user IDs and
     passwords are to be removed from the automated information system
     when commercial off-the-shelf software is implemented.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In its response, the Service indicated agreement with the
     recommendation. However, the Service needs to provide additional
     information for the recommendation (see Appendix 3).
  
     Additional Comments on Finding
  
     Even though the Service agreed with this recommendation, it stated
     that our conclusion was incorrect that "the use of this default ID
     allows access to all mainframe computer resources" because "the
     security architecture prevented" the misuse of resources. The
     security architecture requires that a user who wants to access the
     mainframe have a "valid RACF logon password" and a "user ID defined
     to the data dictionary." We disagree that the security architecture
     prevented the misuse of resources. Vendor documentation states that
     the default ID can be used to establish a user in the dictionary and
     perform all activities cited in this finding. In addition, we found
     that at least two applications did not rely on the Program's
     "security architecture."
  
     F. Commercial Off-the-Shelf Software Access Controls
  
         Condition:  Commercial off-the-shelf software access controls
     were not implemented to safeguard against unauthorized access to the
     mainframe computer, personal computers, and servers. Specifically,
     we found that:

             - Resource Access Control Facility (RACF) provides the
     capability to set rules for passwords in which the installation can
     require the use of specific characters (a mix of letters and
     numbers) within the passwords, but this feature was not used.

             - A default security setting was found on a server file that
     allows passwords to be unencrypted.
  
             - The "SECURE CONSOLE" command, which removes the Disk
     Operating System (DOS) from the server memory, was not found on a
     server file. The removal of DOS from the server memory prevents an
     individual from inserting a diskette into the server drive and
     loading unauthorized software that could perform such functions as
     changing passwords, establishing trustee rights, creating users, and
     assigning security levels. Also, the "SECURE CONSOLE" command
     disables the users' ability to change the server date and time, a
     change that would otherwise allow users to bypass access
     restrictions.
  
         Criteria:  Office of Management and Budget Circular A-130,
     Appendix III, requires agencies to establish controls to ensure
     adequate security for all information processed, transmitted, or
     stored in Federal automated information systems.  Also, the
     Department's "Automated Information Systems Security Handbook"
     states that proprietary, personnel, sensitive, and mission-critical
     information should be protected from unauthorized disclosure. In
     addition, the Program's Automated Information Systems Security
     Manual states that a mix of letters and numbers is recommended for
     passwords used to access the Program's automated information system.

       Cause:  The Program's policy recommended rather than required the
     use of a mix of both letters and numbers in passwords to access its
     automated information system. In addition, there was no centralized
     security administration for the local area networks and personal
     computers that contain proprietary and financial data, and no
     Program procedures were in place to ensure that controls were
     adequate to safeguard these local area networks and personal
     computers.

       Effect: As a result, there was an increased risk that unauthorized
     access could be gained to the automated information system, which
     could result in the loss of data and in unauthorized individuals
     gaining access to sensitive data files.

     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Evaluate the current Program policy which only recommends that
     passwords contain a mix of letters and numbers for all automated
     information system components. Implement, if the Program determines
     that a mix of letters and numbers should be required, the security
     software option within RACF that would enforce this requirement. If
     the Program determines that a mix of letters and numbers is not
     required, the risk should be addressed in the risk assessment.
  
     2.  Develop and implement centralized security administration for the
     local area networks used by the Program's divisions that contain
     proprietary and financial data.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In its response, the Service indicated agreement with both
     recommendations. However, the Service needs to provide additional
     information for Recommendations 1 and 2 (see Appendix 3).
  
     G. Access Levels Granted
  
         Condition:  We found that controls were not adequate to ensure
     that access levels granted     to users of the Program's automated
     information system were appropriate.      Specifically, access
     managers had not approved all automated information     system access
     granted to users of the access managers' applications and had not
     performed periodic reviews to determine who the users were and
     whether the     levels of access granted in the automated information
     system were the access     levels approved.
  
         Criteria:  The "RMP Automated Information Systems Security
     Manual" states that     supervisors and managers are responsible for
     ensuring that employees' ADP      access certifications are
     appropriate for the job they will perform before users     are set up
     to access the automated information system. Also, the "Generally
     Accepted Principles and Practices for Securing Information Technology
     Systems," issued by the National Institute of Standards and
     Technology, states:     "It is necessary to periodically review user
     account management on a system.      Reviews should examine the
     levels of access each individual has, conformity     with the concept
     of least privilege, whether all accounts are still active, [and]
     whether management authorizations are up-to-date."
  
       Cause:  Program management had not ensured that its policies were
     implemented effectively because access managers were not included in
     the process of approving access to the automated information system.
     Additionally, the Program's policies and procedures did not require
     that access managers perform periodic reviews of users' levels of
     access to application files and system records. In addition, Program
     management could not efficiently perform, through automated means,
     reconciliations of authorization forms against the access levels
     granted in the automated information system because the audit tools
     available for the automated information system had not been
     acquired. Although automated capabilities were not acquired, Program
     management could still ensure that user access levels were
     appropriate to the work performed through a recertification process
     whereby users resubmit their ADP access certifications annually.
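     The reconciliation described in the Cause paragraph (authorization
     forms compared against the access actually granted, with a
     recertification age limit) can be done without the mainframe audit
     tools once the grants have been exported. The following is an added
     example written for this report; it is not code from the Minerals
     Management Service or from the audit. The record layouts, the access
     level ordering, the role names that count as a valid approver, the
     one-year recertification interval, and all sample grants and
     certifications are constructed for illustration.

```python
"""Reconcile access actually granted in a system against the access
managers' approval records (the ADP access certifications).

Added example, not code from the Minerals Management Service or the
audit. Record layouts, level names, approver roles, the recertification
interval, and all sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Ordered access levels; a higher index means more privilege (assumption).
LEVELS = ["none", "read", "update", "alter"]

# Roles whose approval satisfies Program policy (assumption: the
# application/access manager or the Installation Security Officer; a
# supervisor's signature alone does not count).
APPROVER_ROLES = {"application_manager", "installation_security_officer"}


@dataclass(frozen=True)
class Grant:
    """A user's access as actually configured in the system."""
    user: str
    application: str
    level: str


@dataclass(frozen=True)
class Certification:
    """An ADP access certification on file."""
    user: str
    application: str
    level: str
    approved_by: str
    approved_on: date


def reconcile(grants, certs, today, max_age_days=365):
    """Compare grants with certifications and return findings by type.

    unapproved        grant with no certification, or one signed by a role
                      outside APPROVER_ROLES
    excess_privilege  grant level higher than the certified level
    recertify         certification older than max_age_days
    no_grant          certification on file but no account in the system
    """
    cert_index = {(c.user, c.application): c for c in certs}
    grant_index = {(g.user, g.application): g for g in grants}
    findings = {"unapproved": [], "excess_privilege": [],
                "recertify": [], "no_grant": []}
    for key, grant in grant_index.items():
        cert = cert_index.get(key)
        if cert is None or cert.approved_by not in APPROVER_ROLES:
            findings["unapproved"].append(grant)
            continue
        if LEVELS.index(grant.level) > LEVELS.index(cert.level):
            findings["excess_privilege"].append((grant, cert))
        if (today - cert.approved_on).days > max_age_days:
            findings["recertify"].append(cert)
    for key, cert in cert_index.items():
        if key not in grant_index:
            findings["no_grant"].append(cert)
    return findings


def unapproved_rate(findings, grants):
    """Share of grants lacking a valid approval (the audit's 10 percent test)."""
    return len(findings["unapproved"]) / len(grants) if grants else 0.0


# Constructed sample: ten grants exported from the system and the
# certifications on file for two hypothetical applications.
TODAY = date(1997, 9, 30)
AT, RL = "appeals_tracking", "royalty_ledger"
GRANTS = [
    Grant("asmith", AT, "update"), Grant("bjones", AT, "read"),
    Grant("cwu", RL, "alter"),     Grant("dlee", RL, "update"),
    Grant("emoss", AT, "update"),  Grant("fkhan", AT, "read"),
    Grant("gortiz", RL, "read"),   Grant("hpark", RL, "read"),
    Grant("iroy", AT, "update"),   Grant("jdoe", RL, "update"),
]
CERTS = [
    Certification("asmith", AT, "update", "application_manager", date(1997, 2, 1)),
    Certification("bjones", AT, "read", "application_manager", date(1996, 3, 15)),
    Certification("cwu", RL, "update", "installation_security_officer", date(1997, 5, 10)),
    Certification("dlee", RL, "update", "supervisor", date(1997, 6, 1)),
    Certification("fkhan", AT, "read", "application_manager", date(1997, 7, 20)),
    Certification("gortiz", RL, "read", "application_manager", date(1997, 1, 5)),
    Certification("hpark", RL, "read", "application_manager", date(1997, 8, 12)),
    Certification("iroy", AT, "update", "application_manager", date(1997, 4, 30)),
    Certification("jdoe", RL, "update", "application_manager", date(1997, 9, 1)),
    Certification("klam", RL, "read", "application_manager", date(1997, 3, 3)),
]


def run_sample():
    return reconcile(GRANTS, CERTS, TODAY)


if __name__ == "__main__":
    result = run_sample()
    for kind, items in result.items():
        users = [i[0].user if isinstance(i, tuple) else i.user for i in items]
        print(f"{kind}: {users}")
    print(f"unapproved rate: {unapproved_rate(result, GRANTS):.0%}")
```

     On the sample data the unapproved rate is 20 percent: one account has
     no certification at all and one was approved only by a supervisor.
     Keying the comparison on (user, application) rather than on user
     alone is what lets the same pass catch a grant that is broader than
     what was approved for that particular application.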
  
       Effect:  As a result, there was an increased risk that unauthorized
     access, data manipulation, or disclosure of proprietary information
     could occur. A periodic review of access files would limit the damage
     resulting from accidents, errors, or unauthorized use of automated
     information system resources and would increase assurance that access
     levels were revised when users were reassigned, promoted, or
     terminated. Additionally, since periodic reviews were not performed,
     there was an increased risk that unauthorized access would not be
     detected, or would not be detected in a timely manner.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Implement controls to ensure that access managers approve all
     access to their applications in accordance with Program policy.
  
     2.  Document procedures which require that users' access levels be
     reviewed periodically or that employees be recertified to ensure that
     the levels of access granted are appropriate for the duties assigned
     to the users.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service
     reconsider its responses to Recommendations 1 and 2, which are
     unresolved (see Appendix 3).
  
     Recommendation 1. Nonconcurrence.
  
     Service Response. The Service stated that it believes that "effective
     controls have been in place to assure that application managers
     approve all access to their applications."  It further stated that it
     "acknowledge[d] that our filing system for such approvals needed
     improvement and are in the process of resolving this problem."
  
     Office of Inspector General Reply. We disagree that effective controls
     were in place which ensured that application managers approved all
     access to their applications. We found that the Program did not
     enforce its policy which required application managers to approve all
     access granted to users of their applications. We performed a
     statistical test of users who had access to Program applications and
     production data and found that over 10 percent of those users tested
     did not have their access approved by the application manager or the
     Installation Security Officer. We discussed access approvals with
     application managers and found that these managers were unaware of
     how many of the users had access to the managers' applications.
     Therefore, the problem was not attributable to the "filing system"
     but to the lack of enforcement of Program policy.
  
     Recommendation 2. Concurrence.
  
     Service Response. The Service stated that it "concur[red] with the
     need to document these procedures" but "disagree[d] with the OIG's
     [Office of Inspector General] implication (in its statement of
     effect) of any significant risk of security breaches." The Service
     further stated: "Access to mission-critical systems has been
     carefully managed and controlled through documented security
     procedures and controls, including mainframe access matrices and
     annual reviews by the Security Manager. Our own tests confirmed that
     no unauthorized access exists or has existed."
  
     Office of Inspector General Reply.  The Service agreed that procedures
     should be documented but stated that it had procedures and controls
     in place for mission-critical systems. However, we disagree that
     adequate procedures and controls were in place because the Program's
     procedures did not address periodic reviews of users' access levels.
     The Service disagreed that any significant risk of security breaches
     would occur because mission critical systems are "carefully managed
     and controlled" through "documented security procedures and
     controls." Since the Service stated in its response to Recommendation
     M.1 that it had not identified all mission critical systems, it is
     unclear how the Service managed and controlled its mission critical
     systems. Regarding the annual review, under the current version of
     the security software, a review of user access levels within the
     system could not be performed. Therefore, the Program's procedures
     did not ensure that all users' access levels were reviewed
     periodically and that the levels of access granted were appropriate
     for the duties assigned to the users, thus ensuring implementation of
     "least privilege." Further, the use of the matrix identified users
     within a group and the group's levels of access, but it did not
     identify access levels for each user. In addition, without
     familiarity with the methodology employed in the Service's test, such
     as the sample selection and test performance, we must rely on the
     tests performed using statistical sampling software and generally
     accepted Government auditing standards followed by the audit staff.
  
     H. Number of Log-in Attempts
  
         Condition:  The number of unsuccessful log-in attempts the
     Program permitted before revoking access to its automated information
     system exceeded the standard established by the Department.
     Specifically, in 1992, Program management increased the number of
     unsuccessful log-in attempts permitted before a user's ID and
     password were revoked from three to five.
  
         Criteria:  The Department's "Automated Information Systems
     Security Handbook" states that the number of unsuccessful log-in
     attempts should be three.
  
       Cause:  Program management did not follow the Departmental standard
     because, management stated, it was difficult for some state and
     tribal organizations, which are external customers, to access the
     mainframe computer through telephone lines.
  
       Effect:  As a result, the increased number of permitted invalid
     attempts reduced the effectiveness of the password as an access
     control, since each additional attempt allowed before revocation
     gives an intruder more password guesses per user ID. Thus, there was
     an increased risk of unauthorized access to sensitive information.
  
     Recommendation:
  
     We recommend that the Director, Minerals Management Service, evaluate
     the need to deviate from the Departmental standard for the number of
     unsuccessful log-in attempts. If the Program determines that this
     number should remain at five, Program management should request, from
     the Department, a waiver from the standard of three attempts.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we consider this recommendation
     resolved and implemented (see Appendix 3).
  
     I. Client/Server Application Software Changes
  
         Condition:  Change management controls over client/server
     application software were not adequate. Specifically, we found that
     there were no controls to ensure that (1) Program management
     authorized and approved software changes and (2) changes to the
     application software were adequately tested before the changed
     software was moved into production.
  
         Criteria:  National Institute of Standards and Technology Special
     Publication 500-161, "Software Configuration Management: An
     Overview," states that software configuration control management
     procedures should define the specific steps taken to analyze and
     evaluate the change request, clarify the meaning of the request, and
     resolve the problem described. In addition, the procedures should
     identify the appropriate individuals or organization responsible for
     evaluating the requests and discuss the submission of the evaluation
     results to the appropriate review board or individuals for approval
     or disapproval. Federal Information Processing Standards Publication
     106, "Guideline on Software Maintenance," states that testing is a
     critical component of software maintenance and that, as such, test
     procedures must be consistent and based on sound principles. Further,
     the Publication states that tests should examine whether the
     application software is "doing what it is supposed to do."
  
       Cause:  Program management did not enforce procedures for
     authorizing, approving, and testing client/server application
     software.
  
       Effect:  As a result, there was an increased risk that the most
     critical client/server application software changes were not made
     and that applications would not perform as intended.
  
     Recommendation:    
  
     We recommend that the Director, Minerals Management Service, enforce
     its procedures for authorizing, approving, and testing client/server
     application software before the software is moved into production.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In its response, the Service stated that the documented procedures
     "are already in place."
  
     Although the Service provided additional information in its response
     showing that client/server software development and change management
     procedures had been in place since 1995, the information, which we
     requested, was not provided during our audit. Based on the subsequent
     information provided by the Service, we agree that the Service has
     documented procedures.  However, we found that these procedures had
     not been enforced during fiscal year 1997. Specifically, in our
     review of four client/server applications, we found no evidence to
     support that software changes were authorized, approved, and tested.
     Therefore, we have revised this finding and recommendation and
     request that the Service respond to the revised recommendation (see
     Appendix 3).
  
     J. Duties Related to Client/Server Applications
  
         Condition:  The duties related to client/server applications were
     not separated effectively. Specifically, we found that:

          -  Application programmers were authorized to access
             client/server production data to perform "ongoing
             maintenance" on applications.

          -  At least one application programmer acted as a backup to an
             end user, which required the programmer to change production
             data in the Minerals Management Service Appeals Tracking
             System.

          -  The individual responsible for setting up users of the
             Royalty Management Program Desktop applications was also the
             person designated to review server security logs, which
             record the activities of the users of the applications.
  
         Criteria:  Office of Management and Budget Circular A-130,
     Appendix III, requires that security controls for personnel include
     least privilege and separation of duties. The Circular states, "Least
     privilege is a practice of restricting a user's access (to data
     files, to processing capability, or to peripherals) or type of access
     (read, write, execute, delete) to the minimum necessary to perform
     his or her job." Separation of duties is the practice of dividing the
     steps in a critical function among different individuals. Also, the
     NIST Handbook states, "Separation of duties refers to dividing roles
     and responsibilities so that a single individual cannot subvert a
     critical process." The "RMP Automated Information Systems Security
     Manual" states, "Access to sensitive data is limited to those persons
     who use or process the data in performing their official duties."
  
       Cause:  Program management did not appropriately assign duties for
     application programmers to ensure that critical processes could not
     be subverted. Specifically, programmers should not have access to
     production data because access to production data should be
     restricted to users. Also, Program management had not ensured that
     independent reviews of server security logs were performed
     periodically.
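     Both conditions in this finding (a programmer who can update
     production data, and a security administrator who also reviews the
     security logs) are pairs of roles that one person should not hold at
     the same time, and the Service's response (below) argues that some
     programmer access is a temporary exception under controlled
     circumstances. The check that follows is an added example written
     for this report, not code from the Minerals Management Service; it
     flags conflicting role pairs and treats a temporary grant as
     acceptable only when it carries an approver and an unexpired end
     date. The role names, the conflict pairs, the fields an exception
     must carry, and the sample assignments are all constructed.

```python
"""Detect separation-of-duties conflicts in role assignments and separate
a documented, time-limited exception from an uncontrolled one.

Added example, not code from the Minerals Management Service. Role
names, conflict pairs, the fields required for a controlled exception,
and the sample assignments are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Pairs of roles one person must not hold at the same time (assumption,
# taken from the two conditions in this finding).
CONFLICTS = [
    frozenset({"application_programmer", "production_data_update"}),
    frozenset({"security_administrator", "security_log_reviewer"}),
]


@dataclass(frozen=True)
class Assignment:
    person: str
    role: str
    temporary: bool = False            # granted as a temporary exception?
    approved_by: Optional[str] = None  # who approved the exception
    expires: Optional[date] = None     # when the exception lapses


def exception_is_controlled(assignment, today):
    """A temporary assignment is acceptable only if it is approved, has an
    expiry date, and has not yet expired."""
    return (assignment.temporary
            and assignment.approved_by is not None
            and assignment.expires is not None
            and assignment.expires >= today)


def find_conflicts(assignments, today):
    """Return (person, roles, status) for each conflicting pair held.

    status is "violation" for a standing conflict or an uncontrolled
    temporary one, and "controlled_exception" when every temporary side
    of the pair passes exception_is_controlled.
    """
    by_person = {}
    for a in assignments:
        by_person.setdefault(a.person, {})[a.role] = a
    findings = []
    for person, roles in by_person.items():
        for pair in CONFLICTS:
            if not pair.issubset(roles):
                continue
            temps = [roles[r] for r in pair if roles[r].temporary]
            if temps and all(exception_is_controlled(t, today) for t in temps):
                status = "controlled_exception"
            else:
                status = "violation"
            findings.append((person, tuple(sorted(pair)), status))
    return sorted(findings)


TODAY = date(1997, 9, 30)
# Constructed sample assignments.
ASSIGNMENTS = [
    Assignment("prog_a", "application_programmer"),
    Assignment("prog_a", "production_data_update", temporary=True,
               approved_by="application_manager", expires=date(1997, 10, 15)),
    Assignment("prog_b", "application_programmer"),
    Assignment("prog_b", "production_data_update"),          # standing grant
    Assignment("prog_e", "application_programmer"),
    Assignment("prog_e", "production_data_update", temporary=True,
               expires=date(1997, 10, 15)),                  # nobody approved it
    Assignment("prog_f", "application_programmer"),
    Assignment("prog_f", "production_data_update", temporary=True,
               approved_by="application_manager", expires=date(1997, 9, 1)),  # expired
    Assignment("admin_c", "security_administrator"),
    Assignment("admin_c", "security_log_reviewer"),
    Assignment("reviewer_d", "security_log_reviewer"),
]


def run_sample():
    return find_conflicts(ASSIGNMENTS, TODAY)


if __name__ == "__main__":
    for person, roles, status in run_sample():
        print(f"{person}: {' + '.join(roles)} -> {status}")
```

     Only prog_a survives as a controlled exception; the standing grant,
     the grant nobody approved, and the expired grant are all reported as
     violations, and the log reviewer who is also the security
     administrator is reported regardless of how the access was granted.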
  
       Effect:  As a result, there was an increased risk that accidental
     or intentional unauthorized actions by programmers could threaten the
     integrity of the Program's data and disrupt system processing.
     Furthermore, there was an increased risk that inappropriate actions
     by the individuals who established system users would not be
     detected, or would not be detected in a timely manner.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Implement controls to ensure that application programmers do not
     have access to the production client/server application data or the
     capability to update/change these data.
  
     2.  Improve detection controls by ensuring that management or the
     Installation Security Officer reviews server security logs
     periodically.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service provide
     additional information for Recommendation 2 and that it reconsider
     its response to Recommendation 1, which is unresolved (see Appendix
     3).
  
     Recommendation 1. Nonconcurrence.
  
     Service Response. The Service stated: "While application programmers
     do not routinely require update access to any RMP [Royalty Management
     Program] production data, there are instances when temporary access
     is needed by specific programmers under controlled circumstances. To
     mitigate any future risks associated with this access, procedures
     have been reinforced which detail actions to be taken when requesting
     temporary access to mainframe and client/server production data." The
     Service also "refute[d]" our statement that application programmers
     serve as backups to end users.
  
     Office of Inspector General Reply. The Service indicated that
     procedures were in place to control the risk when application
     programmers had update access to Program data. However, we did not
     find such procedures; therefore, we could not test the procedures to
     ensure that temporary access was provided to specific programmers
     under controlled circumstances. To resolve this recommendation, the
     Service is requested to provide documentation of the procedures the
     Program uses that mitigate risk when programmers are allowed update
     access to production data.
  
     Regarding application programmers serving as backups to end users, we
     found during our audit that a programmer analyst had been given
     access to a client/server application to change the database, to make
     table updates, and to print reports. According to Program personnel
     who were responsible for the application, this access was authorized
     so that the programmer could provide backup duties to a Program
     employee.
  
     Recommendation 2. Concurrence.
  
     Service Response. The Service stated that the contractor was "being
     directed to address the review of server security logs within their
     overall internal control procedures."
  
     Office of Inspector General Reply. We accept the Service's alternative
     of having the contractor review the logs rather than Program
     management or the Installation Security Officer. However, regardless
     of who does the review, the procedures must ensure adequate
     separation of duties between the key functions of the security log
     reviewer and the security administrator.
  
     K. Security Software
  
         Condition:  The version of RACF, the commercial mainframe
     security software, that was used by the Program was no longer
     supported by the vendor. Although the upgraded version of RACF had
     been purchased, it had not been implemented.
  
         Criteria:  Federal Information Processing Standards Publication
     106, "Guideline on Software Maintenance," states that "the goal of
     software maintenance management is to keep systems functioning."
  
       Cause:  Program management had not implemented the upgraded version
     of RACF because management was in the process of requesting a waiver
     from the Department from consolidating its mainframe operations with
     another mainframe operation, which has the upgraded RACF, as required
     by Office of Management and Budget Bulletin 96-02, "Consolidation of
     Agency Data Centers." If the waiver is granted to the Program, the
     upgraded version of RACF will need to be implemented immediately.
  
       Effect:  Using security software that was not supported by the
     vendor increased the risk that the security software would not be
     maintained (defects found after the end of support receive no vendor
     fix) and that programs and data files would not be protected from
     unauthorized access.
  
     Recommendation:
  
     We recommend that the Director, Minerals Management Service, ensure
     that the upgraded version of RACF is implemented immediately if the
     Program is granted a waiver from consolidating its mainframe
     operations with another mainframe operation.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In its response, the Service stated that it believes that we
     "misunderstood the effects of delaying this software upgrade.
     Although this is a moot point now that MMS [Minerals Management
     Service] has replaced its processor, the decision not to upgrade the
     RACF software was well founded."
  
     Although the Service indicated that it had replaced its processor, we
     were not provided information to determine whether the Service has
     ensured that the upgraded version of RACF or equivalent security
     software was implemented on the new processor. Therefore, we consider
     this recommendation unresolved and request that the Service
     reconsider its response to the recommendation (see Appendix 3).
  
     Additional Comments on Finding
  
     The Service stated that the Program "initially delayed the upgrade
     because it was considering a processor replacement that would require
     an entire new suite of mainframe software products." The Service
     further stated, "Upgrading RACF at that time would have been an
     inherently risky and potentially expensive decision." Regarding these
     statements, we were not provided any documentation to support these
     statements that the decision to not implement the upgraded version of
     RACF was based on the Service's plan to implement a new processor or
     that the upgrade of RACF would be "risky and potentially expensive."
  
     L. Mainframe Computer System Audit Tools
  
         Condition:  Program management did not use available system audit
     tools to ensure integrity over system processing and data and to
     detect inappropriate actions by authorized users. Specifically, we
     found that:

          -  System integrity verification and audit software was not
             used. This software could assist data center and installation
             security management in identifying and controlling the
             mainframe computer operating system's security exposures,
             such as inappropriately set system options, "back doors"
             installed in the operating system, and viruses and Trojan
             horses, that can destroy production dependability and
             circumvent existing security measures.

          -  Computer operators and system programmers had the capability
             to change the system initialization process and thus affect
             system processing. Additionally, system options that produce
             a system audit trail were not implemented. Therefore, an
             audit trail that logs the results of actions taken by
             computer operators and system programmers in the SYSLOG
             during system initialization could not be produced for
             periodic review.

          -  Periodic reviews of System Management Facility (SMF) logs to
             identify critical events affecting system processing were not
             performed. For example, reviews were not performed of record
             type 7, which records when the system audit trail is lost
             (SMF data lost), and record type 90, which records events
             such as "SET TIME," "SET DATE," and "SET SMF," all of which
             affect system processing and production of audit trails.

          -  Periodic reviews of SMF logs to identify unauthorized changes
             to data by authorized users were not performed. Even though
             one of the SMF record types, record type 60, which logs all
             activity affecting Virtual Storage Access Method (VSAM) data
             sets that contain lease and site security data, was activated
             during our audit, the logs were not reviewed to detect
             inappropriate actions or unusual activity by authorized
             users.
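     The Cause paragraph below notes that the SMF logs went unreviewed
     because they were extensive and hard to read and that nobody had
     considered converting them to a more useful format. The following is
     an added example for this report, not code from the Minerals
     Management Service, of the kind of extraction the finding calls for:
     it scans decoded records and reports only the events named in the
     three SMF bullets above (type 7 lost data, type 90 SET TIME / SET
     DATE / SET SMF, and type 60 updates to sensitive VSAM data sets by
     users who are not authorized updaters or who update outside business
     hours). Real SMF records are binary; the pipe-delimited text layout
     (type|timestamp|userid|jobname|detail), the data set names, the
     authorized-updater table, the business-hours window, and the sample
     records are all constructed assumptions.

```python
"""Review decoded SMF records for the events this finding names.

Added example, not code from the Minerals Management Service. Real SMF
records are binary; the text layout type|timestamp|userid|jobname|detail,
the data set names, the authorized-updater table, the business-hours
window, and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Type 90 events that change the clock or SMF recording itself (assumption:
# matched on the event text carried in the decoded record).
CRITICAL_TYPE90 = {"SET TIME", "SET DATE", "SET SMF"}

# Sensitive VSAM data sets and the user IDs permitted to update them.
AUTHORIZED_UPDATERS = {
    "RMP.LEASE.MASTER": {"USER17", "USER22"},
    "RMP.SITESEC.DATA": {"SECADM1"},
}
BUSINESS_HOURS = range(7, 18)   # 07:00 through 17:59 local time


@dataclass(frozen=True)
class Alert:
    category: str
    record_type: int
    when: datetime
    userid: str
    detail: str


def parse(line):
    """Split one decoded record; the detail field may itself contain spaces."""
    rtype, stamp, userid, jobname, detail = line.split("|", 4)
    return int(rtype), datetime.fromisoformat(stamp), userid, jobname, detail


def review(lines):
    """Scan decoded records and return the alerts a reviewer should act on."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rtype, when, userid, _job, detail = parse(line)
        if rtype == 7:
            alerts.append(Alert("audit_trail_lost", rtype, when, userid, detail))
        elif rtype == 90 and detail.upper() in CRITICAL_TYPE90:
            alerts.append(Alert("clock_or_smf_changed", rtype, when, userid, detail))
        elif rtype == 60:
            dsname = detail.split()[0]
            allowed = AUTHORIZED_UPDATERS.get(dsname)
            if allowed is None:
                continue                   # not one of the sensitive data sets
            if userid not in allowed:
                alerts.append(Alert("unauthorized_update", rtype, when, userid, detail))
            elif when.hour not in BUSINESS_HOURS:
                alerts.append(Alert("after_hours_update", rtype, when, userid, detail))
    return alerts


def summarize(alerts):
    """Count alerts per category for the periodic review report."""
    counts = {}
    for a in alerts:
        counts[a.category] = counts.get(a.category, 0) + 1
    return counts


# Constructed sample records for one day.
SAMPLE_LOG = """\
7|1997-09-30T02:14:05|SYSTEM|SMF|SMF data lost: buffers full
90|1997-09-30T03:02:11|OPER01|CONSOLE|SET TIME
90|1997-09-30T03:02:40|OPER01|CONSOLE|SET DATE
90|1997-09-30T03:05:00|SYSPRG2|CONSOLE|SET SMF
90|1997-09-30T03:06:10|OPER01|CONSOLE|DISPLAY SMF
30|1997-09-30T08:15:22|USER17|RMPBATCH|job end rc=0
60|1997-09-30T09:41:10|USER17|RMPUPD|RMP.LEASE.MASTER updated
60|1997-09-30T10:05:03|USER22|RMPUPD|RMP.LEASE.MASTER updated
60|1997-09-30T20:30:00|USER22|TSO|RMP.LEASE.MASTER updated
60|1997-09-30T23:12:44|SYSPRG2|TSO|RMP.SITESEC.DATA updated
60|1997-09-30T11:00:00|USER05|RMPUPD|RMP.SCRATCH.DATA updated
"""


def run_sample():
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    found = run_sample()
    for a in found:
        print(f"{a.when:%H:%M:%S} type {a.record_type:<2} "
              f"{a.category:<22} {a.userid:<8} {a.detail}")
    print(summarize(found))
```

     Eleven records reduce to six alerts: the lost-data record, three
     clock/SMF changes, one authorized user updating lease data at 20:30,
     and a system programmer updating the site security data set. The
     type 30 job record, the DISPLAY SMF command, the daytime updates by
     authorized users, and the update to a non-sensitive data set are
     dropped, which is the point of converting the log before review.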
  
         Criteria:  Office of Management and Budget Circular A-130,
     Appendix III, requires agencies to establish controls to ensure
     adequate security for all information processed, transmitted, or
     stored in Federal automated information systems. In addition, the
     Circular states that individual accountability is one of the
     personnel controls required in a general support system. The Circular
     further states that an example of one of the controls to ensure
     individual accountability is reviewing or looking at patterns of
     users' behavior, which requires reviews of the audit trails. The NIST
     Handbook states that audit trails are a technical mechanism to
     achieve individual accountability.
  
       Cause:  Program management did not acquire system integrity and
     verification software, did not implement system options to record
     actions taken affecting system initialization, did not encourage the
     use of available system audit trails to detect and identify
     inappropriate actions affecting system processing and data integrity,
     and did not establish procedures requiring periodic reviews of the
     resultant logs because the logs were extensive and difficult to read.
     Further, Program management had not considered converting the logs to
     a more useful format to extract critical information. Instead,
     Program management relied on its staff to make appropriate changes to
     the system initialization process and on authorized users to make
     only appropriate changes.
  
       Effect:  As a result, inappropriate mainframe computer system
     initialization and processing were not recorded and identified.
     Additionally, without periodic reviews of the system audit trails,
     there was an increased risk that processing problems or unauthorized
     activities would not be detected, or would not be detected in a
     timely manner, and that the individual responsible would not be held
     accountable for the inappropriate actions.
  
     Recommendations:
  
     We recommend that the Director, Minerals Management Service:
  
     1.  Evaluate acquiring system verification and auditing software.
  
     2.  Implement the system options to record activities in the SYSLOG
     during the system initialization process and develop and implement
     procedures to ensure that periodic reviews of the SYSLOG for
     unauthorized or inappropriate activities are performed and that
     unauthorized or inappropriate activities are reported to Program
     management.
  
     3.  Evaluate the available SMF record types and implement procedures
     to ensure that critical SMF logs are reviewed periodically and that
     Program management addresses the problems identified.
  
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     In its response, the Service indicated agreement with Recommendations
     2 and 3. However, the Service needs to provide additional information
     for Recommendations 2 and 3 and needs to reconsider its response to
     Recommendation 1, which is unresolved (see Appendix 3).
  
     Recommendation 1. Nonconcurrence.
  
     Service Response. The Service stated that the Program "routinely uses
     a number of system-assurance mechanisms such as control reports,
     system-assurance programs and user-reconciliation reports" but that
     it "remains alert to any technologic developments that would improve
     system integrity and operations." The Service further stated, "As
     these packages become available, they will be examined for
     applicability to the RMP [Royalty Management Program] computing
     environment."
  
     Office of Inspector General Reply. The mechanisms cited by the Service
     provide information related mainly to application processing system
     assurance. Although the Service said that it will evaluate the use of
     software packages to assist in providing assurance over system
     integrity and operations, the Service should state concurrence or
     nonconcurrence with the recommendation to evaluate the acquisition of
     operating system-verification and auditing software that would
     identify mainframe operating system security exposures.
  
     M. Disaster Recovery Plans
  
         Condition:  Local area networks and personal computers used by
     the Program's divisions that maintain proprietary and financial data
     were not included in the Program's disaster recovery plans.
  
         Criteria:  Office of Management and Budget Circular A-130,
     Appendix III, states that agencies should establish a contingency
     plan and periodically test the plan to ensure that operations will
     continue in the event that automated systems fail.
  
       Cause:  Program management did not ensure that all systems which
     maintain proprietary and financial data were included in its
     disaster recovery plans.
  
       Effect:  If the disaster recovery plans are incomplete because all
     sensitive systems are not included, personnel required to perform
     the disaster recovery procedures may not be able to recover critical
     systems in the event of a disaster or a system failure.
  
     Recommendation:
  
     We recommend that the Director, Minerals Management Service, update
     the disaster recovery plans to include all mission-critical systems.
  
     Minerals Management Service Response and Office of Inspector General
     Reply
  
     Based on the Service's response, we request that the Service provide
     additional information for the recommendation (see Appendix 3).
  
     Additional Comments on Finding
  
     The Service stated, "We believe the disaster recovery plans we have in
     place for our mainframe and client servers provide coverage for
     virtually all of our mission-critical applications." In our opinion,
     this statement implies that disaster recovery plans are not required
     for other components of the Program's automated information system,
     such as local area networks and personal computers used by the
     Program's divisions. The local area networks and personal computers
     used by the Program's divisions were the components of the automated
     information system used to develop the Program's financial statements
     and to report financial information to the U.S. Treasury and the
     Office of Management and Budget. Further, these components also
     support the Program's mission to accurately and timely disburse
     rents, bonuses, and royalty revenues to the U.S. Treasury, the
     states, and the Indian tribes. Therefore, we believe that these
     components not only are "mission critical" to the Program but also
     are part of the Program's general support system. Office of
     Management and Budget Circular A-130, Appendix III, defines general
     support systems as "an interconnected set of information resources
     under the same direct management control which shares common
     functionality." Further, the Circular addresses the need for
     continuity of support for general support systems as well as major
     applications.
  
  
  
               STATUS OF AUDIT REPORT RECOMMENDATIONS

     Finding/
     Recommendation   Status                  Action Required
     Reference
     ------------------------------------------------------------------------
     A.1              Unresolved.             Reconsider the recommendation to
                                              clarify that the enhanced risk
                                              assessment process will include
                                              the identification of significant
                                              risks affecting systems, will
                                              appropriately identify controls
                                              implemented to mitigate those
                                              risks, and will formalize the
                                              acceptance of residual risk.
                                              Also, an action plan that
                                              includes target dates and titles
                                              of officials responsible for
                                              implementation should be
                                              provided.

     A.2              Unresolved.             Reconsider the response to ensure
                                              that local area network
                                              administrators participate in the
                                              risk assessment process, and
                                              provide an action plan that
                                              includes target dates and titles
                                              of officials responsible for
                                              implementation.

     A.3, F.1, F.2,   Management concurs;     Provide an action plan that
     L.2, L.3, and    additional information  includes titles of officials
     M.1              needed.                 responsible for implementation.

     B.1, B.2, E.1,   Management concurs;     Provide an action plan that
     and J.2          additional information  includes target dates and titles
                      needed.                 of officials responsible for
                                              implementation.

     B.3, D.1, D.2,   Unresolved.             Reconsider the recommendations,
     and L.1                                  and provide action plans that
                                              include target dates and titles
                                              of officials responsible for
                                              implementation.

     C.1              Unresolved.             Provide information relating to
                                              how the reconciliation of the
                                              statements was performed and the
                                              dates the actions were completed.

     G.1              Unresolved.             Reconsider the recommendation,
                                              and provide information regarding
                                              controls which ensure that all
                                              access managers approve all
                                              access to their applications.
                                              Also, an action plan that
                                              includes target dates and titles
                                              of officials responsible for
                                              implementation should be
                                              provided.

     G.2              Unresolved.             Reconsider the recommendation,
                                              and provide information regarding
                                              documentation of procedures
                                              requiring that users' access
                                              level reviews or recertification
                                              of users' access be performed
                                              periodically. Also, an action
                                              plan that includes target dates
                                              and titles of officials
                                              responsible for implementation
                                              should be provided.

     H.1              Implemented.            No further action is required.

     I.1              Unresolved.             Respond to the revised
                                              recommendation, and provide an
                                              action plan that includes target
                                              dates and titles of officials
                                              responsible for implementation.

     J.1              Unresolved.             Reconsider the recommendation,
                                              and provide the procedures that
                                              mitigate risks when application
                                              programmers are allowed update
                                              access to production data.

     K.1              Unresolved.             Reconsider the recommendation,
                                              and provide information on
                                              whether the upgraded version of
                                              the security software has been
                                              implemented on the new processor.




    ILLEGAL OR WASTEFUL ACTIVITIES SHOULD BE REPORTED TO THE OFFICE OF
    INSPECTOR GENERAL BY:

    Sending written documents to:                 



    Within the Continental United States
    
    U.S. Department of the Interior
    Office of Inspector General 
    1849 C Street, N.W.
    Mail Stop 5341
    Washington, D.C. 20240

    Calling:

    Our 24-hour
    Telephone HOTLINE
    1-800-424-5081 or
    (202) 208-5300
    
    TDD for hearing impaired                                                  
    (202) 208-2420 or
    1-800-354-0996



    Outside the Continental United States

    
    Caribbean Region
    
    U.S. Department of the Interior
    Office of Inspector General
    Eastern Division- Investigations
    1550 Wilson Boulevard
    Suite 410
    Arlington, Virginia 22209

    Calling:
    (703) 235-9221


    North Pacific Region

    U.S. Department of the Interior
    Office of Inspector General
    North Pacific Region
    238 Archbishop F.C. Flores Street
    Suite 807, PDN Building
    Agana, Guam 96910

    
    Calling:
    (700) 550-7428 or 
    COMM 9-011-671-472-7279