[Audit Report on Followup of Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation]
[From the U.S. Government Printing Office, www.gpo.gov]
Report No. 98-I-623
Title: Audit Report on Followup of Mainframe Computer Policies
and Procedures, Administrative Service Center, Bureau of
Reclamation
Date: August 20, 1998
**********DISCLAIMER**********
This file contains an ASCII representation of an OIG report.
No attempt has been made to display graphic images or
illustrations. Some tables may be included, but may not
resemble those in the printed version.
A printed copy of this report may be obtained by referring to the
PDF file or by calling the Office of Inspector General, Division of
Acquisition and Management Operations at (202) 208-4599.
******************************
U.S. Department of the Interior
Office of Inspector General
AUDIT REPORT
FOLLOWUP OF MAINFRAME
COMPUTER POLICIES AND PROCEDURES,
ADMINISTRATIVE SERVICE CENTER
BUREAU OF RECLAMATION
REPORT NO. 98-I-623
AUGUST 1998
MEMORANDUM
TO: The Secretary
FROM: Richard N. Reback
Acting Inspector General
SUBJECT SUMMARY: Final Audit Report for Your Information -
"Followup of Mainframe Computer Policies
and Procedures, Administrative Service
Center, Bureau of Reclamation" (No. 98-I-623)
Attached for your information is a copy of the subject final audit
report. The objective of our audit was to determine
whether (1) the Bureau of Reclamation had satisfactorily implemented
the recommendations made in our March 1997 audit report "Mainframe
Computer Policies and Procedures, Administrative Service
Center, Bureau of Reclamation" (No. 97-I-683) and whether any new
recommendations were warranted and (2) the Service
Center's general controls were effective over computer center
management and operations, software change management,
and mainframe computer operating system
software.
We found that of the 24 recommendations made in our March 1997 report,
the Bureau had implemented 21 recommendations and had partially
implemented 3 recommendations. Further, we identified
six weaknesses in the areas of computer center management and
operations, software change management controls, and mainframe
computer operating system software.
We made 14 recommendations for improving the general controls at the
Service Center. Based on the Bureau's response to the draft report,
we considered 2 recommendations resolved and implemented and 12
recommendations resolved but not implemented.
If you have any questions concerning this matter,
please contact me at (202) 208-5745.
Attachment
AUDIT REPORT A-IN-BOR-001-97
Memorandum
To: Commissioner, Bureau of Reclamation
From: Robert J. Williams
Assistant Inspector General for Audits
Subject: Audit Report on Followup of Mainframe
Computer Policies and Procedures, Administrative
Service Center, Bureau of Reclamation (No. 98-I-623)
INTRODUCTION
This report presents the results of our followup audit of
recommendations contained in our March 1997 audit report
"Mainframe Computer Policies and Procedures, Administrative
Service Center, Bureau of Reclamation" (No. 97-I-683). We
performed this audit in support of audits of the annual
financial statements of the Bureau of Reclamation and the
Service Center's clients. Annual financial statements are
required by the Chief Financial Officers Act. The objective
of this audit was to determine whether (1) the Service
Center had satisfactorily implemented the recommendations
made in our prior audit report and whether any new
recommendations were warranted and (2) the Service Center's
general controls were effective over computer center
management and operations, software change management, and
mainframe computer operating system software.
BACKGROUND
The Bureau of Reclamation's Administrative Service Center in
Denver, Colorado, is one of two Administrative Service
Centers within the Department of the Interior. The Service
Center's mission "is to improve economy and efficiency in
Government through the delivery of standard, automated
administrative systems." Specifically, the Service Center
provides (1) consolidated payroll and personnel services for
about 97,000 employees in the Department of the Interior and
eight other Federal agencies and (2) Government accounting,
integrated budgeting, and reporting services through the
Federal Financial System (FFS) to three Departmental and
five other Federal agencies. At the time of our audit,
payroll and personnel services were provided through the
Payroll/Personnel System (PAY/PERS) and the Federal
Personnel Payroll System (FPPS) that was in the latter
stages of development. The implementation of FPPS, which
is to replace PAY/PERS, began in September 1997 with the
conversion of three Departmental agencies from PAY/PERS.
The remaining Departmental and non-Departmental agencies are
to be converted to FPPS by December 30, 1998. In addition,
a new client, the Social Security Administration, was added
in March 1998, which increased the number of payroll
accounts by about 65,000.
The Service Center provides its services on a cost-
reimbursable basis, and this reimbursement function is
administered through the Bureau's Working Capital Fund. The
Service Center is organized into seven divisions that
"provide data center, application, system, and operational
support to the organization and clients" as follows:
- The ADP Services Division is responsible for (1)
planning, developing, and operating the Service Center's
computer center functions and (2) operating and maintaining
computers, system software, and data communication networks.
To assist the Division in carrying out its functions, the
Service Center has contracted with Tri-Cor Industries, Inc.
The Division provides data processing support for the
Departmental standardized administrative sensitive
systems.[1] To support these systems, the computer center
operates an IBM mainframe computer using the "OS/390"
operating system to manage the processing work load. The
access control security software installed on the mainframe
computer is the Resource Access Control Facility (RACF),[2]
which controls users' and computer programs' access to the
mainframe computer resources. Additionally, other system
software, such as database management, telecommunications,
and specialized vendor software, reside on the mainframe
computer and are used to support the sensitive systems. Data
center operations provide users with computer and
communications equipment and infrastructure, systems
software, and operational support. The Division manages
data center operations through scheduling activities,
planning for contingencies and capacity, and providing user
support. The Division also manages the information
resources security program.
- The FPPS Division is responsible for managing the
development, implementation, and operation of the FPPS
application. These responsibilities include controlling
software changes; providing technical assistance to users;
and managing tests of the application, converting data, and
implementing the FPPS application. To assist the Division
in carrying out its functions, the Service Center has
contracted with the Computer Sciences Corporation.
- The Application Management Office directs the program
activities of the Departmental administrative applications
assigned to the Service Center.
- The PAY/PERS Division operates and maintains
PAY/PERS. However, when all agencies have been converted to
FPPS, the PAY/PERS Division will no longer exist.
- The Payroll Operations Division plans, develops,
executes, and manages the interagency payroll program
delivered by the Service Center and performs payroll
administration and services for all payroll clients.
- The Financial Systems Division provides functional
and technical support to clients using FFS and related
financial applications.
- The Management Services Division provides Service
Center administrative support.
SCOPE OF AUDIT
The scope of our followup audit included an evaluation of
the actions taken by Service Center management to implement the 24
recommendations made in our March 1997 audit report and a
review of the general controls in place during fiscal year
1997. To accomplish our objective, we interviewed Service
Center and contractor personnel, reviewed systems
documentation, observed and became familiar with computer
center operations, analyzed system security, reviewed system
and application software maintenance procedures, and
reviewed and tested implementation of the prior audit
recommendations. Because our review was limited to
evaluating the adequacy of internal controls at the Service
Center, we did not test the effectiveness of the internal
controls at the various agencies and clients supported by
the Service Center.
Our audit was conducted in accordance with the "Government
Auditing Standards," issued by the Comptroller General of
the United States. Accordingly, we included such tests of
records and other auditing procedures that were considered
necessary under the circumstances.
As part of our audit, we evaluated the Service Center's
general controls over its mainframe computer and application
systems that could adversely affect the data processing
environment. The control weaknesses that we identified are
summarized in the Results of Audit section and discussed
further in Appendix 1 of this report. If implemented, our
recommendations should improve the general controls in the
areas cited. Because of inherent limitations in any system
of internal controls, losses, noncompliance, or
misstatements may occur and not be detected. We also
caution that projecting our evaluations to future periods is
subject to the risk that controls or the degree of
compliance with the controls may diminish.
PRIOR AUDIT COVERAGE
During the past 5 years, the General Accounting Office has
not issued any reports related to the scope of this audit. However, the
Office of Inspector General has issued two related reports
as follows:
- The March 1994 audit report "Compliance With the
Computer Security Act of 1987, Denver Administrative Service
Center, Bureau of Reclamation" (No. 94-I-357) stated that the
Service Center generally complied with the requirements of
the Computer Security Act of 1987 but that improvements were
needed in the areas of security and operations. Since the
Service Center was addressing all of the deficiencies
identified, the report contained no recommendations.
- The March 1997 audit report "Mainframe Computer
Policies and Procedures, Administrative Service Center,
Bureau of Reclamation" (No. 97-I-683) stated that
deficiencies identified in our March 1994 report relating to
performing a risk analysis of the Service Center's local
area networks and separating duties by using RACF security
software still existed. This report contained 24
recommendations for improving management and internal
controls at the Service Center. We reviewed actions taken by
Service Center management to implement these recommendations
as part of our current audit, the results of which are
summarized in the Results of Audit section and discussed in
Appendix 2 of this report.
RESULTS OF AUDIT
Regarding the prior report's recommendations, we found that
the Bureau of Reclamation's Administrative Service Center management had
satisfactorily implemented 21 of the 24 recommendations (see
Appendix 2). Of the three remaining recommendations, one
recommendation (No. D.3) was scheduled for completion by
September 30, 1998, and we considered the planned actions
adequate to correct the deficiencies identified. We
considered the remaining two recommendations (Nos. G.2 and
J.1) partially implemented because actions had not been
completed to fully correct the previously identified
deficiencies. The actions taken to implement the 21
recommendations have improved the controls in the areas of
local area network protection; application access; mainframe
system physical and logical security; and contingency
planning, backup, and disaster recovery.
Regarding the general controls, we believe that overall,
the general controls were operating with no material
weaknesses. However, we found general control weaknesses
in the areas of computer center management and operations,
software change management, and mainframe computer operating
system software that were present during fiscal year 1997.
Office of Management and Budget Circular A-130, "Management
of Federal Information Resources," which defines minimal
sets of controls for managing Federal information resources,
and National Institute of Standards and Technology
publications require Federal agencies to establish and
implement computer security and management and internal
controls to improve the protection of sensitive information
in the computer systems of executive branch agencies.
Additionally, the Congress has enacted laws, such as the
Privacy Act of 1974 and the Computer Security Act of 1987,
to improve the security and privacy of sensitive information
in computer systems by requiring executive branch agencies
to ensure that the level of computer security and controls
is adequate. Also, the Departmental Manual outlines (1) the
requirements related to security clearance programs,
suitability, and types of security investigations and (2)
the process for determining position sensitivity. However,
Service Center management did not ensure that controls were
implemented and were operating effectively and in compliance
with established criteria. Specifically, we found that
general control practices and processes were not complied
with, the appropriate security levels were not assigned to
automated data processing (ADP)-related positions, some
mainframe computer functions were not operated efficiently,
software change management controls were not complied with,
and mainframe computer operating system software tools and
settings had not been implemented to ensure system and data
integrity. As a result, there was an increased risk of
unauthorized access to, modification of, and disclosure of
client-sensitive data; inefficient Service Center
operations; and loss of system and data integrity.
Overall, we identified 6 weaknesses and made 14
recommendations for improving the general controls at the
Service Center. The weaknesses in the areas of computer
center management and operations, software change management
controls, and mainframe computer operating system software
are discussed in the following paragraphs, and details of
the weaknesses and our respective recommendations to correct
these weaknesses are in Appendix 1.
Computer Center Management and Operations
We found that Government and contractor employees who
filled ADP-related sensitive and critical positions did not have proper
background clearances. Without information on the
security-related background of personnel assigned to
sensitive and critical positions, there was an increased
risk that sensitive systems could be impaired or
compromised. In addition, Service Center operations could be
improved if some mainframe computer functions, such as
moving changed software from the test environment to the
production environment process and scheduling computer
production, were centralized, and a standardized software
change control tool was used. When mainframe computer
functions are decentralized and not standardized, there is
an increased risk of inefficient operations and unnecessary
costs. We made three recommendations to address these
weaknesses.
Software Change Management Controls
We found control weaknesses in the area of managing software
changes made to the FPPS application and to the mainframe computer
operating system. Because of the weak controls, there was
an increased risk that unauthorized changes could be made to
the sensitive FPPS application and to the critical operating
system, which could affect application and system integrity.
We made seven recommendations to address these weaknesses.
Mainframe Computer Operating System Software
We found that the Service Center had not implemented the
available operating system software tools which would
improve (1) the effectiveness of access controls to the
mainframe computer resources and (2) mainframe computer
system processing and data integrity. As a result, the risk
was increased that access controls could be bypassed and
unauthorized activities would not be detected. We made four
recommendations to address the weaknesses in this area.
Bureau of Reclamation Response and Office of
Inspector General Reply
In the June 17, 1998, response (Appendix 3) to the draft
report from the Commissioner, Bureau of Reclamation, the Bureau concurred
with all 14 of the new recommendations. Based on the
response, we consider Recommendations C.1 and C.2 resolved
and implemented and Recommendations A.1, A.2, B.1, C.3, D.1,
D.2, D.3, D.4, E.1, E.2, F.1, and F.2 resolved but not
implemented. Accordingly, the unimplemented recommendations
will be referred to the Assistant Secretary for Policy,
Management and Budget for tracking of implementation (see
Appendix 4).
In its response, the Bureau said that "the report language
regarding the FPPS system did not adequately consider that
FPPS was under development during the time of the audit."
We disagree. We clearly identified in Finding C that the
weaknesses occurred during the latter stages of development
and the early stages of implementation. However, we have
added wording (page 1) to further clarify that the FPPS was
in the latter stages of development during the period of our
review.
Regarding our March 1997 report, we consider 21
recommendations resolved and implemented and the remaining 3
recommendations (Nos. D.3, G.2, and J.1) partially
implemented. Accordingly, updated information on the status
of the three prior recommendations will be forwarded to the
Assistant Secretary for Policy, Management and Budget (see
Appendix 5).
Since the recommendations contained in this report are
considered resolved, no further response to the Office of
Inspector General is required (see Appendix 4).
The legislation, as amended, creating the Office of
Inspector General requires semiannual reporting to the
Congress on all audit reports issued, actions taken to
implement audit recommendations, and identification of each
significant recommendation on which corrective action has
not been taken.
We appreciate the assistance of Bureau personnel in the
conduct of our audit.
**FOOTNOTES**
[1]: According to the National Institute of Standards and
Technology, sensitive systems are defined as "systems that
contain any information, the loss, misuse, or unauthorized
access to or modification of which could adversely affect
the national interest or the conduct of Federal programs, or
the privacy to which individuals are entitled under the
Privacy Act, but which has not been specifically authorized
under criteria established by an Executive Order or an Act
of Congress to be kept secret in the interest of national
defense or foreign policy."
[2]: RACF is an IBM-licensed product that provides access
control by identifying and verifying users to the system,
authorizing access to protected resources, logging detected
accesses to protected resources, and logging detected
unauthorized attempts to enter the system.
DETAILS OF WEAKNESSES AND RECOMMENDATIONS
COMPUTER CENTER MANAGEMENT AND OPERATIONS
A. Background Clearances
Condition: In our prior report, we recommended that Service
Center management require all contractor employees
to have proper background clearances. However,
during our current audit, we found that contractor
personnel at the ADP Services Division had received
background clearances but that not all contractor
personnel at the FPPS and Financial Systems
Divisions had received background clearances.
Additionally, Service Center Federal personnel
involved in designing, developing, operating, or
maintaining sensitive automated systems did not
have background checks and security clearances
commensurate with their job responsibilities and
the sensitivity of the information accessed.
Specifically, 154 of the 189 Service Center
employees who performed these ADP-related duties
did not have the appropriate ADP background
clearances.
Criteria: Office of Management and Budget Circular A-130,
Appendix III, "Security of Federal Automated
Information Resources," requires agencies to
establish and manage security policies, standards,
and procedures that include requirements for
screening individuals participating in the design,
development, operation, or maintenance of sensitive
applications or those having access to sensitive
data. In addition, the Departmental Manual (441 DM
4.6) requires position sensitivity levels of "non-
critical sensitive" or "critical sensitive" and
associated security clearances for ADP-related
positions for which employees are required to
design, test, operate, and maintain sensitive
computer systems. Security clearances are also
required of employees who have access to or process
sensitive data requiring protection under the
Privacy Act of 1974. Further, the Departmental
Manual (441 DM 5.15) requires that all consultants
or contractors performing ADP-related sensitive and
critical duties have background investigations to
determine position suitability and to receive a
security clearance.
Cause: Service Center management had not uniformly
developed and implemented, across all Service
Center Divisions, personnel security policies
requiring contractor personnel who perform ADP-
related sensitive and critical duties to be
screened for position suitability. Additionally,
Service Center management did not ensure that the
level of position sensitivity for ADP-related
positions was assigned at the level commensurate
with the risk and sensitivity of the data accessed
and processed and that background checks were
performed on employees who filled these positions.
Effect: Without proper personnel background investigations,
managers had limited knowledge of the suitability of
their employees and contractors, from a security
standpoint, for their respective jobs. Without this
assurance, there was an increased risk that the
Service Center's sensitive systems could be impaired
or compromised by personnel.
Recommendations
We recommend that the Director, Administrative Service
Center:
1. Develop and implement policies and procedures which
require contractor employees who fill ADP-related sensitive
or critical positions to have documented suitability
screening and proper background investigations and
appropriate security clearances.
2. Evaluate the position sensitivity of ADP-related
positions, assign position sensitivity levels in accordance
with the Departmental Manual, and ensure that those
employees working on sensitive systems have the proper
background investigations and security clearances before
they are assigned to the positions.
APPENDIX 1
Page 1 of 11
COMPUTER CENTER MANAGEMENT AND OPERATIONS
B. Operating Efficiencies
Condition: At the Service Center, each division
controlled the process of moving changed
software from the test to the production
environment, different software tools were
used to control the movement of the changed
software, and internal and external clients
controlled their mainframe computer
production scheduling.
Criteria: Office of Management and Budget Circular A-130
states that management should oversee its processes
to maximize return on investment and minimize
financial and operational risk. Further, the
Circular requires that financial management systems
conform to the requirements of Office of Management
and Budget Circular A-127, "Financial Management
Systems." Circular A-127 requires that agency
financial management systems process financial
events effectively and efficiently.
Cause: Service Center management did not ensure that its
processes were operating efficiently because of
preferences of internal and external clients and
because management had not developed and
implemented consistent standards for controlling
operational processes.
Effect: There was an increased risk that changed software
would negatively impact the mainframe computer
operating system; costs of maintaining different
software tools would increase Service Center
operating costs, which would be passed on to clients;
and mainframe computer usage could be reduced.
Additionally, without centralized control of
production scheduling, there was an increased risk
that critical processing jobs would not receive the
required priority.
Recommendation:
We recommend that the Director, Administrative Service
Center, in coordination with the Service Center's internal and external
clients, evaluate the feasibility of centralizing the
process of moving changed software from the test environment
to the production environment, using standardized software
tools to control the software change process, and
centralizing mainframe computer production scheduling.
C. Application Software Change Management Controls
Condition: Software changes made to the FPPS during the latter
stages of development and the early stages of
implementation were not approved, reviewed, or
evaluated adequately before changed software was
installed for use in production; documentation was
not adequate to monitor changes made to the
software; and available library control software[1]
was not implemented to ensure consistency and
completeness throughout the FPPS application.
Criteria: Federal Information Processing Standards
Publication 106, "Guideline on Software
Maintenance," provides guidelines for managing
software maintenance. Publication 106 states that
all software changes should be carefully evaluated
and formally reviewed prior to installing the
changed software. The publication further states,
"In order to monitor maintenance effectively, all
activities must be documented. . . . The key to
successful documentation is that not only must the
necessary information be recorded, it must be
easily and quickly retrievable by the maintainer."
In addition, FPPS Division policies and procedures
require that all changes to the FPPS application be
thoroughly documented, be accepted by all involved
parties, and pass a quality assurance review.
Cause: FPPS Division management did not ensure that
Division personnel followed software change
management practices for making software changes to
the FPPS application because of the time
constraints to implement FPPS and because FPPS was
encountering problems and was considered by
Division personnel to be unstable. In addition, we
found that FPPS Division management did not hold
its personnel accountable for complying with
Division policies and procedures when they made
changes to the FPPS application. Further, FPPS
Division management said that they did not
implement the available library control software,
which would ensure adequate documentation of the
FPPS application, because at that time, the vendor
library control software was not working correctly.
Effect: There was an increased risk that the changes made to
the FPPS application would not perform according to
specifications, which could adversely affect user
satisfaction and could adversely impact other
applications interfacing with the FPPS application or
the mainframe operating system.
Recommendations:
We recommend that the Director, Administrative Service
Center:
1. Require that software changes be adequately reviewed
and approved before the changes are implemented.
2. Implement procedures to ensure that all software
changes to the FPPS application are properly documented.
3. Implement the available library control software when
corrected to ensure adequate documentation of the FPPS
application.
**FOOTNOTES**
[1]: Library control software is a system for keeping track
of changes to and versions of software programs, documenting
components to build executable programs, and preventing
unauthorized access to program files.
D. Operating System Software Change Management
Condition: Change controls over the mainframe computer
operating system software were not adequate. The
ADP Services Division change control procedures did
not address adequate separation of duties between
the development, test, and installation functions.
Thus, one individual could perform all of these
critical functions. In addition, the change control
procedures did not ensure that all changes were
properly approved by Division management. While
the change management procedures required approval
of all software changes, changes were made without
documented evidence of approval.
Criteria: Appendix III of Office of Management and Budget
Circular A-130 states that one of the minimum
controls required in a general support system is
personnel controls. One such control is separation
of duties, which is "the practice of dividing the
steps in a critical function among different
individuals." Also, Federal Information Processing
Standards Publication 106 states that "to be
effective, the policy should be consistently
applied and must be supported and promulgated by
upper management to the extent that it establishes
an organizational commitment to software
maintenance." In addition, Publication 106 states
that "prior to installation, each change
(correction, update, or enhancement) to a system
should be formally reviewed." Finally, Division
system change request procedures require that all
change requests be approved by the appropriate
branch chief.
Cause: ADP Services Division management did not ensure
that appropriate separation of duties existed in
developing and testing mainframe operating system
software and parameter changes and in moving
operating system software and parameter changes
into the production environment, although the
number of employees within the Division may allow
for a separation of these duties. Additionally,
Division management had not implemented controls to
ensure that the process of making system software
changes was in compliance with its documented
procedures. Further, management had not implemented
procedures to require periodic reviews of critical
datasets and system parameters to identify
inappropriate changes to the mainframe operating
system environment. Although Division management
had implemented a change control software tool that
provided a systematic and automated means of
controlling the movement of software changes, all
the capabilities of the software tool were not
implemented because of other Division priorities.
Effect: There was an increased risk that unauthorized,
untested, and undocumented changes could be made to
the mainframe computer operating system software and
parameters, which would affect system processing and
data integrity, and that these changes would not be
detected or detected in a timely manner.
Recommendations:
We recommend that the Director, Administrative Service Center:
1. Evaluate current ADP Services Division procedures and
determine the feasibility of implementing controls in the
change management process over operating system software to
ensure that adequate separation of duties is addressed and
complied with.
2. Develop procedures and implement controls to ensure
that changes to the operating system parameters are
identified, approved by ADP Services Division management,
and documented.
3. Develop procedures requiring periodic reviews of
critical datasets and system parameters.
4. Evaluate implementing available capabilities in the
current change control software tool to more effectively
control changes to the operating system software.
MAINFRAME COMPUTER OPERATING SYSTEM SOFTWARE
E. System Audit Tools
Condition: Service Center management did not use available
mainframe computer operating system audit tools
that would improve integrity over system processing
and data and that would detect inappropriate
actions by authorized users. Specifically:
- Operating system integrity verification and
audit software was not used. Such software could
assist data center and installation security
management in identifying and controlling the
mainframe computer operating system's security
exposures that may result from system setting
options; from installing "back doors" to the
operating system; and from introducing viruses and
Trojan horses, which can destroy production
dependability and circumvent existing security
measures.
- Computer operators and system programmers had
the capability to change the system initialization
process and thus affect system processing. System
options that would log the results in the SYSLOG[2]
of actions taken by the computer operators and
system programmers affecting mainframe operating
system configuration were not implemented.
Therefore, an audit trail of the system
initialization process and changes to the operating
system configuration could not be produced for
periodic review. Based on recommendations made by
our audit staff during the review, Service Center
management implemented the logging capabilities
within the system; however, procedures had not been
developed and implemented to require periodic
reviews of the logs.
- Periodic reviews of critical System Management
Facility (SMF)[3] logs to identify unauthorized
changes to data by authorized users and critical
events affecting system processing were not
performed. For example, reviews were not performed
of record type 7, which records when the system
audit trail is lost, and record type 90, which
records events such as SET TIME, SET DATE, and SET
SMF, all of which affect system processing and
audit trails.
Criteria: Appendix III of Office of Management and Budget
Circular A-130 requires agencies to establish
controls to ensure adequate security for all
information processed, transmitted, or stored in
Federal automated information systems. In
addition, the Circular states that individual
accountability is one of the personnel controls
required in a general support system. The Circular
further states that an example of one of the
controls to ensure individual accountability
includes reviewing or looking at patterns of users'
behavior, which requires periodic reviews of the
audit trails. Also, the National Institute of
Standards and Technology's "An Introduction to
Computer Security: The NIST Handbook" states that
audit trails are "technical mechanisms" to achieve
individual accountability.
Cause: Service Center management did not acquire operating
system integrity and verification software, did not
encourage the use of available system audit trails
to detect and identify inappropriate actions
affecting the system processing and data integrity,
and did not establish procedures requiring periodic
reviews of available system logs. Instead, Service
Center management relied on its staff to make
appropriate changes to the system initialization
process and on authorized users to make only
appropriate changes.
Effect: As a result, there was an increased risk that
mainframe computer operating system security
exposures would not be identified. Additionally,
without periodic reviews of the system audit trails,
there was an increased risk that processing problems
or unauthorized activities would not be detected or
detected timely and that the responsible individuals
would not be held accountable for the inappropriate
actions.
Recommendations:
We recommend that the Director, Administrative Service
Center:
1. Evaluate acquiring system verification and auditing
software.
2. Develop and implement procedures to ensure that
periodic reviews are performed of the SYSLOG and critical
SMF logs to identify unauthorized or inappropriate
activities and that unauthorized or inappropriate activities
are reported to Service Center management.
**FOOTNOTES**
[2]: SYSLOG is an audit trail that logs the results of actions taken by
computer operators and system programmers during system initialization.
[3]: The System Management Facility (SMF) logs record all system activity
and serve as an audit trail of system activity, including identifying
users who performed the activity.
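The periodic SMF review recommended in Finding E above, as an added example in Python that is not part of the OIG report: it flags type 7 records (lost SMF data, a gap in the audit trail) and the type 90 SET TIME, SET DATE and SET SMF commands, and tallies them by user ID for accountability. The pipe-delimited export layout and every record in SAMPLE_EXPORT are constructed for this example; real SMF records are binary and would first be dumped with a site reporting tool.

```python
"""Added example, not from the OIG report: review of an SMF activity export
for the critical record types the report names (type 7 and type 90)."""
from collections import Counter
from dataclasses import dataclass

# Type 90 commands the report calls out as affecting processing and audit trails.
CRITICAL_SET_COMMANDS = {"SET TIME", "SET DATE", "SET SMF"}

# Constructed export: timestamp|record type|user ID|detail (not real SMF data).
SAMPLE_EXPORT = """\
# constructed export: timestamp|record type|user ID|detail
1998-06-01T02:00:05|30|PAYJOB01|step end PAYROLL
1998-06-01T02:10:44|90|OPER02|SET DATE=98.152
1998-06-01T02:11:03|90|OPER02|SET TIME=03.00.00
1998-06-01T02:15:00|7|SYSTEM|SMF data lost, 412 records
1998-06-01T02:20:12|90|SYSPRG1|SET SMF=03
1998-06-01T02:25:30|90|OPER02|SET MPF=01
1998-06-01T03:00:00|60|SYSPRG1|VSAM update SYS1.PARMLIB
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    record_type: int
    userid: str
    detail: str
    reason: str


def parse_record(line):
    """Split one export line into (timestamp, record type, user ID, detail)."""
    timestamp, rtype, userid, detail = line.split("|", 3)
    return timestamp, int(rtype), userid, detail.strip()


def review(export_text):
    """Return the Finding list a reviewer should examine, in log order."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        timestamp, rtype, userid, detail = parse_record(line)
        if rtype == 7:
            # Lost records mean activity in that window cannot be reconstructed.
            findings.append(Finding(timestamp, 7, userid, detail,
                                    "audit trail gap: SMF records lost"))
        elif rtype == 90:
            # In the constructed detail field the command keyword precedes "=".
            command = detail.split("=", 1)[0].strip().upper()
            if command in CRITICAL_SET_COMMANDS:
                findings.append(Finding(timestamp, 90, userid, detail,
                                        f"{command} affects processing and audit trails"))
    return findings


def by_userid(findings):
    """Count flagged actions per user ID to support individual accountability."""
    return dict(Counter(f.userid for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_EXPORT):
        print(f"{f.timestamp} type {f.record_type:>2} {f.userid:<8} {f.reason}")
    print(by_userid(review(SAMPLE_EXPORT)))
```

The SET MPF record is deliberately left unflagged: the review targets only the commands the report identifies as affecting processing and audit trails.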
F. Mainframe Operating System Options
Condition: ADP Services Division management did not
implement mainframe operating system
options that would strengthen controls over
computer programs which access sensitive
operating system functions. We found 13
libraries[4] that were able to run in the
"Authorized Program Facility (APF)-
authorized" state, even though the
libraries were not required to run in the
APF. By running in the APF-authorized
state, these libraries may be considered
part of the mainframe operating system and
thus have access to all of the mainframe
resources.
Criteria: IBM's publication titled "OS/390 Initialization and
Tuning Reference" states that "the parameter
LNKAUTH specifies whether all libraries" in the
LNKLST** member[5] "are to be treated as Authorized
Program Facility (APF)-authorized when accessed as
part of the concatenation, or whether only those
libraries that are named in the APF table are to be
treated as APF-authorized."[6] Additionally, the
publication addresses managing system security and
states that the "authorized program facility (APF)
allows your installation to identify system or user
programs that can use sensitive system functions."
Cause: Division management implemented the default
LNKAUTH option (LNKLST), which allowed libraries within the LNKLST**
member to run in the APF-authorized state. An
alternative option (APFTAB) is provided which
requires only those libraries that are named
specifically in the APF table to be able to run in
the APF-authorized state. The 13 libraries were
automatically added to the LNKLST** member when the
operating system was upgraded in July 1997.
Because Division management did not review the
members used to define APF-authorized libraries,
these 13 libraries remained in the LNKLST** member.
Further, because Division management implemented
the LNKLST option, these 13 libraries were
unnecessarily provided the ability to run in the
APF-authorized state. Therefore, management did
not have assurance that only approved libraries had
access to sensitive operating system functions.
Based on recommendations of our audit staff during
the review, the libraries were removed from the
LNKLST** member. However, if the APFTAB option had
been used, Division personnel would have been
required to enter the 13 library names into the APF
table, thus providing additional assurance that
only approved libraries would run in the APF-
authorized state.
Effect: By implementing the LNKLST option rather than the
APFTAB option, the risk increased for unauthorized
libraries to run in an authorized state, thus
bypassing operating system controls, and for system
integrity to be lost.
Recommendations:
We recommend that the Director, Administrative Service Center:
1. Evaluate the feasibility of using the APFTAB option,
thus providing additional assurance that only approved
libraries would run in the APF-authorized state.
2. Perform periodic reviews of all members used to define
the APF-authorized libraries to ensure that only those
required to run in the APF-authorized state are given this
authority.
**FOOTNOTES**
[4]: A library is a collection of programs or data files or a
collection of functions (subroutines) that are linked into the main
program when it is compiled. (The Computer Language Company, Inc.,
Computer Desktop Encyclopedia, Version 9.4, 4th Quarter, 1996.)
[5]: Concatenation means to link together in a series or chain.
(Webster's Ninth New Collegiate Dictionary, Merriam-Webster Inc.,
Springfield, Massachusetts, 1989, p. 271.)
[6]: LNKLST** member "defines the collection of program libraries to be
searched, in sequence, for programs when no specific [library] has been
supplied in the job stream." (Mark S. Hahn, CONSUL Risk Management, Inc.,
A Guide to SYS1.PARMLIB, Monograph Series 4, The Information Systems
Audit and Control Foundation, Inc., Rolling Meadows, Illinois,
February 1996, p. 38.)
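The LNKAUTH rule quoted in Finding F above, as an added example in Python that is not from the OIG report or IBM documentation: a simplified model of which LNKLST libraries are treated as APF-authorized under LNKAUTH=LNKLST versus LNKAUTH=APFTAB, and a review that sorts each LNKLST library into approved, needs an APF table entry, or authorized only because of the LNKLST option. The dataset names and the REQUIRED_APF list are constructed sample input, not the Service Center's 13 libraries.

```python
"""Added example, not from the OIG report or IBM: simplified model of the
LNKAUTH=LNKLST / LNKAUTH=APFTAB rule for reviewing APF-authorized libraries."""

# Constructed review input (sample names, not the Service Center's libraries).
LNKLST_LIBRARIES = [
    "SYS1.LINKLIB", "SYS1.CSSLIB", "SYS1.MIGLIB",
    "VENDOR.TOOLS.LOADLIB", "APPL.REPORTS.LOAD", "TEST.UTIL.LOAD",
]
APF_TABLE = ["SYS1.LINKLIB", "SYS1.CSSLIB", "SYS1.MIGLIB", "SYS1.VTAMLIB"]
# Libraries the installation has determined actually need APF authorization
# (assumed for this example; in practice this comes from the software owners).
REQUIRED_APF = {"SYS1.LINKLIB", "SYS1.CSSLIB", "SYS1.MIGLIB",
                "SYS1.VTAMLIB", "VENDOR.TOOLS.LOADLIB"}


def effective_apf(lnkauth, lnklst, apf_table):
    """Libraries treated as APF-authorized when accessed via the concatenation.

    LNKLST: every LNKLST library plus the APF table (the report's finding).
    APFTAB: only libraries explicitly named in the APF table.
    """
    if lnkauth == "LNKLST":
        return set(lnklst) | set(apf_table)
    if lnkauth == "APFTAB":
        return set(apf_table)
    raise ValueError(f"unknown LNKAUTH value: {lnkauth!r}")


def authorized_without_approval(lnkauth, lnklst, apf_table):
    """LNKLST libraries that run authorized although no one added them to the
    APF table: the assurance gap the report describes under LNKAUTH=LNKLST."""
    return sorted(effective_apf(lnkauth, lnklst, apf_table) - set(apf_table))


def classify_lnklst(lnklst, apf_table, required):
    """Sort each LNKLST library into the action a reviewer would take."""
    result = {"approved": [], "needs_apf_entry": [], "unnecessary": []}
    for lib in lnklst:
        if lib in apf_table:
            result["approved"].append(lib)
        elif lib in required:
            # Would lose authorization under APFTAB until explicitly added,
            # which is exactly the review step the report wants to force.
            result["needs_apf_entry"].append(lib)
        else:
            # Authorized today only because of LNKAUTH=LNKLST: the finding.
            result["unnecessary"].append(lib)
    return result


if __name__ == "__main__":
    for option in ("LNKLST", "APFTAB"):
        gap = authorized_without_approval(option, LNKLST_LIBRARIES, APF_TABLE)
        print(f"LNKAUTH={option}: authorized without APF table entry -> {gap}")
    print(classify_lnklst(LNKLST_LIBRARIES, APF_TABLE, REQUIRED_APF))
```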
APPENDIX 2
Page 1 of 6
SUMMARY OF RECOMMENDATIONS AND
CORRECTIVE ACTIONS FOR AUDIT REPORT
"MAINFRAME COMPUTER POLICIES AND PROCEDURES, DENVER
ADMINISTRATIVE SERVICE CENTER,
BUREAU OF RECLAMATION" (No. 97-I-683)
--------------------------------------------------------
Recommendation                     Status of Recommendation and
                                   Corrective Action
--------------------------------------------------------
A.1. Require all contractor employees to have proper background
     clearances.
     Status: Implemented. All contractor employees in the ADP Services
     Division are required to have background clearances. However, the
     current review found that contractor employees in other Service
     Center Divisions did not have appropriate clearances.
--------------------------------------------------------
B.1. Enhance the intruder detection settings to suspend a user
     account, after unsuccessful access attempts, for a period of time
     long enough to ensure that the user will have to contact an
     administrator to have the user ID reset.
     Status: Implemented. NetWare intruder lockout settings have been
     modified on all production servers to suspend a user
     identification (ID) for a period of 24 hours after three incorrect
     log-in attempts have been made within a 24-hour period.
--------------------------------------------------------
C.1. Develop and periodically update a disaster recovery plan for
     the LAN.
     Status: Implemented. Subsequent to the completion of current
     fieldwork, the LAN Disaster Recovery Plan was completed.
--------------------------------------------------------
D.1. Ensure that LAN security and password features are implemented
     which will require all users to change individual passwords every
     90 days; enforce unique password use; and limit concurrent
     multiple or unlimited connections to one per user and grant
     additional connections on an as-needed basis.
     Status: Implemented. The password change interval has been revised
     to 90 days or less on all servers. Unique passwords are required
     for all users. Concurrent multiple connection authority has been
     removed from all accounts except for those where a demonstrated
     need exists.
--------------------------------------------------------
D.2. Include the "SECURE CONSOLE" command in the AUTOEXEC.NCF file on
     all file servers to prevent users from gaining access to the
     system files in DOS mode.
     Status: Implemented. A procedure to secure the console on all
     Service Center file servers was implemented. At the monitor
     console screen, the "LOCK FILE SERVER CONSOLE OPTION" was
     implemented to lock the system console manually whenever the
     server is initialized.
--------------------------------------------------------
D.3. Ensure that the command "SET ALLOW UNENCRYPTED PASSWORD=ON" is
     not present in the AUTOEXEC.NCF file.
     Status: Partially implemented. All Service Center NetWare servers
     will be configured to require encrypted passwords when all Service
     Center NetWare file servers have been migrated to NetWare
     Directory Services. This is 75 percent implemented. The target
     date for full implementation originally was March 31, 1998, but
     the date has been changed to September 30, 1998.
--------------------------------------------------------
E.1. Coordinate with the client to limit Service Center users' access
     to the "least privileged" in the FFS application; that is,
     assurance should be provided that any user authorized to enter or
     change the vendor table does not also have access to disbursing
     documents.
     Status: Implemented. As requested by the Service Center, the
     client has changed FFS security so that no employee has access to
     both vendor tables and disbursement documents.
--------------------------------------------------------
F.1. Document procedures for the issuance of key cards and require
     that the procedures be instituted for vendors in addition to
     contractors and Federal employees.
     Status: Implemented. Procedures for the issuance of card keys for
     vendors, contractors, and Federal employees have been documented.
--------------------------------------------------------
F.2. Evaluate the need for individuals outside of the ADP Services
     Division to be issued permanent card keys because such access
     should be limited to those individuals performing their
     day-to-day duties.
     Status: Implemented. The evaluation has been completed. Permanent
     card keys are issued to only those individuals deemed appropriate.
--------------------------------------------------------
F.3. Document procedures to ensure the Service Center's compliance
     with the Department of the Interior Automated Information Systems
     Handbook regarding visitor (such as maintenance personnel,
     janitorial staff, and vendors) monitoring.
     Status: Implemented. Procedures for monitoring visitor access to
     the computer room have been documented in compliance with the
     Departmental Handbook.
--------------------------------------------------------
G.1. Evaluate the feasibility of setting the parameters in RACF
     security software to require one numeric or special character as
     part of the password, as recommended by the Bureau's Security
     Administrator.
     Status: Implemented. Evaluation of using one numeric or special
     character as part of the Service Center standard password has been
     completed. Service Center management, in coordination with its
     clients, determined that requiring numeric or special characters
     as part of the password was not feasible.
--------------------------------------------------------
G.2. Reevaluate the standard RACF password change intervals and
     revocation settings to ensure that the level of risk associated
     with the mainframe applications and the current password settings
     is acceptable to the Service Center, as well as to its clients and
     the Department, and address the results in a current risk
     assessment.
     Status: Partially implemented. The Service Center issued a
     memorandum to the system owners in October 1997 outlining the
     alternatives identified in the feasibility study referenced in
     Recommendation G.1. System owners responded in December 1997,
     agreeing to reduce the expiration period for passwords from 180
     days to 90 days, reduce the allowable period of inactivity of a
     user ID from 180 days to 90 days, and remove inactive user IDs
     from the system after 1 year of inactivity. With the exception of
     one client, all inactive users are removed manually once a month.
     Procedures for removing Social Security inactive users are being
     developed.
--------------------------------------------------------
H.1. Evaluate the feasibility of limiting the number of Service Center
     users who have access authority to alter SMF logs.
     Status: Implemented. Evaluation has been completed. This authority
     has been limited to three senior-level system programmers who work
     in the System Software Management Branch.
--------------------------------------------------------
H.2. Ensure that the SMF record type 60 logging is active or RACF
     settings are adjusted to specifically audit critical datasets
     maintained on the mainframe computers and to therefore provide an
     audit trail of system activity.
     Status: Implemented. Batch and TSO type 60 records are written to
     the SMF log. Type 60 record collection has been activated for
     "started tasks" as well.
--------------------------------------------------------
I.1. Evaluate the extent to which the "OPERATIONS" attribute should be
     available to Service Center user IDs. Specifically, the use of
     other more restrictive RACF authorities (such as DASDVOL
     authority) should be considered where possible.
     Status: Implemented. Evaluation has been completed. Assignment of
     the OPERATIONS attribute has been restricted to employees who need
     the attribute to perform their duties.
--------------------------------------------------------
I.2. Activate the security feature RACF OPERAUDIT and ensure that
     security personnel perform periodic reviews of the resultant logs
     to identify unauthorized activity.
     Status: Implemented. The feature OPERAUDIT has been activated, and
     the resultant logs will be reviewed on a quarterly basis by the
     Service Center Computer Security Manager.
--------------------------------------------------------
J.1. Ensure that the group responsible for monitoring security
     performs periodic reviews of user access levels to identify
     required necessary changes and to ensure that user access levels
     are authorized.
     Status: Partially implemented. The identification of critical
     datasets has been completed, and a requirement to perform periodic
     reviews of reports auditing the critical datasets has been
     established. Performance of these actions would enable monitoring
     personnel to identify user access levels; however, the actions
     would not ensure that the user access level was authorized.
     Therefore, procedures need to be established to compare the
     critical dataset reports with approved user authorization
     requests.
--------------------------------------------------------
J.2. Institute a policy of "least privileged" access levels to ensure
     that access to resources and data is limited to those users who
     require such access.
     Status: Implemented. A policy of "least privileged" access is in
     place.
--------------------------------------------------------
K.1. Evaluate the staffing requirements of the group responsible for
     monitoring security to ensure the separation of duties within
     RACF.
     Status: Implemented. The ADP Services Division has completed the
     evaluation and has identified adequate staffing within the
     Division for accomplishing the separation of the security
     administration and auditing functions. The security administration
     function will be maintained with the same staffing levels. The
     security auditing function will be placed within a quality
     management function in the Division's IRM and Customer Service
     Branch.
--------------------------------------------------------
L.1. Document and implement procedures to ensure that Decentralized
     Security Administration Facility records are updated for oral
     access adjustments to allow for the reconciliation of access
     requested with access allowed.
     Status: Implemented. While the Bureau disagreed with the
     recommendation, it has taken action to modify existing policy and
     procedures to reflect a new process.
--------------------------------------------------------
M.1. Provide resources to ensure the development of a computer
     security plan for the sensitive systems in accordance with the
     Computer Security Act and Circular A-130, Appendix III.
     Status: Implemented. A computer security plan for 1997 was
     developed and submitted to the Department of the Interior's Office
     of Information Resources Management.
--------------------------------------------------------
N.1. Perform a risk analysis of the Service Center's computer center
     and its applications.
     Status: Implemented. A risk analysis of the computer center has
     been completed.
--------------------------------------------------------
N.2. Update the existing Continuity of Operations Plan for the
     mainframe, sensitive applications, and telecommunications links so
     that the current operating environment is documented.
     Status: Implemented. The Continuity of Operations Plan has been
     updated for the mainframe, sensitive applications, and
     telecommunications links.
--------------------------------------------------------
O.1. Develop a comprehensive business recovery plan, which includes
     procedures for its business functions.
     Status: Implemented. Subsequent to the completion of fieldwork,
     the business recovery plan was completed. The plan will be
     evaluated during the next annual review.
--------------------------------------------------------
APPENDIX 4
STATUS OF CURRENT AUDIT REPORT RECOMMENDATIONS
--------------------------------------------------------
Finding/Recommendation
Reference              Status           Action Required
--------------------------------------------------------
C.1 and C.2            Implemented.     No further action is required.
--------------------------------------------------------
A.1, A.2, B.1, C.3,    Resolved; not    No further response to the
D.1, D.2, D.3, D.4,    implemented.     Office of Inspector General is
E.1, E.2, F.1, and                      required. The recommendations
F.2                                     will be referred to the
                                        Assistant Secretary for Policy,
                                        Management and Budget for
                                        tracking of implementation.
--------------------------------------------------------
APPENDIX 4
STATUS OF PRIOR AUDIT REPORT RECOMMENDATIONS
--------------------------------------------------------
Finding/Recommendation
Reference              Status           Action Required
--------------------------------------------------------
A.1, B.1, C.1, D.1,    Implemented.     No further action is required.
D.2, E.1, F.1, F.2,
F.3, G.1, H.1, H.2,
I.1, I.2, J.2, K.1,
L.1, M.1, N.1, N.2,
and O.1
--------------------------------------------------------
D.3, G.2, and J.1      Resolved; not    No further response to the
                       implemented.     Office of Inspector General is
                                        required. The information
                                        regarding the status of these
                                        recommendations will be provided
                                        to the Assistant Secretary for
                                        Policy, Management and Budget
                                        for tracking of implementation.
--------------------------------------------------------
ILLEGAL OR WASTEFUL ACTIVITIES SHOULD BE REPORTED TO THE OFFICE
OF INSPECTOR GENERAL BY:
Sending written documents to:
Within the Continental United States
U.S. Department of the Interior
Office of Inspector General
1849 C Street, N.W.
Mail Stop 5341
Washington, D.C. 20240
Calling:
Our 24 hour
Telephone HOTLINE
1-800-424-5081 or
(202) 208-5300
TDD for hearing impaired
(202) 208-2420 or
1-800-354-0996
Outside the Continental United States
Caribbean Region
U.S. Department of the Interior
Office of Inspector General
Eastern Division - Investigations
1550 Wilson Boulevard
Suite 410
Arlington, Virginia 22209
Calling:
(703) 235-9221
North Pacific Region
U.S. Department of the Interior
Office of Inspector General
North Pacific Region
238 Archbishop F.C. Flores Street
Suite 807, PDN Building
Agana, Guam 96910
Calling:
(700) 550-7428 or
COMM 9-011-671-472-7279