oversight

Review of Selected FHA Major Applications' Information Security Controls

Published by the Department of Housing and Urban Development, Office of Inspector General on 2008-06-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                             Issue Date:
                                                                June 12, 2008
                                                              Audit Case Number
                                                                2008-DP-0004




TO:         Brian D. Montgomery, Assistant Secretary for Housing – Federal Housing
              Commissioner, H
            Mike Milazzo, Acting Chief Information Officer, Q

                   /s/
FROM:       Dorothy Bagley, Acting Director, Information Systems Audit Division, GAA

SUBJECT: Review of Selected FHA Major Applications’ Information Security Controls



                                   HIGHLIGHTS

 What We Audited and Why

             We audited the Federal Housing Administration’s (FHA) management of its
             information technology resources and compliance with U.S. Department of
             Housing and Urban Development (HUD) and other federal information security
             requirements. Our overall objective was to determine whether FHA effectively
             managed security controls relating to its information technology resources. This
             audit supported our financial statement audits of FHA and HUD as well as our
             annual Federal Information Security Management Act review.


 What We Found
             FHA did not (1) fully implement required security controls related to personnel
             security, user access, and audit log management for the Single Family Insurance
             System - Claims Subsystem; (2) define or implement adequate security controls
             over its business partners that develop, store, and process HUD data; and (3) have
             assurance that mandatory security controls had been implemented and follow the
             federal information security framework.
           We also found that the HUD Office of the Chief Information Officer did not
           follow its own policy on performing security impact assessments when significant
           changes were made to a system.

What We Recommend


           We recommend that FHA and HUD incorporate the federal information security
           program framework into their management processes so that security assessments,
           continuous monitoring, personnel security, and appropriate access to systems and
           data are assured.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-3.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.


Auditee’s Response


           The complete text of the auditee’s response, along with our evaluation of that
           response, can be found in appendix A of this report.




                                            2
                            TABLE OF CONTENTS

Background and Objectives                                                         4

Results of Audit
                                                                                  5
      Finding 1: Weaknesses Existed in Security Controls for the Single Family
      Insurance System - Claims Subsystem

      Finding 2: FHA Did Not Define or Implement Adequate Security Control        10
      Requirements over Business Partner Development, Processing, or Storage of
      Single-Family Mortgage Data

      Finding 3: FHA Did Not Have Assurance That Mandatory Security Controls      13
      Had Been Implemented

      Finding 4: HUD OCIO Did Not Follow Its Own Policy on Performing Security    18
      Impact Assessments When Significant Changes Were Made

Scope and Methodology                                                             22

Internal Controls                                                                 23

Follow-up on Prior Audits                                                         24

Appendixes

   A. Auditee Comments and OIG’s Evaluation                                       26




                                             3
                       BACKGROUND AND OBJECTIVES

The Federal Housing Administration (FHA) provides mortgage insurance on loans made by
FHA-approved lenders throughout the United States and its territories. FHA has developed a
number of information systems to support its mortgage insurance and related program activities.
We recently evaluated 25 of FHA’s major information systems and issued an audit report on the
information security weaknesses identified. 1

The Federal Information Security Management Act of 2002 (FISMA) provides a
“comprehensive framework” to ensure that agency information security controls support and
protect federal operations and their assets. Compliance with FISMA entails an active
management of organizational risk and is the key element in the organization’s compliance with
the federal information security program framework. The information security framework
guides the selection of appropriate security controls for an information system—the security
controls necessary to protect individuals and the operations and assets of the organization. The
guidance provided in FISMA details the agency’s responsibilities to protect against unauthorized
use of information that could harm information collected on behalf of the agency. We used
FISMA’s requirements as the basis in developing our methodology for performing this audit.

Our overall objective was to determine whether FHA’s information system security controls had
been fully implemented for selected FHA applications. The criteria that we used during our
audit included information security circulars issued by the Office of Management and Budget,
FISMA, and publications by the National Institute of Standards and Technology.




1
 Audit Report No. 2008-DP-0002, “Review of FHA Controls over Its Information Technology Resources,” dated
October 31, 2007.


                                                    4
                                 RESULTS OF AUDIT

Finding 1: Weaknesses Existed in Security Controls for the Single
Family Insurance System - Claims Subsystem
Key personnel within FHA (1) did not enforce personnel security policies and ensure that
appropriate background investigations were completed for employees and contractors for the Single
Family Insurance System - Claims Subsystem, (2) gave excessive access rights and access to data
beyond employees’ and contractors’ job requirements, and (3) did not establish an effective audit
log management and monitoring process. FHA officials indicated that they either did not realize the
need to have background investigations or assumed that information technology (IT) developers’
background investigations had been properly completed. Further, FHA had not implemented
effective processes for managing and monitoring system access privileges and audit logs. Without
adequate background checks, access rights assignment, and audit log management, FHA did not
operate the Claims Subsystem in accordance with federal information security requirements. As a
result, the data processed within the Claims Subsystem were not adequately protected.


The Claims Subsystem is one of HUD’s mission-critical systems. This major application is used by
HUD headquarters and field office personnel, external government agencies, and business partners
to electronically submit and process claims for single-family mortgage insurance benefits. The
system processes approximately 178,000 claims per year. Payment schedules averaging $25-$30
million per day are transmitted to the U.S. Treasury, with total single-family mortgage insurance
benefit payments exceeding $6 billion per year.




 Appropriate Background
 Checks Were Not Performed

               FHA employees and contractors did not always have a background investigation
               or the appropriate background investigation. HUD Personnel Security Handbook
               732.2, REV-1, section 4-5B, states, “every HUD employee and every contractor
               working on behalf of HUD has, on record, no less than National Agency Check
               and Inquiries (NACI). For those with above-read access to financial systems or
               other systems designated by the Department a Limited Background Investigation
               is required.” In addition, the matrix for background investigations for financial
               systems in appendix A of the handbook indicates that the developer and project
               lead should have a limited background investigation, while supervisors of
               moderate risk systems and system/security administrators should have a
               background investigation, the highest investigation type.




                                                5
                 In our review of 24 HUD employees and contractors who had above-read access
                 to Claims Subsystem production data files, we identified the following:

                 •    Ten employees did not have a background investigation on file.
                 •    Eleven employees did not have the proper background investigation.
                      ƒ   Six HUD employees had only a minimum background investigation 2 but
                          should have had a limited background investigation 3 since they all had
                          greater than read access to Claims Subsystem production data files.
                      ƒ   Five HUD contactors did not have a full background investigation as
                          required for their positions. One of the five was the Endevor 4
                          administrator who had a limited background investigation rather than the
                          full background investigation required for system/security administrators.
                          The other four had minimum background investigations, although their
                          positions required them to have limited background investigations.
                 •    The remaining three employees had the proper background investigations.


                 FHA officials indicated that they did not know the employees and contractors did
                 not have a background investigation or did not have the proper background
                 investigations; rather, they assumed that the IT developers’ background
                 investigations had been properly conducted. By not performing required
                 background screenings, HUD increased its risk that unsuitable individuals would
                 have access to sensitive systems and data. Background investigations ensure, to the
                 extent possible, that employees are suitable to perform their duties.




2
  According to the HUD Handbook 732.3 REV-1, “Personnel Security/Suitability,” a minimum background
investigation consists of a National Agency Check and Inquiries (NACI) plus an automated credit check covering
residence and employment locations for the past five years, an interview of the subject, and written inquiry of
residences, and references. A National Agency Check and Inquiries is the minimum investigation required for all
Federal employment, including contractors, except when employment is not to exceed 180 days in the aggregate. It
is a background investigation, but is conducted only for individuals in non-sensitive positions and is referred to
Government-wide as a NACI.
3
  According to the HUD Handbook 732.3 REV-1, “Personnel Security/Suitability,” a limited background
investigation is an investigation which consists of a National Agency Check and Inquiries, credit search, personal
subject interview, and personal interviews by an investigator of subject’s background during the most recent three
years.
4
  Endevor is a configuration management tool that controls, automates, and monitors the entire application
development life cycle. An Endevor administrator can control source code files.


                                                        6
    Unnecessary Access Rights
    Were Granted to Production
    Data Files


                Some FHA application developers and Claims Subsystem users had more access
                to the application’s production data files 5 than was necessary to perform their
                assigned job functions. Specifically,

                     •   Two Claims Subsystem users, a financial analyst and an accountant from
                         the Single Family Accounting Branch, had access type “all” to all the data
                         files, which permitted them to read, write, and update records. Financial
                         analysts and accountants typically do not require access to production data
                         files and are not required to modify them.

                     •   Three application project officers for the Claims Subsystem had update
                         access to a data file but did not require above-read access.

                     •   Five IT contractor developers were granted above-read access to
                         production data files, which violated HUD’s policy of not allowing
                         developers access to production resources.

                FHA’s system owners did not realize that some users had been granted above-
                read access to Claims Subsystem data files as they had not implemented an
                efficient monitoring process.

                By not following the principle of least privilege, HUD decreased its ability to protect
                sensitive information and limit the potential damage that could result from accident,
                error, or unauthorized use. Additionally, HUD risked exposure of confidential and
                critical information by providing access to applications or system attributes that were
                above the users’ authorized access levels.

          Audit Logs Were Not
          Adequately Managed and
          Monitored


                FHA did not design or implement effective information security controls for
                monitoring and managing audit logs. National Institute of Standards and
                Technology (NIST) Special Publication (SP) 800-53, “Recommended Security
                Controls for Federal Information Systems,” states, “The organization regularly
                reviews/analyzes audit records for indications of inappropriate or unusual activity,
5
 The HUD General Deputy Assistant Secretary for Administration’s memorandum to the Office of Administration
Government Technical Representatives and Government Technical Monitors, dated February 28, 2000, states that
“HUD will no longer approve requests to provide IT developers with production accounts or allow access to
production resources (application systems).”


                                                      7
                  investigates suspicious activity or suspected violations, reports findings to
                  appropriate officials, and takes necessary actions.”

                  Although, the Claims Subsystem application’s audit logs were able to capture and
                  monitor its transactions, the application’s user login activities recorded in the
                  Customer Information Control System’s 6 audit log had not been sufficiently
                  retained and monitored. HUD stated that these user login data were not reviewed
                  unless there was an incident that required investigation. HUD Handbook
                  2400.25, REV-1, “Information Technology Security Policy,” requires audit logs
                  to be recorded and retained for no less than a year for systems rated moderate to
                  high, the periodic review of audit records for inappropriate or unusual activity,
                  investigation of suspicious activity or suspected violations, and reporting of
                  findings to the appropriate officials.

                  Without adequate security log management process controls in place, HUD could
                  not maintain an inclusive history of events, and it would be unable to perform
                  audit and forensic analysis and identify operational trends and long-term
                  problems, which could help establish security controls.



    Conclusion


                  FHA did not fully design or implement required information security controls
                  related to background checks, access rights, or audit log management because of
                  the insufficient security control oversight and monitoring at the general support
                  system and application levels. Without these information security controls in
                  place, FHA could not operate the Claims Subsystem, one of its major
                  applications, in accordance with federal information security requirements, and
                  the data processed within the Claims Subsystem were not adequately protected.


    Recommendations



               We recommend that the Assistant Secretary for Housing

               1A. Ensure that FHA system owners work closely with application government
                   technical monitors/government technical representatives to identify and obtain



6
 The Customer Information Control System is a transaction processing system that runs primarily on IBM
mainframe systems for online and batch activities and acts as a front-end access to an application (e.g., the Claims
Subsystem) and to provide online transaction management connectivity for mission-critical applications.


                                                          8
     the appropriate access and background investigations for their application
     users.

1B. Initiate a request with Office of Security and Emergency Planning staff to
    determine whether the FHA contractor employees have had the appropriate
    background investigations. Follow up with Office of Security and Emergency
    Planning staff to ensure that background investigations are initiated for FHA
    applications’ contractor staff if required.

1C. Obtain the listing of Claims Subsystem users with above-read access to the
    production data files from the Office of the Chief Information Officer (OCIO)
    and work with OCIO to make the necessary adjustment to their access
    privileges based on their job functions.

1D. Obtain the current listing of all users with above-read access to FHA
    application data from OCIO, perform an assessment to determine specifically
    what access is granted to all FHA developers including both HUD employees
    and contractors, and update this listing with the assistance of OCIO to ensure
    that the most restrictive set of rights/privileges or accesses needed by users for
    the performance of specified tasks are assigned.

We recommend that the Acting Chief Information Officer

1E. Provide FHA with a current listing of all users with above-read access to FHA
    application data and remove any developers’ unnecessary access to FHA
    applications upon FHA’s confirmation notification.

1F. Initiate a request with the Office of Security and Emergency Planning staff to
    determine whether the IT infrastructure contractor employees with
    administrative access (such as DB2, Endevor, and PVCS) to FHA applications
    and the platforms where the applications reside have had appropriate
    background investigations. Follow up with Office of Security and Emergency
    Planning staff to ensure that background investigations are initiated for IT
    infrastructure contractor staff if required.

1G. Require the HUD IT infrastructure contractor to maintain the Customer
    Information Control System audit log that allows the activities to be traced
    back for at least one year.

1H. Require the HUD information technology infrastructure contractor to provide
    a Customer Information Control System user failed logon attempts report and
    then disseminate pertinent information to the information system security
    officers for review and monitoring on a periodic basis.




                                   9
Finding 2: FHA Did Not Define or Implement Adequate Security
Control Requirements over Business Partner Development, Processing,
or Storage of Single-Family Mortgage Data
FHA did not develop or implement adequate information security controls for its business
partners and outside entities that remotely access or develop, process, and maintain HUD data for
the FHA Connection application. FHA depended on its business partners to generate, process,
and store FHA mortgage data but had not established information security guidance or
requirements. As a federal entity, FHA is required by FISMA to ensure that its data are
adequately protected from unauthorized access, use, destruction, disclosure, disruption, or
modification even when the data are maintained on behalf of the agency. FHA program staff
were not fully aware of their responsibility for the information collected, processed, and stored
on their behalf. By not providing adequate security controls and safeguards over data maintained
outside HUD’s secured physical perimeter, FHA did not comply with HUD regulations or
federal guidelines. As a result, data that were critical to FHA’s mission and its ability to operate
efficiently and effectively were at risk of theft, loss, or destruction.



 Security Controls for Business
 Partners Were Not Developed
 or Defined


               FHA did not develop or implement adequate security controls over its business
               partners and outside entities that remotely access or develop, process, and
               maintain HUD data outside the agency’s secured physical perimeter. FHA did
               not consider or assess the risk of exchanging information among business partners
               and other external entities or develop appropriate security controls. Based on
               interviews with FHA officials, there was no FHA-specific process that established
               specific requirements to protect information exchanged and/or that specified
               particular remedies for failure to protect the information as prescribed.

               We found a lack of management controls over the FHA Connection, an
               interactive system on the Internet that gives approved business partners and
               outside entities access to update single-family mortgage and insurance systems.
               As of April 1, 2008, 59,342 users from 22,425 institutions and branches had
               signed up to use the FHA Connection, and average volume was between 200,000
               and 250,000 transactions per day. FHA management did not (1) provide guidance
               on required security controls such as data retention and encryption or disposal of
               confidential and personally identifiable information, (2) require a memorandum of
               understanding with business partners detailing security requirements, or
               (3) monitor or require quality assurance reviews of systems that provide data to
               HUD or data collected, processed, and maintained remotely on behalf of HUD.



                                                10
                     FISMA holds federal agencies responsible for providing information security
                     protections commensurate with the risk and magnitude of the harm resulting from
                     unauthorized access, use, disclosure, disruption, modification, or destruction of
                     information collected or maintained by or on their behalf and information systems
                     used or operated by an agency or by a contractor of an agency or other
                     organization on behalf of an agency.

                     NIST SP 800-53 7 states that the assurance or confidence that the risk to the
                     organization’s operations, assets, and individuals is at an acceptable level depends
                     on the trust that the authorizing official places in the external service provider. In
                     some cases, the level of trust is based on the amount of direct control the
                     authorizing official is able to exert on the external service provider with regard to
                     the employment of appropriate security controls necessary for the protection of
                     the service and the evidence brought forth as to the effectiveness of those
                     controls. The level of control is usually established by the terms and conditions
                     of the contract or service-level agreement with the external service provider and
                     can range from extensive (e.g., negotiating a contract or agreement that specifies
                     detailed security control requirements for the provider) to very limited (e.g., using
                     a contract or service-level agreement).

                     FHA program managers and system owners did not review or require security
                     controls over FHA’s partners because they were not fully aware of the federal
                     requirements to do so. They believed that they should not have to provide
                     guidance, monitor, or require the business partners to implement and maintain
                     security measures.

                     Further, FHA maintained that there was no way to structurally organize a security
                     policy for all outside personnel that access its systems. Business partners
                     completed a yearly quality controls self-assessment as required by FHA;
                     however, there was no quality assurance requirement for information systems
                     security controls. FHA did not require or plan to address the lack of security
                     controls in the quality control process. As a result, FHA did not monitor the
                     security measures in place at its business partners’ sites and did not require
                     assurance regarding the information systems controls that were implemented.
                     Without these assurances, FHA could not fulfill its responsibilities under FISMA
                     related to providing information security protections commensurate with the risk
                     and magnitude of the harm resulting from unauthorized access, use, disclosure,
                     disruption, modification, or destruction of information collected or maintained by
                     FHA or on its behalf.




7
    “Recommended Security Controls for Federal Information Systems,” dated December 2006.


                                                            11
Conclusion

             FHA did not comply with federal statutes or information security requirements, as
             it did not develop or implement adequate security controls over its business
             partners and outside entities that remotely access or develop, process, and
             maintain HUD data outside the agency’s secured physical perimeter. This
             condition occurred because FHA program staff believed that they were not
             responsible for the information collected, processed, and stored on their behalf.
             Further, FHA management did not provide sufficient guidance on required
             security controls and adequately monitor business partner use of systems that
             provide data to HUD or data collected, processed, and maintained remotely on
             behalf of HUD. As a result, FHA data were at an unmeasured level of risk of
             theft, loss, or destruction.

             FHA relies heavily on its business partners’ and outside entities’ use of
             information technology systems and data to carry out its mission and operate
             efficiently and effectively. Therefore, appropriate security controls and
             safeguards must be established to minimize the risks associated with business
             partners and outside entities remotely accessing, developing, processing, and
             maintaining HUD data.


Recommendations



         We recommend the Assistant Secretary for Housing

         2A. Identify the information security controls needed by FHA to ensure that the
             data uploaded into the FHA Connection are adequately protected and use a
             risk-based approach that requires its business partners to design and
             implement appropriate information security controls in their operation.

         2B. Design and implement guidance, tools, and the communications necessary to
             ensure that FHA’s business partners are aware of their roles and
             responsibilities to protect FHA data.

         2C. Ensure that within the annual quality assurance requirements, there is a
             requirement for an assessment of the business partners’ information security
             controls that protect FHA data.

         2D. Coordinate the quality assurance plans with business partners to include
             security measures.




                                             12
Finding 3: FHA Did Not Have Assurance That Mandatory Security
Controls Had Been Implemented
FHA’s Office of Housing did not ensure that mandatory security controls 8 that establish a level
of “security due diligence” were implemented, assessed, or monitored. Our review of the
information security self-assessment 9 documents for several major FHA applications 10 disclosed
(1) missing or improperly assigned mandatory security controls, (2) common security controls
that were not clearly identified, and (3) a lack of appropriate security awareness and specialized
training. These deficiencies occurred because the responsibility for the assessment and
monitoring of common controls was not clearly assigned, HUD and federal regulations were
misunderstood, and some FHA personnel involved in completing security self-assessments
lacked the appropriate role-based training. As a result, HUD and FHA could not ensure that
their information systems and data were adequately secured and protected. Lack of
understanding the status of security programs and controls prohibits HUD and FHA management
from making informed decisions and investments to mitigate risks that can negatively impact
their ability to meet mission goals.



    Mandatory Security Controls
    Were Consistently Missing
    from System Security
    Documentation

                  During the Office of Housing’s self-assessments completed in September 2007,
                  not all required security controls were assessed. The mandatory security controls
                  were not assessed because they were not a part of the FHA-prepared security
                  control listing or due to the improper impact ratings for the applications. 11 This
                  omission resulted in those specific security controls not being included in the
                  FHA major applications’ security documentation and monitoring processes.
                  After the self-assessment process, FHA, independent from the Office of Inspector
8
  Controls are classified as common controls or application-specific controls. Security controls designated by the
organization as common controls are in most cases managed by an organizational entity other than the information
system owner. Application controls or organization security controls containing organization-defined parameters
(i.e., assignment and/or selection operations) give organizations the flexibility to define selected portions of the
controls to support specific organizational requirements or objectives.
9
  The self-assessment questionnaire, based on NIST SP 800-53 controls for information systems, provides the
agency baseline of mandatory controls.
10
   Single Family Insurance System - Claims Subsystem , Single Family Acquired Asset Management System, Single
Family Mortgage Notes, Home Equity Conversion Mortgages, Computerized Homes Underwriting Management,
FHA Connection, and FHA Subsidiary Ledger.
11
   As required by FISMA, the US Department of Commerce’s National Institute of Standards and Technology
promulgated the Federal Information Processing Standard (FIPS) 199 which establishes security categories for both
information and information systems. The security categories are based on the potential impact on an organization
should certain events occur which jeopardize the information and information systems needed by the organization to
accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions,
and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in
assessing the risk to an organization.


                                                            13
                 General and using contractor support, identified 23 NIST SP 800-53 security
                 controls as missing from FHA’s baseline 12 of security controls. The information
                 security controls missing from the entire selected FHA major application security
                 program included

                 •   Security-related activity planning;
                 •   Acquisition;
                 •   Security certification;
                 •   Fire protection;
                 •   Information system backup;
                 •   Information system component inventory (low and moderate baselines);
                 •   Flaw remediation;
                 •   Information system monitoring tool and techniques;
                 •   Media transport (moderate and high baselines);
                 •   Remote access;
                 •   Use of external information system;
                 •   Auditable events;
                 •   Audit monitoring, analysis, and reporting;
                 •   Time stamps;
                 •   Boundary protection (including control enhancements 3, 4, and 5);
                 •   Secure name/resolution service (authoritative service);
                 •   Architecture and provisioning for name/address resolution; and
                 •   Session authenticity.

                 There were also five security controls that were missing due to the improper
                 impact rating for the application. These lacking security controls applied to those
                 sections that were improperly assigned low, moderate, and high impact.

                 •   Contingency planning control CP-6.2 was not applicable to a moderate
                     system.
                 •   Remote maintenance was missing (from a moderate system).
                 •   Media labeling was not applicable to a moderate system.
                 •   Wireless access restriction was missing (from a moderate system).
                 •   Resource priority was not applicable to a moderate system.




12
  Baseline controls are the minimum security controls recommended for an information system based on the
system’s security categorization in accordance with FIPS 199.




                                                      14
Common Security Controls
Were Not Clearly Identified



            Security controls designated by the organization as “common controls” (i.e.,
            controls that are common to FHA and other HUD organizations) are managed by
            the Office of the Chief Information Officer (OCIO) rather than the information
            system owner. Organizational decisions on which security controls are viewed as
            common controls may greatly affect the responsibilities of individual information
            system owners with regard to the implementation of controls in a particular
            baseline. Every control in a baseline must be fully addressed by either the
            organization or the information system owner.

            OCIO’s information security self-assessment template is provided to the
            information systems security officer and system owners as guidance for the
            assessment of the minimum baseline security controls as outlined in NIST 800-53.
            The template did not clearly identify which of the template’s controls was HUD’s
            responsibility as a common control. This condition adversely impacted FHA’s
            ability to identify the controls it was responsible for on an application level.
            Consequently, FHA created its own set of information security controls
            determining which controls were its responsibility and which controls should be
            the responsibility of OCIO. As a result, mandatory controls were not assessed or
            monitored.

FHA Staff Required Role-Based
Security Awareness and
Training

            The Office of Housing was taking steps to improve its information technology
            security awareness and documentation; however, its lack of understanding of
            mandatory security controls for which it is responsible resulted in a deficient IT
            security program. Complete self-assessment information and guidance were
            provided on the HUD internal Web site; however, the proper tools were not used
            to ensure that all elements of the annual security reviews were completed and
            implemented. The noted deficiencies were primarily due to a misunderstanding
            of the regulations. The lack of FHA staff training contributed to these missing
            elements. Not all staff members who played a pertinent role in completing the
            security assessment documentation received the same training.

            Federal regulations require that individuals with security responsibility have the
            required training to meet their job functions. NIST SP 800-16, “Information
            Technology Security Training Requirements: A Role and Performance Model,”
            section 4.1, states, “...training and education are to be provided selectively, based



                                              15
             on individual responsibilities and needs. Specifically, training is to be provided to
             individuals based on their particular job functions. Education is intended for
             designated IT security specialists in addition to role based training.”


Conclusion


             FHA did not comply with HUD and federal regulations with regard to annual
             security assessments and had no assurance that all mandatory security controls
             had been implemented. As a result, HUD and FHA could not properly ensure
             that their information systems and data were adequately secured and protected
             from threats. The deficiencies identified above occurred because (1)
             responsibility for the assessment and monitoring of common controls was not
             clearly assigned, (2) HUD and federal regulations were misunderstood, and (3) all
             FHA personnel involved in completing security self-assessments did not receive
             the appropriate role-based training.

             It is necessary that officials understand the current status of security programs and
             controls to make informed judgments and investments that appropriately mitigate
             risks that could negatively impact their mission goals. FHA needs to ensure that
             all elements are fully implemented into its security documents to prevent and plan
             for possible situations and risks associated with the data HUD maintains.


Recommendations



         We recommend that the Assistant Secretary for Housing

         3A. Ensure that a training development plan is fully implemented so that staff may
             complete their tasks based on their specific positions and be fully aware of
             their roles and responsibilities as they relate to the management of the
             systems.

         3B. Monitor and ensure that the missing security controls are implemented in all
             future security self-assessments, continuous monitoring, activities, and the
             fiscal year 2008 certification and accreditation process.

         3C. Include missing security controls in appropriate system security plans used by
             the Office of Housing.




                                              16
We recommend that the Acting Chief Information Officer

3D. Revise the self-assessment template to note which of the controls listed are
    considered to be common controls and as a result, primarily the responsibility
    of OCIO as the general support system owner.




                                 17
Finding 4: HUD OCIO Did Not Follow Its Own Policy on Performing
Security Impact Assessments When Significant Changes Were Made
HUD’s Office of the Chief Information Officer (OCIO) made a significant change to a general
support system 13 that supports FHA’s core financial system, the upgrading of an operating
system, without performing a security impact assessment as required by federal and HUD
information system policy. This situation occurred because HUD’s contractor did not consider
the change to be significant and advised HUD that a security impact assessment was not needed.
To determine whether there was a security impact to the general support system, we performed a
series of compliance checks 14 and found a number of improper configurations, mostly related to
password issues, and policy violations on associated Windows servers. These vulnerabilities
should have been reported and incorporated into HUD’s monitoring program until corrected.
Without conducting a security impact assessment, OCIO could not assure itself or HUD’s
components that it had adequately protected HUD’s systems.


     HUD Did Not Follow Its Own
     Certification and Accreditation
     Policy

                 HUD did not comply with the federal information security framework related to
                 the continuous monitoring phase of the certification and accreditation process.
                 Specifically, HUD did not review significant changes made to a general support
                 system. A significant change imposes a change in the security risks faced and
                 needs to be analyzed by performing a security impact assessment. Our review
                 found that HUD did not complete a security impact assessment of the general
                 support system that supports FHA’s core financial system, FHA Subsidiary
                 Ledger, before upgrading the operating system from Solaris version 8 to version
                 10. Federal guidance specifically identifies operating system changes as
                 significant.

                 OCIO was not able to provide planning documentation to justify its reasoning
                 prepared in advance of the conversion for not conducting a security impact
                 assessment. OCIO staff stated that they relied on the contractor responsible for
                 HUD’s information technology infrastructure and did not believe a security
                 impact assessment or a new certification and accreditation were necessary. They
                 added that there were only a few systems converted to the new updated software


13
   An interconnected set of information resources under the same management control that shares common
functionality. It includes hardware, software, information, data, applications, communication, and people.
14
   Unlike scans, which usually involve a more comprehensive vulnerability assessment, a compliance check is a
manual check of configurations on the server against configuration guidelines provided by NIST and the Defense
Information Systems Agency security technical implementation guidelines.


                                                       18
                 and that a certification and accreditation would take place sometime in fiscal year
                 2008.

                 The federal guidance 15 that governs certification and accreditation states that
                 when accrediting a federal information system, an agency official accepts the
                 risks associated with operating the system and the associated implications
                 regarding agency operations, agency assets, or individuals. Completing a security
                 accreditation ensures that an information system will be operated with appropriate
                 management review, that there is ongoing monitoring of security controls, and
                 that there will be a reaccreditation whenever there is a significant change to the
                 system or its operational environment. The guidance specifically states that a
                 change to an operating system is a significant change.

                 A security impact assessment was not performed when completing changes to the
                 general support system because HUD’s information technology infrastructure
                 contractor recommended that a security impact assessment was not needed.
                 OCIO accepted the recommendation from the contractor without documented
                 evidence identifying reasons why a security impact assessment should not be
                 completed. After we questioned OCIO, OCIO staff requested additional
                 information and received a written document from the contractor explaining its
                 recommendation. However, the statement did not conform to either HUD or
                 federal policy.

                 FHA’s core financial system was one of the systems residing on the general
                 support system that migrated from the Solaris 8 operating system to the Solaris 10
                 operating system, and affected servers processed the financial data that were the
                 source for FHA’s financial statement reports. The lack of review before the
                 conversion left this information susceptible to undetected changes.


          Improper System
          Configurations Went
          Undetected


                 OCIO did not perform security assessments or testing on the UNIX servers
                 impacted by the conversion from Solaris 8 to Solaris 10 or associated Windows
                 servers to determine whether the new implementation created any new
                 vulnerabilities. Without testing, there would be no way to determine whether any
                 additional controls were needed to address the differences between the two
                 operating systems. We were told that HUD had not prepared standard procedures
                 for the new features in version 10, which could leave data vulnerable. In addition,
                 roles and responsibilities associated with these new features had not been
                 designated.

15
 NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” dated
May 2004.


                                                      19
             To determine whether a security impact assessment would have identified
             security violations or improper configurations, we conducted compliance checks
             on production UNIX and supporting Windows servers. We did not find any
             critical security violations; however, we did find a number of improper
             configurations, which should be addressed. We provided OCIO with the results
             of the compliance checks.

             The configuration tests that we completed indicated that there were security
             violations or improper configurations to the systems that had not been addressed,
             thereby leaving data and information open to risk. Without a proper security
             assessment, HUD could not ensure that it had adequately protected its systems
             that process critical information.

Conclusion


             HUD’s OCIO did not follow its own or federal policy when it made a significant
             change to a general support system without performing a security impact
             assessment. This resulted in security violations and improper configurations that
             had not been addressed, thereby leaving data and information open to risk. This
             situation occurred because OCIO accepted its information technology contractor’s
             assertion that a security impact assessment was not needed, although the decision
             directly contradicted HUD and federal policy. The migration from Solaris 8 to
             Solaris 10 directly affected servers that housed FHA’s core financial system and
             financial data that were the source for FHA’s financial reports. The lack of
             review before the conversion might have left this information susceptible to
             undetected changes, which could call into question the validity of the FHA
             financial statements.


Recommendations

         We recommend that the Acting Chief Information Officer

         4A. Complete a certification and accreditation of the general support systems that
             upgraded from the Solaris 8 to the Solaris 10 operating system.

         4B. Provide training to system owners, including the general support systems
             owners, to ensure an understanding of federal regulations and the HUD
             handbook with regard to significant changes to their systems.

         4C. Issue a memorandum to its IT infrastructure contractors reminding them of
             their contractual obligation to fully comply with HUD security policy and



                                             20
obtain a signed acknowledgment and complete, at minimum, a security impact
assessment of the changes when significant changes are made to general
support systems and obtain in writing from the contractors their assurance that
they understand and accept this requirement.




                            21
                 SCOPE AND METHODOLOGY

We performed the audit
           •   From June through December 2007,
           •   At HUD headquarters in Washington, DC, and
           •   In accordance with generally accepted government auditing standards.

We reviewed information security documents, Office of Housing major applications, and
the general support systems’ compliance with federal and HUD information security
requirements. We focused on organizational structure and security documents that were
created in fiscal year 2007.

We used a selective sampling method to evaluate the compliance of the seven selected
Office of Housing major applications from a universe of 40 major FHA applications
reported in HUD’s system inventory list as of January 19, 2007. The seven major
applications were selected because they were managed by the Office of Housing, supported
FHA program areas, and were categorized as major applications.

To accomplish our objectives, we reviewed policies and procedures, interviewed FHA
system owners for each application, and obtained and analyzed supporting documentation.
We also interviewed staff from OCIO, the Office of Integration and Efficiency, and the
Office of Housing’s Office of Finance and Budget, Office of Systems and Technology, to
better understand the structure and organization upon which information security was based
in the Office of Housing. These interviews were conducted to determine roles and
responsibilities of the system owners from their perspectives and compare them to what is
stated in HUD policy. We also conducted compliance checks on production UNIX and
supporting Windows servers where major FHA applications reside to determine whether a
security impact assessment would have identified security violations or improper
configurations.




                                        22
                             INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following objectives are being achieved:

   •   Effectiveness and efficiency of operations,
   •   Reliability of financial reporting, and
   •   Compliance with applicable laws and regulations.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance.



 Relevant Internal Controls
              We determined the following internal controls were relevant to our audit objectives:

              •   Appropriate level of access to data and systems,
              •   Compliance with personnel security requirements,
              •   Design and implementation of information security baseline controls,
              •   Compliance with certification and accreditation, and
              •   Compliance with information security assessments.

              We assessed the relevant controls identified above.

              A significant weakness exists if management controls do not provide reasonable
              assurance that the process for planning, organizing, directing, and controlling
              program operations will meet the organization’s objectives.


 Significant Weaknesses


              Based on our review, we believe the following item is a significant weakness:

              •   FHA and HUD’s OCIO had not fully integrated the federal information
                  security program framework with their organizational processes to ensure that
                  security documents, continuous monitoring, personnel security, and
                  appropriate access to systems and data were adequate (findings 1, 2, 3, and 4).




                                               23
                   FOLLOWUP ON PRIOR AUDITS


Review of FHA Controls over
Its Information Technology
Resources
Audit Report: 2008-DP-0002
October 31, 2007


           The following recommendations from our prior audit remain open:

           1A. Design and implement an FHA information security program consistent
               with HUD and federal requirements to include
                i. Designating a senior FHA staff member to lead information technology
                   and security functions within FHA. The FHA security function would
                   be subordinate to HUD’s for external reporting and department-wide
                   information security issues but would be able to focus and enhance HUD
                   requirements for FHA-specific needs and risks.
                ii. Ensuring that a compliant information security risk-based framework is
                    implemented for all FHA applications.

           1B. Direct application system owners to fully assume the roles and
               responsibilities of system owners in accordance with HUD IT Security
               Policy - Handbook 2400.25, REV-1.

           1C. Mandate a role-based training program for FHA program staff with
               significant information security responsibilities.

           2A. Structure the management authorities relating to information security
               functions so that they provide the oversight necessary to ensure that
               information security receives the consideration needed when allocating
               resources.

           2B. Direct application system owners to determine the amount and type of
               resources needed to ensure adequate security for their systems.

           2C. Develop an FHA-wide plan to ensure that the dollar amount and resources
               are listed in budget requests and that resources are adequate to complete
               security for their systems.

           2D. Revise the HUD standard business impact analysis to include all necessary
               elements outlined in NIST SP 800-34, “Contingency Planning Guide for
               Information Technology Systems,” so that the analysis supports the
               preparation of the continuity of operations and business resumption plans.


                                          24
2E. Provide additional guidance and training to application system owners
    regarding completion of their application’s business impact analysis.

3A. Complete the design and implementation of an information security program
    to include
       •   Accurate and fully agreed-upon descriptions of program office
           application system owner roles and responsibilities.
       •   Documented processes, procedures, or agreements related to the
           implementation of information security controls with FHA for each
           general support system on which its applications reside.
       •   Documenting, in HUD’s information technology policy, the use of the
           Information System Security Forum as a user representative forum for
           each general support system. The forum could be used to update the
           security officer on the status of information security policy on the
           general support systems on which its applications reside.

3B. Develop and provide role-based training to FHA staff with information
    security roles and responsibilities, including but not limited to
       •   Application system owners,
       •   Information system security officers,
       •   Project managers, and
       •   Authorizing officials and other staff with management responsibilities
           for the certification and accreditation process.

3C. Require FHA authorizing officials, information system owners, and
    information system security officers to obtain the training necessary to
    assume their information security roles and responsibilities.




                                25
                        APPENDIXES

Appendix A

        AUDITEE COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation      Auditee Comments




                            26
Comment 1




            27
28
Comment 2




Comment 3




            29
30
Comment 4




Comment 5




            31
32
Comment 6




            33
34
                         OIG Evaluation of Auditee Comments

Comment 1   OIG agrees with FHA’s implemented corrective actions as stated. OIG also
            requests that supporting documentation and the completion dates be provided in
            order to confirm complete implementation of this recommendation. Once
            confirmed, no further correction action is necessary from FHA and this
            recommendation can be closed.

Comment 2   OIG agrees with FHA’s implemented corrective actions. OIG also requests that
            supporting documentation and the completion dates be provided in order to
            confirm complete implementation of this recommendation. Once confirmed, no
            further correction action is necessary from FHA and this recommendation can be
            closed.

Comment 3   OIG agrees with FHA’s implemented corrective actions as stated. OIG also
            requests that supporting documentation and the completion dates be provided in
            order to confirm complete implementation of this recommendation. Once
            confirmed, no further correction action is necessary from FHA and this
            recommendation can be closed.

Comment 4   OIG has revised the recommendation to reflect that the action OCIO is to carry
            out is contingent “upon FHA’s confirmation notification.”

Comment 5   OIG has made minor revisions to this recommendation based on discussions with
            OCIO.

Comment 6   OIG reevaluated the recommendation based on OCIO’s comments and has
            revised the recommendation accordingly.




                                            35