oversight

Report 2003-005-MIS - Assessment Equal Employment Opportunity Commission - Integrated Mission System

Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2005-09-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                    U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION
                                       P.O. Box 18858
                                  Washington, DC 20036-8858

Office of
Inspector General

                                        September 30, 2005


    MEMORANDUM

    TO              :    Sallie Hsieh, Director
                         Office of Information Technology

    FROM            :    Aletha L. Brown
                         Inspector General

    SUBJECT         :    Final Report of OIG Report, No. 03-06-MIS,
                         Assessment: EEOC Integrated mission System


    Attached is the Office of Inspector General (OIG) final report on the above subject matter.
    We appreciate your assistance and cooperation in conducting this review.

    Thank you for your draft report comments. They resulted in several changes to the report.
    Your comments are included, in their entirety, as Appendix I. If you have any questions
    regarding the final report, please contact Gregory Frazier, Management Analyst, at 663-4373
    or Gregory.Frazier@eeoc.gov.

    Thank you again for your assistance and cooperation during our assessment.


    Attachment
    c:    Angelica Ibarguen, Director
          Office of Human Resources

            Jeffrey Smith, Director
            Office of Chief Financial Officer
                OFFICE OF INSPECTOR GENERAL
                            Assessm ent
  Equal Employment Opportunity Comm ission - Integrated Mission System
                   OIG Report Number: 03-06-MIS
                         Sensitive Document
                            Final Report


Introduction

The Federal Information Security Management Act (FISMA) of FY-2002 requires that
every year each agency perform an independent evaluation of the information security
program and practices of that Agency to determine the effectiveness of the program
and practices. Under this Act, the Inspector General, or independent external auditor
as determined by the Inspector General, shall test the effectiveness of information
security policies, procedures, and practices of a representative subset of agency
systems.

FISMA also requires that the National Institute of Science and Technology (NIST):
(1) develop standards, guidelines, and associated methods and techniques for
information systems; (2) develop standards and guidelines, including minimum
requirements, for information systems used or operated by an agency, or by a
contractor of an agency, or other organization on behalf of an agency, other than
national security systems; and (3) develop standards and guidelines, including
minimum requirements, for providing adequate information security for all agency
operations and assets.

One of the standards developed by NIST to aid agencies in performance of their
information security responsibilities is the NIST Special Publication 800-26, Self-
Assessment Guide for Information Technology Systems. This special publication
provides a method for agencies to determine the current status of their information
security programs and, where necessary, establish a target for improvement. The
guide is a compendium of documents that address information security (such as: OMB
Circular A-130, Transmittal Four, Appendix III; NIST Special Publication 800-18,
Guide for Developing Security Plans for Information Technology Systems; and
Government Accountability Office, Federal Information Security Controls Audit
Manual).

Purpose, Scope, and Methodology

Using the NIST Special Publication 800-26, Self-Assessment Guide for Information
Technology Systems as our primary evaluation tool, the Office of Inspector General
(OIG) conducted an assessment of the Agency's Integrated Mission System (IMS).
The purpose of our assessment was to test the effectiveness of information security
policies, procedures, and practices used to secure IMS.

The Integrated Mission System (IMS) was designed and developed by the Equal
Employment Opportunity Commission, Office of Information Technology (OIT), in
consultation with the Office of Field Programs, the Office of General Counsel, the
Assessment - Integrated Mission System                  OIG Report Number: 03-06-MIS


Office of Federal Operations, and the Office of Research, Information, and Planning.
IMS was deployed during FY-2003 and consolidates and replaces several EEOC
database systems including the Charge Data System (CDS), the Automated Outreach
System, and the Litigation Tracking System. IMS provides an integrated database
application to support intake, mediation, investigation, state and local contract
processing, outreach, and litigation.

In order for OIG to make its assertion regarding the completeness of IMS’s security
controls, we reviewed the system’s risk assessment, security plan, as well as other
documents relating to information security. OIG also interviewed individuals from
the Office of Information Technology, Office of Human Resources and the Office of
Chief Financial Officer and Administrative Services to obtain additional information
about security controls that affect IMS. OIG reviewed 260 information system control
items identified in the NIST Special Publication 800-26, Self-Assessment Guide for
Information Technology Systems.

OIG’s primary fieldwork was performed from November 2003 through August 2004.
We did followup work in January 2005. All work regarding this assessment was
conducted in accordance with the Comptroller General’s Government Auditing
Standards, (2003 Revision).

On March 30, 2005, the Office of Inspector General issued a draft report outlining
findings and recommendations based upon our assessment of the Agency’s Integrated
Mission System. On April18, 2005 the Office of Information Technology issued its
comments concerning OIG’s draft report. OIT’s comments have been incorporated
into this report and a copy of the OIT’s comments are affixed to this report as an
attachment.

Findings and Recommendations

Overall, OIG found that the Integrated M ission System's security controls were
adequate, however some improvements could be made to better secure this system.
Based on the results of our assessment, the following are OIG's findings and
recommendations. These findings and recommendations relate to controls referenced
in the NIST Special Publication 800-26:


1.     Has a “Rules of Behavior” document been established and signed by
       users?

Finding
OIT has not developed an IM S “Rules of Behavior” document that is specific to
IMS and m ade available to every user prior to receiving access to the system and
made available to every user prior to receiving authorization for access to the
system. OMB Circular A-130, Transmittal Four, Appendix III requires the
establishment of a set of rules concerning use of and behavior within the application.
The rules shall be as stringent as necessary to provide adequate security for the
application and the information in it. Such rules shall clearly delineate responsibilities

                                                                                        2
     Assessment - Integrated Mission System                            OIG Report Number: 03-06-MIS


     and expected behavior of all individuals with access to the application. In addition,
     the rules shall be clear about the consequences of behavior not consistent with the
     rules. Although the IMS Security Plan addresses behavior in general, the plan does
     not provide for a mechanism to ensure that all employees have been made aware, and
     acknowledge their awareness, of the specific “Rules of Behavior” related to IMS.
     NIST Special Publication 800-18, Guide for Developing Security Plans for
     Information Technology Systems states that the rules of behavior should be specific
     to each system and made available to every user prior to receiving authorization for
     access to the system. It is recommended that the rules contain a signature page for
     each user to acknowledge receipt.

     Recommendation 1:
     OIG recommends that the Director, Office of Information Technology develop a
     specific “Rules of Behavior” document, that all users 1 of IMS are required to read, in
     which they acknowledge their understanding of what they have read and sign it either
     electronically or manually prior to being granted access to IMS.

     OIT Response
     The first finding indicated for this item, “OIT has not developed an IMS Rues of
     Behavior document” is incorrect. OIT does have a “Rules of Behavior” document for
     the Integrated Mission System (IMS). It has been available through the IMS On-Line
     Help System since August 2003.

     As part of a scheduled May 2005 IMS software release, OIT will implement a process
     by which users will be asked to read and electronically acknowledge their
     understanding of the IMS “Rules of Behavior” prior to being granted access to IMS.

     OIG Response
     OIG reviewed the home page for IMS, http://imse0.eeoc.gov/, as well as, the IMS
     Case Private Sector Charge Management - Version 2.2.0 and Federal Complaint
     Management - Version 2.1.0 login pages and found no evidence of on-line help or
     rules of behavior prior to being granted access to IMS. We have modified the
     language in our finding to reflect that OIT does have a Rules of Behavior document,
     however it is not provided to the user prior to being granted access to IM S.



     2.       Are mechanisms in place for holding users responsible for their
              actions?

     Finding:
     OIG found that while the IMS Security Plan addresses behavior, it does not
     adequately address the specific consequences concerning non-compliance. OMB
     Circular A-130, Transmittal Four, Appendix III requires the establishment of a set of



1. This shall include all new employees, during orientation, and any current employees for whom OIT does not have
a written acknowledgment on record.

                                                                                                            3
Assessment - Integrated Mission System                 OIG Report Number: 03-06-MIS


rules concerning use of and behavior within the application. The rules shall be as
stringent as necessary to provide adequate security for the application and the
information in it. Such rules shall clearly delineate responsibilities and expected
behavior of all individuals with access to the application. In addition, the rules shall
be clear about the consequences of behavior not consistent with the rules. For
example the NIST Special Publication 18, Guide for Developing Security Plans for
Information Technology Systems, Appendix A -Rules of Behavior, Major Applications
specifies that:

       Non-compliance of these rules will be enforced through
       sanctions commensurate with the level of infraction. Actions
       may range from a verbal or written warning, removal of system
       access for a specific period of time, reassignment to other
       duties, or termination, depending on the severity of the violation.

Recommendation 2:
OIG recommends that the Director, Office of Information Technology place language
within the IMS Security Plan that details in addition to rules of expected behavior,
specific consequences of non-compliance with the guidelines.

OIT Response
Per OIG’s recommendation, OIT will add the suggested wording into the applicable
section of the IMS System Security Plan. The IMS “Rules of Behavior” document
will likewise be modified to incorporate this wording.

OIG Response
OIG concurs.


3.     Is appropriate background screening for assigned positions completed
       prior to granting access to IMS?

Finding:
OIG found that a number of EEOC employees (federal employees and non-
federal contract employees) who currently access IMS have not had an
appropriate background screening prior to being granted access to IM S. The
Government Accountability Office - Federal Information Security Controls Audit
Manual (FISCAM) states that the security plan should include policies related to the
security aspects of hiring, terminating, and transferring employees and assessing their
job performance. Procedures that should generally be in place include hiring
procedures including contacting references; and background investigations and
periodic re-investigations performed at least once every 5 years (consistent with the
sensitivity of the position per criteria from the Office of Personnel Management).

Regarding background screening, OMB Circular A-130 Transmittal Four states, “for
most major applications, management controls such as individual accountability
requirements, separation of duties enforced by access controls, or limitations on the
processing privileges of individuals, are generally more cost-effective personnel

                                                                                      4
Assessment - Integrated Mission System                OIG Report Number: 03-06-MIS


security controls than background screening. Such controls should be implemented
as both technical controls and as application rules. For example, technical controls to
ensure individual accountability, such as looking for patterns of user behavior, are
most effective if users are aware that there is such a technical control. If adequate
audit or access controls (through both technical and non-technical methods) cannot
be established, then it may be cost-effective to screen personnel, commensurate with
the risk and magnitude of harm they could cause.”

Recommendation 3:
OIG recommends that the Director, Office of Information Technology coordinate with
the Director, Office of Human Resources (OHR) to identify (at minimum) those
individuals (both federal as well as contracted employees) whose job functions allow
them access to modify critical information or information system programming.
Background screening for these employees should be conducted before the end of the
fifth year of system operation or by the end of FY-2008.

OIT Response
OIT will continue to work with OHR to conduct background screening of federal
employees and contractors consistent with the requirements of OMB Circular A-130
Appendix III, Part B.B.2)c). Completion of this requirement is pending available
resources.

OIG Response
While OIG concurs with OIT’s response, we must stress the importance of conducting
background screenings (at minimum) on those individuals (both federal as well as
contracted employees) whose job functions allow them access to modify critical
information or information system programming.

This will provide assurances that IMS and the information that resides in it is
adequately protected against potential misuse.


4.     If encryption is used, does it meet federal standards?

Finding:
The encryption standard used in IMS does not meet federal encryption
standards. OIG reviewed the IMS Security Plan and found that the plan stated that
traffic between the forms server client (the client desktop and browser) and the
Windows NT web server is encrypted, by default, using 40-bit RC4 encryption.
According to the NIST Federal Information Processing Standards (FIPS) there are
four federally approved encryption algorithms which are AES, Triple DES, DES,
Skipjack. RC4 is not an approved federal encryption standard.


Recommendation 4:
OIG recommends that the Director, Office of Information Technology change the
encryption standard currently used by IMS between the forms server client (the client
desktop and browser) and the Windows NT to meet an encryption standard approved

                                                                                     5
Assessment - Integrated Mission System                OIG Report Number: 03-06-MIS


by NIST.

OIT Response
OIT is in the process of changing the IMS encryption standard to an encryption
standard approved by NIST. As referenced in NIST draft publications SP800-52, the
TLS protocol is the only approved protocol for protecting Federal data.

OIT implemented a TLS protocol to the Internet Explorer (IE) web browser agency-
wide when all EEOC desktops were upgraded to the Microsoft XP operating system.
The installed browser, IE 6.0.28, SP1, is configured with 128-bit encryption capability
by default.

OIT is in the process of migrating all IMS web services from Microsoft NT 4.0 to
Windows 2000 servers. According to NIST draft publication SP800-52, Apache is
currently the only web application capable of meeting the RSA needs in the TLS
protocol (for both clients and servers). Apache has been implemented on the IMS
web servers used by EEOC. When IMS is ready to be deployed to FEPAs, the TLS
protocol will be implemented on those IMS web servers to be accessed by FEPAs (via
the Internet) along with implementation of Verisign certificates.

OIG Response
OIG concurs.


Conclusion and Recommendations

During the assessment of the Integrated M ission System (IMS), OIG reviewed and
tested 260 separate information system control items as described in NIST Special
Publication 800-26, Self-Assessment Guide for Information Technology Systems.
Based upon the final results of our testing, we conclude that, overall, the Office of
Information Technology has adequately developed and deployed the appropriate
information security controls to ensure the security of information that resides in the
Agency’s Integrated Mission System. To further improve OIT’s ability to secure IMS
from potential harm, OIG recommends that the Director, Office of Information
Technology:

1.     Require acknowledgment of “Rules of Behavior” prior to being granted access
       to IMS;

2.     Develop specific consequences regarding non-compliance to stated rules of
       behavior; and

3.     Ensure that an approved FIPS algorithm is used to encrypt Agency
       information.

Since the Director of OIT has no control over the Agency’s Suitability Program or
the funds for background investigations, OIG recommends to the Director of the
Office of Human Resources and the Director of the Office of Chief Financial Officer

                                                                                     6
Assessment - Integrated Mission System                OIG Report Number: 03-06-MIS


and Administrative Services to:

4.     Conduct background screening of IMS users before the end of the fifth year
       of system operation or by the end of Fiscal Year 2008.


Audit Followup

The Office of Management and Budget issued Circular Number A-50, Audit
Followup, to ensure that corrective action regarding audit findings and
recommendations proceed as rapidly as possible. EEOC Order 192.002, Audit
Followup Program, implements Circular Number A-50 and requires that for resolved
recommendations, a corrective action work plan should be submitted within 30 days
of the final audit report date describing specific tasks and completion dates necessary
to implement audit recommendations. Circular Number A-50 requires prompt
resolution and corrective action on audit recommendations. Resolution should be
made within six months of final report issuance.




                                                                                     7