[Audit Report on Implementation of Recommendations for Improving Mainframe Computer Policies and Procedures at the Administrative Service Center]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 99-I-938

Title: Audit Report on Implementation of Recommendations for Improving
       Mainframe Computer Policies and Procedures at the Administrative
       Service Center 

Date:  September 30, 1999

**********DISCLAIMER********** 
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. 

A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202)219-3841. 
*********************************

AUDIT REPORT

Memorandum

To:  Director, National Business Center, Office of the Secretary

From:  Robert J. Williams
Assistant Inspector General for Audits

Subject:  Audit Report on Implementation of Recommendations for Improving Mainframe Computer Policies and Procedures at the Administrative Service Center  (No. 99-I-938)

INTRODUCTION
	
This report presents the results of our audit of the implementation of recommendations contained in our August 1998 audit report titled "Followup of Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 98-I-623) and our March 1997 audit report titled "Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 97-I-683).  The objective of the audit was to determine whether the Administrative Service Center1 satisfactorily implemented recommendations in our prior audit reports and whether any new recommendations were warranted.  This audit supports the audits of the financial statements of the Department of the Interior and the Service Center's clients.

BACKGROUND

The Administrative Service Center in Denver, Colorado, is one of two administrative service centers within the Department of the Interior.  The Service Center's mission is "to improve economy and efficiency in government through the delivery of standard, automated administrative systems and centralized operations."  Specifically, the Service Center provides (1) consolidated payroll and personnel services for about 160,000 employees in the Department of the Interior and nine other Federal agencies and (2) Government accounting, integrated budgeting, and reporting services through the Federal Financial System (FFS) to three Departmental and six other Federal agencies.  During our audit, payroll and personnel services were provided through the Payroll/Personnel System (PAY/PERS) and the Federal Personnel Payroll System (FPPS).  However, effective December 6, 1998, all payroll and personnel services  were provided through FPPS.


The Service Center provides its services on a cost-reimbursable basis through the Bureau's Working Capital Fund.  The Service Center is organized into six divisions, which "provide data center, application, system, and operational support to the organization and clients" as follows:  

- The ADP Services Division is responsible for (1) planning, developing, and operating the Service Center's computer center functions and (2) operating and maintaining computers, system software, and data communication networks.  To assist the Division in carrying out its functions, the Service Center has contracted with an information technology solutions provider.  The Division provides data processing support for the Departmental standardized administrative sensitive systems.2  To support these systems, the computer center operates an IBM mainframe computer using the "OS/390" operating system to manage the processing work load.  The access control security software installed on the mainframe computer is the Resource Access Control Facility (RACF),3 which controls users' and computer programs' access to the mainframe computer resources.  Additionally, other system software, such as database management, telecommunications, and specialized vendor software, resides on the mainframe computer and is used to support the sensitive systems.  Data center operations provide users with computer and communications equipment and infrastructure, systems software, and operational support.  The Division manages data center operations through scheduling activities, planning for contingencies and capacity, and providing user support.  The Division also manages the information resources security program.

- The FPPS Division is responsible for managing the development, implementation, maintenance, and operation of the FPPS application.  These responsibilities include controlling software changes; providing technical assistance to users; and managing tests of the application, converting data, and implementing the FPPS application.  The Service Center has contracted with Computer Sciences Corporation to assist the Division in carrying out its functions.

- The Application Management Office directs the program activities of the Departmental administrative applications assigned to the Service Center.

- The Payroll Operations Division plans, develops, executes, and manages the interagency payroll program delivered by the Service Center and performs payroll administration and services for all payroll clients.


- The Financial Systems Division provides functional and technical support to clients using FFS and related financial applications.

- The Management Services Division provides Service Center administrative support.

SCOPE OF AUDIT

The scope of our audit included an evaluation of the actions taken by Service Center management to implement the 24 recommendations made in our March 1997 audit report and the 14 recommendations made in our August 1998 report and a review of the general controls in place during fiscal year 1998.  To accomplish our objective, we interviewed Service Center personnel, reviewed systems documentation, and reviewed and tested implementation of the prior audit recommendations.  Because our audit was limited to evaluating the adequacy of internal controls at the Service Center, we did not test the effectiveness of the internal controls at the various agencies and clients supported by the Service Center.



Our audit was conducted in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States.  Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our audit, we evaluated the Service Center's general controls over its mainframe computer and application systems that could adversely affect the data processing environment.  The control weaknesses that we identified are summarized in the Results of Audit section of this report. If implemented, our recommendations should improve the general controls in the areas cited.  Because of inherent limitations in any system of internal controls, losses, noncompliance, or misstatements may occur and not be detected.  We also caution that projecting our evaluations to future periods is subject to the risk that controls or the degree of compliance with the controls may diminish.

PRIOR AUDIT COVERAGE

During the past 5 years, the General Accounting Office has not issued any reports related to the scope of this audit.  However, the Office of Inspector General has issued three related reports as follows:

- The March 1994 audit report "Compliance With the Computer Security Act of 1987, Denver Administrative Service Center, Bureau of Reclamation" (No. 94-I-357) stated that the Service Center generally complied with the requirements of the Act but that improvements were needed in the areas of security and operations.  Since the Service Center was addressing all of the deficiencies identified, the report did not contain any recommendations.


- The March 1997 audit report "Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 97-I-683) stated that deficiencies identified in our March 1994 report relating to performing a risk analysis of the Service Center's local area networks and separating duties by using RACF security software still existed.  This report contained 24 recommendations for improving management and internal controls at the Service Center.

- The August 1998 audit report "Followup of Mainframe Computer Policies and Procedures, Administrative Service Center, Bureau of Reclamation" (No. 98-I-623) stated that deficiencies identified in our March 1997 report relating to performing background clearances for contractor employees still existed.  This report contained 14 recommendations for improving management and internal controls at the Service Center.  We reviewed actions taken by Service Center management to implement these recommendations as part of our current audit, the results of which are summarized in the Results of Audit section and discussed in Appendix 2 of this report.



RESULTS OF AUDIT

Regarding the 24 recommendations contained in our March 1997 audit report, we found that the Service Center had satisfactorily implemented 23 recommendations and had partially implemented 1 recommendation (No. G.2) (see Appendix 1).  During the current audit, we found that the scheduled completion date for the unimplemented recommendation was changed from September 30, 1997,  to September 30, 1999.

Regarding the 14 recommendations contained in our August 1998 report, we found that the Service Center had implemented 7 recommendations, had partially implemented 4 recommendations, and had not implemented 3 recommendations (see Appendix 2).  During the current audit, we found that the actions needed to implement the partially implemented and unimplemented recommendations were scheduled to be completed from October 1, 1999, to April 1, 2000.  

The actions taken to implement 30 of the recommendations and the progress made to implement the remaining 8 recommendations have improved the controls in the areas of computer center management and operations, local area network protection, mainframe physical and logical security, software change management, and service continuity.

Regarding our evaluation of the general controls during this audit, we believe that, overall, the controls were operating with no material weaknesses.  However, we found that improvements were needed in the area of continuity of operations.  Office of Management and Budget Circular A-130, "Management of Federal Information Resources," defines minimal sets of controls for managing Federal information resources, and National Institute of Standards and Technology publications require Federal agencies to establish and implement computer security and management and internal controls to ensure the protection of sensitive information in the computer systems of executive agencies.  Also, the Departmental Manual and Departmental policy bulletins require that information systems be secure and that critical business functions and operations performed by Service Center clients continue after a disaster or an emergency.  We found that Service Center management had not ensured that its Business Recovery Plan was adequate and that critical business functions would resume within 3 days after a disaster or an emergency.  As a result, there was an increased risk that the critical business functions of the Service Center and the critical operations of its clients may not be able to fully recover from a disaster or an emergency to resume the critical business functions within the required 3-day time frame required by the Plan.  

Business Recovery Plan

In response to our March 1997 audit report, the Service Center developed a Business Recovery Plan to address recovery of its business functions and operations performed by Service Center clients in the event of a disaster or an emergency.  We found that Service Center management had not ensured that the Plan would be adequate to continue critical business functions and operations in the event of a disaster or an emergency.  Specifically, Service Center management did not ensure that (1) employees assigned responsibility in the Plan to recover critical business functions were trained in their roles and responsibilities to implement the Plan, (2) the Plan was tested, (3) alternate work sites were identified from which the Service Center could conduct its critical business functions, and (4) the Plan was stored at off-site facilities.

- Training.  Service Center management did not ensure that Service Center personnel responsible for critical business functions continuing in the event of a disaster or an emergency were trained in their roles and responsibilities.  The Business Recovery Plan included requirements for training Service Center personnel to ensure that critical business functions would continue after a disaster or emergency.  However, according to Service Center management, training of Service Center personnel was not accomplished because of higher priorities of the Service Center. Without sufficient training before a disaster or an emergency, Service Center personnel could be unprepared to effectively respond to disasters or emergencies.

- Testing.   The Service Center's Business Recovery Plan had not been tested to ensure that the planned procedures for recovering business functions were feasible.  While the Plan required periodic testing, Service Center  management said that they had not established a process to test the Plan because they believed there was no requirement to test the Plan.  As a result, Service Center management had no assurance that critical business functions would be operational after a disaster or an emergency.   Also, the Service Center had little assurance that the Plan's assumptions and procedures would satisfy the Center's recovery needs.


- Alternate Work Sites.   Although the Service Center's computer center has a "hot site" location in case of a disaster or an emergency, the Business Recovery Plan did not identify alternate work sites from which the Service Center could conduct its critical business functions.  Departmental Policy Bulletin 98-001, "Continuity of Operations Planning - Guidance and Schedules," requires that all plans identify "one or more safe sites from which essential functions of the facility/organization can be performed."  According to Service Center management, an alternate  work site would be determined at the time a disaster was declared.  Without identification of specific alternate work sites, Service Center management had little assurance that the chosen site would be capable of supporting staff and systems necessary to conduct the Service Center's critical functions in the event of a disaster or an emergency or that critical functions would be resumed within the required 3 days.

- Storage of the Business Recovery Plan.  We found that copies of the Business Recovery Plan were not maintained at the Service Center's off-site locations.  According to Service Center management and the requirements of the Plan, the Plan was to be kept in electronic and hard copy form at the Center's off-site storage facility. Without access to the Plan at the off-site storage and computer facilities, the Service Center had little assurance that the Plan would be available after a disaster or an emergency.

Recommendations

We recommend that the Director, National Business Center:

1.  Provide training to Service Center personnel who are responsible for the recovery of critical business functions about their roles and responsibilities related to the Center's Business Recovery Plan.

2.  Periodically test the Business Recovery Plan and update the Plan based on the test results.

3.  Identify alternate work sites that would be capable of supporting essential Service Center staff and systems in the event of a disaster or an emergency.

4.  Ensure that copies of the Business Recovery Plan are maintained at the  Center's off-site facilities.

National Business Center Response and Office of Inspector General Reply

In the September 14, 1999, response (Appendix 3) to the draft report from the Director, National Business Center, the Service Center concurred with the four recommendations.  Based on the response, we consider Recommendations 1, 2, and 3 resolved but not implemented and Recommendation 4 resolved and implemented.  Accordingly, the unimplemented recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see Appendix 4). 

Based on this audit, we found, for our March 1997 report, that Recommendations A.1, B.1, C.1, D.1, D.2, D.3, E.1, F.1, F.2, F.3, G.1, H.1, H.2, I.1, I.2, J.1, J.2, K.1, L.1, M.1, N.1, N.2, and O.1 are resolved and implemented and that  Recommendation G.2  is resolved but not implemented.  Accordingly, the updated information on the recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget (see Appendix 1).


Based on this audit, we found, for our August 1997 report, that Recommendations C.1, C.2, C.3,  D.3,  E.1, E.2, and F.1 are resolved and implemented and Recommendations A.1, A.2, B.1, D.1, D.2, D.4, and F.2 are resolved but not implemented. Accordingly, the updated information on these recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget (see Appendix 2).

Since the recommendations contained in this report are considered resolved, no further response to the Office of Inspector General is required (see Appendix 4).

Section 5(a) of the Inspector General Act (Public Law 95-452, as  amended) requires the Office of Inspector General to list this  report in its semiannual report to the Congress.

We appreciate the assistance of Service Center personnel in the conduct of our audit.

APPENDIX 1

SUMMARY OF RECOMMENDATIONS AND 
CORRECTIVE ACTIONS FOR MARCH 1997 AUDIT REPORT
"MAINFRAME COMPUTER POLICIES AND PROCEDURES, DENVER ADMINISTRATIVE SERVICE CENTER,
BUREAU OF RECLAMATION" (No. 97-I-683)


Recommendation
Status of Recommendations and Corrective Actions

A.1.	Require all contractor employees to have proper background clearances.

Implemented.  All contractor employees in the ADP Services Division are required to have background clearances. 

B.1.	Enhance the intruder detection settings to suspend a user account, after unsuccessful access attempts, for a period of time long enough to ensure that the user will have to contact an administrator to have the user identification (ID) reset.

Implemented.  NetWare intruder lockout settings have been modified on all production servers to suspend a user ID for a period of 24 hours after three incorrect log-in attempts have been made within a 24-hour period.
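The lockout behaviour described for B.1 above (three incorrect log-in attempts within 24 hours suspend the user ID for 24 hours) can be checked offline against a stream of log-in attempts.  The following is an added example written for this report summary; it is not part of the OIG report or of the Service Center's NetWare configuration.  The threshold, window, and lockout length are parameters defaulting to the settings stated above, and the attempt log is constructed sample data.

```python
"""Intruder-lockout policy replayed over a constructed log of login attempts.

Added example (not from the OIG report or the Service Center): models the
NetWare setting described in B.1, three failed attempts within a 24-hour
window locking the user ID for 24 hours.  A successful login resets the
failure count; an attempt during an active lockout is rejected even when
the password is correct, which is what forces the user to contact an
administrator.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # failures allowed before lockout
WINDOW = timedelta(hours=24)     # failures older than this are forgotten
LOCKOUT = timedelta(hours=24)    # length of the suspension


def evaluate_attempts(attempts, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
    """Return (decisions, lockouts).

    attempts:  iterable of (timestamp, user_id, password_ok), in time order
               for each user ID.
    decisions: list of (timestamp, user_id, outcome); outcome is one of
               'success', 'failure', 'locked', 'rejected-locked'.
    lockouts:  dict user_id -> list of timestamps at which a lockout began.
    """
    failures = defaultdict(deque)   # recent failure timestamps per user
    locked_until = {}               # user -> end of the current lockout
    lockouts = defaultdict(list)
    decisions = []
    for ts, user, ok in attempts:
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "rejected-locked"))
            continue
        if ok:
            failures[user].clear()
            decisions.append((ts, user, "success"))
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) >= threshold:
            locked_until[user] = ts + lockout
            lockouts[user].append(ts)
            recent.clear()
            decisions.append((ts, user, "locked"))
        else:
            decisions.append((ts, user, "failure"))
    return decisions, dict(lockouts)


# Constructed sample attempts (not real log data).
T0 = datetime(1999, 9, 1, 8, 0)
SAMPLE_ATTEMPTS = [
    (T0, "JSMITH", False),
    (T0 + timedelta(minutes=1), "JSMITH", False),
    (T0 + timedelta(minutes=2), "JSMITH", False),   # third failure: locked
    (T0 + timedelta(minutes=3), "JSMITH", True),    # right password, still rejected
    (T0 + timedelta(hours=25), "JSMITH", True),     # lockout has expired
    (T0, "MJONES", False),
    (T0 + timedelta(hours=10), "MJONES", False),
    (T0 + timedelta(hours=30), "MJONES", False),    # first failure aged out: no lockout
]

if __name__ == "__main__":
    decisions, lockouts = evaluate_attempts(SAMPLE_ATTEMPTS)
    for ts, user, outcome in decisions:
        print(ts.isoformat(), user, outcome)
    print("lockouts:", lockouts)
```

The sliding window matters: MJONES accumulates three failures in total, but only two fall inside any 24-hour period, so under the stated setting the ID is never suspended.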

C.1.	Develop and periodically update a disaster recovery plan for the local area network (LAN).

Implemented.  The LAN Disaster Recovery Plan was completed.

D.1.	Ensure that LAN security and password features are implemented, which will require all users to change passwords every 90 days; enforce unique password use; and limit concurrent multiple or unlimited connections to one per user and grant additional connections on an as-needed basis.

Implemented.  The password change interval has been revised to 90 days or less on all servers. Unique passwords are required for all individual users.  Concurrent multiple connection authority has been removed from all accounts except for those where a demonstrated need exists.

D.2.	Include the "SECURE CONSOLE" command in the AUTOEXEC.NCF file on all file servers to prevent users from gaining access to the system files in DOS mode.

Implemented.  A procedure to secure the console on all Service Center file servers was implemented.  At the monitor console screen, the "LOCK FILE SERVER CONSOLE OPTION" was implemented to lock the system console manually whenever the server is initialized.

D.3.	Ensure that the command "SET ALLOW UNENCRYPTED PASSWORDS=ON" is not present in the AUTOEXEC.NCF file.

Implemented.  All Service Center NetWare servers have been configured to require encrypted passwords.  All Service Center NetWare file servers have been migrated to NetWare Directory Services.

E.1.	Coordinate with the client to limit Service Center users' access to the "least privileged" in the FFS application; that is, assurance should be provided that any user authorized to enter or change the vendor table does not also have access to disbursing documents.

Implemented.  As requested by the Service Center, the client has changed FFS security so that no employee has access to both vendor tables and disbursement documents.

F.1.	Document procedures for the issuance of key cards and require that the procedures be instituted for vendors in addition to contractors and Federal employees.

Implemented.  Procedures for the issuance of card keys for vendors, contractors, and Federal employees have been documented.

F.2.	Evaluate the need for individuals outside of the ADP Services Division to be issued permanent card keys because such access should be limited to those individuals performing their day-to-day duties.

Implemented.  The evaluation has been completed.  Permanent card keys are issued to only those individuals deemed appropriate.

F.3.	Document procedures to ensure the Service Center's compliance with the Department of the Interior Automated Information Systems Handbook regarding visitor (such as maintenance personnel, janitorial staff, and vendors) monitoring.

Implemented.   Procedures for monitoring visitor access to the computer room have been documented in compliance with the Departmental Handbook.

G.1.	Evaluate the feasibility of setting the parameters in Resource Access Control Facility (RACF) security software to require one numeric or special character as part of the password, as recommended by the Bureau's Security Administrator.

Implemented.  Evaluation of using one numeric or special character as part of the Service Center standard password has been completed.  Service Center management, in coordination with its clients, determined that requiring numeric or special characters as part of the password was not feasible.

G.2.	Reevaluate the standard RACF password change intervals and revocation settings to ensure that the level of risk associated with the mainframe applications and the current password settings is acceptable to the Service Center, as well as to its clients and the Department, and address the results in a current risk assessment.

Partially implemented.  The expiration period for passwords has been reduced from 180 days to 90 days.  In addition, the allowable period of inactivity of a user ID has been reduced to 90 days, and inactive user IDs are removed from the system after 1 year of inactivity except for the Social Security Administration.  Procedures for removing Social Security Administration inactive users are still under development because the Social Security Administration was not a Service Center client at the time our recommendation was made.  Thus, the Social Security Administration was not included in initial negotiations to change password intervals.  The target date for full implementation was September 30, 1997, but the date has been changed to September 30, 1999.
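The settings reported for G.2 above (90-day password expiration, 90-day inactivity limit, removal after 1 year of inactivity, with removals for one client's users deferred until a procedure exists) correspond to a user-ID review that a security administrator runs periodically.  The following is an added example, not code from the OIG report or the Service Center; the user records are constructed, and the group name SSAUSERS is a hypothetical stand-in for the client whose removal procedure is still under development.  The RACF commands named in the comments (SETROPTS PASSWORD(INTERVAL(90)) and SETROPTS INACTIVE(90)) are the system-wide options that enforce the first two limits; the one-year removal is a local procedure, not a RACF setting.

```python
"""Periodic RACF user-ID review against the G.2 password and inactivity settings.

Added example (not from the OIG report or the Service Center).  Each user
record is classified by the single most severe action due: remove (or defer
removal for the client whose procedure is pending), revoke, force a password
change, or nothing.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

PASSWORD_INTERVAL_DAYS = 90   # SETROPTS PASSWORD(INTERVAL(90))
INACTIVE_DAYS = 90            # SETROPTS INACTIVE(90): ID revoked after 90 unused days
REMOVE_AFTER_DAYS = 365       # local procedure: delete IDs unused for a year
# Hypothetical group whose removals are deferred until the procedure is agreed.
DEFERRED_GROUPS = {"SSAUSERS"}


@dataclass
class RacfUser:
    userid: str
    default_group: str
    last_password_change: date
    last_access: date


def classify(user: RacfUser, as_of: date) -> str:
    """Return the most severe action due for one user ID on the review date."""
    unused = (as_of - user.last_access).days
    pw_age = (as_of - user.last_password_change).days
    if unused >= REMOVE_AFTER_DAYS:
        return "defer-removal" if user.default_group in DEFERRED_GROUPS else "remove"
    if unused >= INACTIVE_DAYS:
        return "revoke"               # INACTIVE(90) revokes this ID at its next logon
    if pw_age > PASSWORD_INTERVAL_DAYS:
        return "password-expired"     # INTERVAL(90) forces a change at next logon
    return "ok"


def review(users: List[RacfUser], as_of: date) -> Dict[str, List[str]]:
    """Group user IDs by required action for the security administrator."""
    result = {"ok": [], "password-expired": [], "revoke": [], "remove": [], "defer-removal": []}
    for u in users:
        result[classify(u, as_of)].append(u.userid)
    return result


# Constructed sample records (not real user data).
AS_OF = date(1999, 9, 30)
SAMPLE_USERS = [
    RacfUser("ALICE", "DEPT1", date(1999, 8, 1), date(1999, 9, 29)),   # nothing due
    RacfUser("BOB", "DEPT1", date(1999, 5, 1), date(1999, 9, 28)),     # password older than 90 days
    RacfUser("CAROL", "DEPT2", date(1999, 6, 1), date(1999, 6, 15)),   # unused 107 days
    RacfUser("DAVE", "DEPT2", date(1998, 6, 1), date(1998, 8, 1)),     # unused 425 days
    RacfUser("ERIN", "SSAUSERS", date(1998, 6, 1), date(1998, 7, 1)),  # unused, removal deferred
]

if __name__ == "__main__":
    for action, ids in review(SAMPLE_USERS, AS_OF).items():
        print(f"{action:17} {', '.join(ids) or '-'}")
```

Ordering the checks from most to least severe keeps the review output actionable: an ID that is both inactive for a year and carrying an old password appears once, under "remove", rather than in every list.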

H.1.	Evaluate the feasibility of limiting the number of Service Center users who have access authority to alter System Management Facility (SMF) logs.

Implemented.	Evaluation has been completed.  This authority has been limited to three senior-level system programmers who work in the System Software Management Branch.

H.2.	Ensure that the SMF  record type 60 logging is active or  RACF settings are adjusted to specifically audit critical datasets maintained on the mainframe computers and to therefore provide an audit trail of system activity.

Implemented.	Batch and time sharing option (TSO) type 60 records are written to the SMF log.  Type 60 record collection has been activated for "started tasks" as well.

I.1.	Evaluate the extent to which the "OPERATIONS" attribute should be available to Service Center user IDs.  Specifically, the use of other more restrictive RACF authorities (such as DASDVOL authority) should be considered where possible.

Implemented.	An evaluation has been completed.  Assignment of the OPERATIONS attribute has been restricted to employees who need the attribute to perform their duties.

I.2.	Activate the security feature RACF OPERAUDIT and ensure that security personnel perform periodic reviews of the resultant logs to identify unauthorized activity.

Implemented.  The feature OPERAUDIT has been activated, and the resultant logs will be reviewed on a quarterly basis by the Service Center's Computer Security Manager.

J.1.	Ensure that the group responsible for monitoring security performs periodic reviews of user access levels to identify necessary changes and to ensure that user access levels are authorized.

Implemented.  The identification of critical datasets has been completed.  Additionally, a requirement has been established to perform periodic reviews of the critical datasets and users' access levels to ensure that the access levels are authorized.

J.2.	Institute a policy of "least privileged" access levels to ensure that access to resources and data is limited to those users who require such access.

Implemented.  A policy of "least privileged" access has been established.

K.1.	Evaluate the staffing requirements of the group responsible for monitoring security to ensure the separation of duties within RACF.

Implemented.  The ADP Services Division has completed the evaluation and has identified adequate staffing within the Division for accomplishing the separation of the security administration and auditing functions.  The security administration function will be maintained with the same staffing levels.  The security auditing function will be placed within a quality management function in the Division's Information Resources Management and Customer Service Branch.

L.1. 	Document and implement procedures to ensure that Decentralized Security Administration Facility records are updated for oral access adjustments to allow for the reconciliation of access requested with access allowed.

Implemented.  While the Service Center disagreed with the recommendation, it has modified existing policy and procedures to ensure that Decentralized Security Administration Facility records are updated.

M.1.	Provide resources to ensure the development of a computer security plan for the sensitive systems in accordance with the Computer Security Act and Circular A-130, Appendix III.

Implemented.  A computer security plan for 1997 was developed and submitted to the Department of the Interior's Office of Information Resources Management.

N.1.	Perform a risk analysis of the Service Center's computer center and its applications.

Implemented.  A risk analysis of the computer center has been completed.

N.2.	Update the existing Continuity of Operations Plan for the mainframe, sensitive applications, and telecommunications links so that the current operating environment is documented.

Implemented.  The Continuity of Operations Plan has been updated for the mainframe, sensitive applications, and telecommunications links.

O.1.	Develop a comprehensive business recovery plan, which includes procedures for its business functions.

Implemented.  A business recovery plan was completed in March 1998.  We evaluated the plan as part of this audit and determined that the plan needed improvements to be effective.

APPENDIX 2

SUMMARY OF RECOMMENDATIONS AND 
CORRECTIVE ACTIONS FOR AUGUST 1998 AUDIT REPORT
"MAINFRAME COMPUTER POLICIES AND PROCEDURES, DENVER ADMINISTRATIVE SERVICE CENTER, BUREAU OF RECLAMATION" (No. 98-I-623)

Recommendation
Status of Recommendations and Corrective Actions

A.1.  Develop and implement policies and procedures which require contractor employees who fill ADP-related sensitive or critical positions to have documented suitability screening and proper background investigations and appropriate security clearances.

Partially implemented.  The Service Center  developed a draft policy documenting security clearances and background investigations for contractor personnel.  This policy will be reviewed by Service Center management and the labor bargaining unit for changes and approval.  The target date for full implementation was scheduled to be March 1, 1999; however, the target date has been changed to April 1, 2000.



A.2.	Evaluate the position sensitivity of ADP-related positions, assign position sensitivity levels in accordance with the Departmental Manual, and ensure that those employees working on sensitive systems have the proper background investigations and security clearances before they are assigned to the positions.

Partially implemented. A draft policy requiring security clearances and background checks has been completed and is undergoing Service Center management review.  Position sensitivity evaluations, background investigations, and security clearances have been requested for Service Center employees in the ADP and FPPS Divisions.  However, the local labor bargaining unit has challenged the recommendation for other employees.  The target date for completing clearances for ADP and FPPS Division employees is April 1, 2000.

B.1.	Evaluate the feasibility of centralizing the process of moving changes to software from the test environment to the production environment and using standardized software tools to control the software change process and of centralizing mainframe computer production scheduling.

Not implemented.  The Service Center will perform a feasibility study of employing a centralized change management process.  The target date for completing the study is October 1, 1999.

C.1.	Require that FPPS software changes be adequately reviewed and approved before the changes are implemented.

Implemented.  The Service Center has developed FPPS standard operating procedures that require software changes to  be approved by management, to be made in a dedicated test environment, to be tested and approved for production by staff not involved in the programming of the change, and to be moved to production by the FPPS Database Administrative staff.

C.2.	Implement procedures to ensure that all software changes to the FPPS application are properly documented.

Implemented.  The Service Center has developed FPPS standard operating procedures that require software changes to be fully documented on a change request form or problem report form.

C.3.	Implement the available library control software when corrected to ensure adequate documentation of the FPPS application.

Implemented. The available library control software was being tested.  The FPPS Division has established standard operating procedures to ensure adequate documentation of the FPPS application.  We believe that this operating procedure meets the intent of the recommendation. 

D.1.	Evaluate current ADP Services Division procedures and determine the feasibility of implementing controls in the change management process over operating system software to ensure that adequate separation of duties is addressed and complied with.

Partially implemented.  The ADP Services Division has evaluated the feasibility of implementing controls in the change management system over operating system software.  The Division is awaiting a decision by Service Center management.  The target date for the decision by Service Center management is October 1, 1999.

D.2.	Develop procedures and implement controls to ensure that changes to the operating system parameters are identified, approved by ADP Services Division management, and documented.


Not implemented.  The Service Center will identify and develop procedures and controls to ensure that changes to the operating system parameters are identified and approved by ADP Services Division management.  The target date for the developed procedures is April 1, 2000.

D.3.	Develop procedures requiring periodic reviews of critical datasets and system parameters.

Implemented.  The Service Center  developed policies and procedures that require a periodic review of critical datasets and system parameters, and all critical datasets have been identified.

D.4.	Evaluate implementing available capabilities in the current change control software tool to more effectively control changes to the operating system software.

Partially implemented.  The Service Center is evaluating the capabilities of the change control software and is identifying the change process to be used, the process for the changes, and resources necessary to manage and document the changes to the operating system software.  The target date for completing the evaluation is October 1, 1999.

E.1.	Evaluate acquiring system verification and auditing software.

Implemented.  The Service Center has  evaluated several tools that are available on the market.  In addition, the Service Center had an independent review of the ADP Services Division and of the need for system verification and auditing software. As a result, the Service Center has acquired system verification and auditing software.

E.2.	Develop and implement procedures to ensure that periodic reviews are performed of the SYSLOG and critical SMF logs to identify unauthorized or inappropriate activities and that unauthorized or inappropriate activities are reported to Service Center management.

Implemented.  The Service Center developed and implemented procedures for reviewing the SYSLOG and critical SMF logs.

F.1.	Evaluate the feasibility of using the APFTAB option, thus providing additional assurance that only approved libraries would run in the APF-authorized state.

Implemented.  The Service Center evaluated the feasibility of using the APFTAB option.  The Service Center concluded that the APFTAB option was not needed to provide additional assurance that only approved libraries ran in the APF-authorized state.  The Service Center believes the standards and controls in place provide adequate assurance.  It is an ADP standard that no user libraries will be added to the LINKLST.  Only system libraries maintained by the ADP Services Division reside in the LINKLST.
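The SYSLOG review required by E.2 above is, in practice, largely a matter of reassembling RACF's multi-line ICH408I access-violation messages and deciding which of them management needs to see.  The following is an added example, not code from the OIG report or the Service Center; the SYSLOG excerpt is constructed sample data in the general shape of the real message (ICH408I is the RACF message issued on an access violation, and IEF125I is an ordinary logon message included so that the parser has unrelated traffic to skip), and the list of critical dataset prefixes and the reporting threshold are assumptions made for the example.

```python
"""Review of ICH408I access-violation messages in a SYSLOG excerpt.

Added example (not from the OIG report or the Service Center).  Reassembles
the multi-line ICH408I messages, extracts who tried to access what with
which intent, and summarizes the items a reviewer would escalate.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed SYSLOG excerpt: "hh.mm.ss jobid text", continuation lines indented.
SYSLOG_SAMPLE = """\
09.12.01 JOB01234  ICH408I USER(JSMITH  ) GROUP(DEPT1   ) NAME(J. SMITH            )
09.12.01 JOB01234    SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
09.12.01 JOB01234    INSUFFICIENT ACCESS AUTHORITY
09.12.01 JOB01234    FROM SYS1.** (G)
09.12.01 JOB01234    ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
09.15.44 TSU00042  IEF125I JSMITH - LOGGED ON - TIME=09.15.44
09.20.10 JOB01240  ICH408I USER(MJONES  ) GROUP(DEPT2   ) NAME(M. JONES            )
09.20.10 JOB01240    PAYROLL.MASTER CL(DATASET ) VOL(PAY001)
09.20.10 JOB01240    INSUFFICIENT ACCESS AUTHORITY
09.20.10 JOB01240    FROM PAYROLL.** (G)
09.20.10 JOB01240    ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
09.41.03 JOB01251  ICH408I USER(JSMITH  ) GROUP(DEPT1   ) NAME(J. SMITH            )
09.41.03 JOB01251    SYS1.PROCLIB CL(DATASET ) VOL(SYSRES)
09.41.03 JOB01251    INSUFFICIENT ACCESS AUTHORITY
09.41.03 JOB01251    FROM SYS1.** (G)
09.41.03 JOB01251    ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

CRITICAL_PREFIXES = ("SYS1.", "PAYROLL.")   # assumed critical datasets for the example
REPORT_THRESHOLD = 2                        # users with this many violations are listed

LINE_RE = re.compile(r"^(\d\d\.\d\d\.\d\d)\s+(\S+)\s+(.*)$")
MSGID_RE = re.compile(r"^[A-Z]{2,4}\d{3,5}[A-Z]\b")        # any z/OS message ID starts a message
USER_RE = re.compile(r"USER\(([^)]*)\)")
GROUP_RE = re.compile(r"GROUP\(([^)]*)\)")
RESOURCE_RE = re.compile(r"^(\S+)\s+CL\((\w+)\s*\)")
INTENT_RE = re.compile(r"ACCESS INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")


@dataclass
class Violation:
    time: str
    user: str
    group: str
    resource: str = ""
    resource_class: str = ""
    intent: str = ""
    allowed: str = ""


def parse_violations(syslog_text: str) -> List[Violation]:
    """Reassemble multi-line ICH408I messages into one Violation each."""
    violations: List[Violation] = []
    current = None
    for raw in syslog_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        time, _jobid, text = m.groups()
        if MSGID_RE.match(text):                 # a new message begins; close the old one
            if current is not None:
                violations.append(current)
            current = None
            if text.startswith("ICH408I"):
                user, group = USER_RE.search(text), GROUP_RE.search(text)
                current = Violation(time, user.group(1).strip() if user else "?",
                                    group.group(1).strip() if group else "?")
            continue
        if current is None:                      # continuation of a message we ignore
            continue
        r = RESOURCE_RE.match(text)
        if r and not current.resource:
            current.resource, current.resource_class = r.group(1), r.group(2)
        i = INTENT_RE.search(text)
        if i:
            current.intent, current.allowed = i.group(1), i.group(2)
    if current is not None:
        violations.append(current)
    return violations


def summarize(violations, critical_prefixes=CRITICAL_PREFIXES, threshold=REPORT_THRESHOLD) -> Dict:
    """Per-user counts plus the items to escalate to Service Center management."""
    per_user = defaultdict(list)
    for v in violations:
        per_user[v.user].append(v)
    return {
        "counts": {u: len(vs) for u, vs in per_user.items()},
        "critical": [(v.user, v.resource, v.intent) for v in violations
                     if v.resource.startswith(critical_prefixes)],
        "repeat_offenders": sorted(u for u, vs in per_user.items() if len(vs) >= threshold),
    }


if __name__ == "__main__":
    print(summarize(parse_violations(SYSLOG_SAMPLE)))
```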

F.2.	Perform periodic reviews of all members used to define the APF-authorized libraries to ensure that only those members required to run in the APF-authorized state are given this authority.

Not implemented.  The Service Center will develop procedures for review of members used to define the APF-authorized libraries.  The target date for implementation of the reviews was October 1, 1998, but the date has been changed to October 1, 1999.
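The periodic review called for in F.2 above amounts to comparing the APF list a system actually builds from its parmlib member with the list management has approved.  The following is an added example, not code from the OIG report or the Service Center: it replays the APF ADD and APF DELETE statements of a constructed PROGxx member in order (the z/OS PROGxx format) to obtain the effective list, then reports entries that were never approved and approved entries that have disappeared.  The member text and the approved baseline are constructed sample data; the APFTAB option discussed under F.1 is not modelled.

```python
"""APF-authorized library review: effective PROGxx list versus approved baseline.

Added example (not from the OIG report or the Service Center).  Statements
are processed in member order, so a later DELETE removes an earlier ADD,
which is why the comparison must be made against the replayed result and
not against a simple grep for ADD statements.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed PROGxx member (sample only, not the Service Center's parmlib).
PROGXX_SAMPLE = """\
/* PROG01 - APF list (constructed sample)                              */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB)     VOLUME(SYSRES)
APF ADD DSNAME(SYS1.LPALIB)      VOLUME(SYSRES)
APF ADD DSNAME(SYS2.VENDOR.LOAD) VOLUME(VENDOR)
APF ADD DSNAME(USER.TEST.LOAD)   SMS        /* added for a test, never removed */
APF DELETE DSNAME(SYS2.VENDOR.LOAD) VOLUME(VENDOR)
"""

# Approved baseline of (dataset, volume); "SMS" stands for an SMS-managed dataset.
APPROVED_BASELINE: Set[Tuple[str, str]] = {
    ("SYS1.LINKLIB", "SYSRES"),
    ("SYS1.LPALIB", "SYSRES"),
    ("SYS1.MIGLIB", "SYSRES"),
}

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
APF_RE = re.compile(
    r"APF\s+(ADD|DELETE)\s+DSNAME\(([^)]+)\)\s+(?:VOLUME\(([^)]+)\)|(SMS))",
    re.I,
)


def parse_apf_list(member_text: str) -> Set[Tuple[str, str]]:
    """Replay ADD/DELETE statements to produce the effective APF list."""
    effective: Set[Tuple[str, str]] = set()
    text = COMMENT_RE.sub(" ", member_text)       # strip /* ... */ comments first
    for m in APF_RE.finditer(text):
        action, dsn, vol, sms = m.groups()
        entry = (dsn.strip().upper(), (vol or sms).strip().upper())
        if action.upper() == "ADD":
            effective.add(entry)
        else:
            effective.discard(entry)
    return effective


def review_apf(effective: Set[Tuple[str, str]],
               baseline: Set[Tuple[str, str]] = APPROVED_BASELINE) -> Dict[str, List[Tuple[str, str]]]:
    """Report drift between the effective list and the approved baseline."""
    return {
        "unapproved": sorted(effective - baseline),    # authorized, but never approved
        "missing": sorted(baseline - effective),       # approved, but no longer authorized
        "approved_present": sorted(effective & baseline),
    }


if __name__ == "__main__":
    for key, entries in review_apf(parse_apf_list(PROGXX_SAMPLE)).items():
        print(key)
        for dsn, vol in entries:
            print(f"    {dsn:30} {vol}")
```

An "unapproved" entry is the finding F.2 is aimed at: a library that runs authorized without anyone having signed off on it.  A "missing" entry is also worth a look, since it means the approved baseline and the live system have diverged without the review noticing.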



APPENDIX 4

STATUS OF AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation Reference:  1, 2, and 3
Status:                            Resolved; not implemented.
Action Required:                   No further response to the Office of Inspector General is required.  The recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.

Finding/Recommendation Reference:  4
Status:                            Implemented.
Action Required:                   No further action is required.