oversight

HUD's Controls Over Selected Configuration Management Activities Need Improvement

Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-03-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                  Issue Date
                                                                  March 24, 2011
                                                                  Audit Report Number
                                                                  2011-DP-0006




TO:          Douglas A. Criscitello, Chief Financial Officer, F
             Mercedes M. Márquez, Assistant Secretary for Community Planning and
                Development, D
             Jerry E. Williams, Chief Information Officer, Q


FROM:        Hanh Do, Director, Information Systems Audit Division, GAA

SUBJECT:     HUD’s Controls Over Selected Configuration Management Activities Need
             Improvement


                                     HIGHLIGHTS

What We Audited and Why


        We audited the U.S. Department of Housing and Urban Development’s (HUD) controls
        over selected configuration management (CM) activities. This audit was based on work
        performed during our fiscal year 2009 and 2010 reviews of information system security
        controls in support of the annual financial statement audits. During those audits, we
        identified weaknesses in security controls over selected CM activities.
What We Found


      Although HUD had processes and procedures for managing the configurations of systems
      in HUD’s computing environment, those procedures were not always followed.
      Specifically, (1) CM documentation for the eTravel and Integrated Disbursement and
      Information System (IDIS) Online systems was outdated, and (2) HUD did not
      consistently follow its own Configuration Change Management Board (CCMB) review
      and approval process.


What We Recommend


      We recommend that the Office of the Chief Financial Officer update the CM plan for the
      eTravel system and ensure that contractor support staff reviews application CM
      documentation at least annually and updates the documentation when changes occur.

      We recommend that the Assistant Secretary for Community Planning and Development
      update the CM plan for IDIS Online and ensure that contractor support staff reviews
      application CM documentation at least annually and updates the documentation when
      changes occur.

      We recommend that the Office of the Chief Information Officer ensure that all products
      running on the HUD information technology infrastructure are CCMB approved and that
      products selected for pilot testing are CCMB approved before conducting the test.

      For each recommendation without a management decision, please respond and provide
      status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us
      copies of any correspondence or directives issued because of the audit.


Auditee’s Response


      The draft audit report was issued on February 22, 2011, and written comments were
      requested from each of the report’s addressees by March 8, 2011. We received written
      comments dated March 2, 7 and 14, 2011. The Office of the Chief Financial Officer,
      Office of Community Planning and Development, and Office of the Chief Information
      Officer generally agreed with the recommendations in our report.

      The complete text of each auditee’s response, along with our evaluation of those
      responses, can be found in appendix A of this report.




                                              2
                         TABLE OF CONTENTS

Background and Objectives                                                      4

Results of Audit

     Finding 1: CM Documentation for eTravel and IDIS Online Was Outdated      5
     Finding 2: HUD’s CCMB Review and Approval Process Was Not Consistently    9
                Followed

Scope and Methodology                                                         12

Internal Controls                                                             13

Appendix

   A. Auditee Comments and OIG’s Evaluation                                   14




                                        3
                           BACKGROUND AND OBJECTIVES

The U.S. Department of Housing and Urban Development (HUD) relies extensively on
information technology (IT) to carry out its mission and provide services to the American public.
Given the prevalence of cyber threats today, HUD must manage its IT assets with due diligence
and take the necessary steps to safeguard them while complying with Federal mandates and the
dictates of good stewardship.

Within HUD, the Office of the Chief Information Officer (OCIO) is responsible for the security
of IT resources. One of the major goals of OCIO is to maintain an enterprise security program
that meets all security and privacy-related regulations, statutes, and Federal laws. OCIO
coordinates, develops, and implements IT security policy and procedures for HUD.

Configuration management (CM) is one component within the entitywide security program
under OCIO’s area of responsibility. According to the National Institute of Standards and
Technology (NIST), CM provides assurance that the system in operation is the correct version
(configuration) of the system and that any changes to be made are reviewed for security
implications. CM can be used to help ensure that changes take place in an identifiable and
controlled environment and that they do not unintentionally harm any of the system’s properties,
including its security. To achieve this objective, HUD established the Configuration Change
Management Review Board (CCMB) to ensure that all changes made to the HUD IT
infrastructure and system development platforms take place through a rational and orderly
process.

The Office of the Chief Financial Officer’s (OCFO) eTravel system is a critical system that
supports HUD’s travel needs. eTravel is the Web service interface between the HUD Central
Accounting Program System and the FEDTraveler.com system.1 According to HUD’s Inventory
of Automated Systems, HUD’s Integrated Disbursement and Information System (IDIS) Online
is a Web-based grants management system used by the Office of Community Planning and
Development (CPD) to automate the administration of grants, including those grants established
by the American Recovery and Reinvestment Act of 2009. IDIS Online is used by more than
1,200 HUD grantees, including urban counties and States, to plan activities, draw down program
funds, and report on accomplishments. IDIS Online has more than 15,000 individual grantee
users as well as several hundred HUD headquarters and field office users.

Our overall objectives were to determine whether (1) CM plans for the selected applications
were kept up to date and (2) selected software products followed HUD’s CM policies.




1
    FEDTraveler.com is an enterprise solution for Government Travelers.
                                                         4
Finding 1: CM Documentation for eTravel and IDIS Online Was
Outdated
CM documentation for eTravel and IDIS Online was not compliant with NIST Special
Publication (SP) 800-532 and HUD’s own internal policies and procedures. This condition
occurred because neither OCFO nor CPD ensured that contractors responsible for maintaining
these CM plans kept them up to date in accordance with the most current HUD CM policy,
procedures, and template. Because system configuration documentation was not kept up to date,
HUD risked providing improper organizational and strategic directions and could not ensure that
resource assignments for the implementation would be adequately provided.



CM Documentation Was Outdated


                   CM documentation for the eTravel and IDIS Online systems was outdated. We
                   reviewed the CM plans for the systems and determined that the plans did not
                   follow CM guidance contained in HUD’s Software Configuration Management
                   Policy (Handbook 3252.1) and the HUD software configuration plan template.
                   Plans for both systems lacked information as follows:

                          The Roles and Responsibilities section did not include development, test,
                           and production groups that are part of the CM process personnel to ensure
                           proper authorization, testing, approval, and tracking of all configuration
                           changes; and

                          The Information section did not include contact information for the
                           supporting groups mentioned above that may be needed for informational
                           and troubleshooting purposes.

                   In addition, the CM plans for both systems contained outdated information, as
                   outlined in the tables for each system below:

                           Outdated Information in the eTravel CM Plan
1       Section 1.3, Project References, contained a reference to the HUD System Development
        Methodology (SDM), dated August, 2005, although the document had been revised and
        updated as of January 2009. It also contained a reference to the HUD ADP [automated data
        processing] Documentation Standards, Handbook 2400.15, which was cancelled in April
        2002. However, it did not reference the HUD Software Configuration Management Policy
        Handbook (3252.1) or the HUD Software Configuration Management Procedures, which
        are HUD’s primary CM documents.


2
    NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organization
                                                       5
2       Section 1. 2.1, FedTraveler P221, did not clearly identify the eTravel system environment.
        It did not identify the vendor for each product used or provide the hardware information for
        each server or list the operating system. Further, the hardware and software information for
        the development/test environment should be listed if it is different from the production
        environment. The CM server information, such as CM tool version and server name, was
        excluded. In addition, this section and section 2.4, Tools, still listed the old CM tool.
3       Section 1.6, Points of Contact, listed outdated personnel information for the government
        technical representative. Also, section 1.6.2, Coordination, still listed people who had left
        HUD. For example, the point of contact for server/operations support had retired, and the
        point of contact for Office of Information Technology (“OIT-Infrastructure”) had left HUD.
4       The eTravel CM plan did not follow the HUD SDM software configuration plan template.
        The following sections were missing: Baseline Identification, Measurements, Configuration
        Status Accounting, Configuration Management Libraries, Release Management, and
        Configuration Audits. In addition, the plan did not have a System Overview section
        covering required information such as system environment or special conditions.


                         Outdated Information in the IDIS Online CM Plan
1       Section 1.4, Project References, contained references to the HUD Configuration
        Management Policy, dated February 2001, and the HUD Software Configuration
        Management Procedures, dated October 2007, although the documents had been revised and
        updated as of July 2008 and January 2010, respectively. In addition, references to the
        project management plan, quality assurance plan, and risk assessment plan did not clearly
        specify whether they referred to IDIS’ plans or other Federal publications. Also, the
        Integrated Disbursement and Information System Configuration Management Plan, dated
        January 2006, listed in this section could not be located for verification.
2       Section 1.3, System Overview, did not clearly identify the system environment. It only
        identified some servers that serve as the hosts for SiteMinder3 and Lightweight Directory
        Access Protocol4 as well as the application and database servers. It did not list the servers
        that host MicroStrategy, which is a business intelligence reporting tool used by IDIS Online,
        or provide the hardware information for each production server or identify the operating
        system that the application was running under. Further, the hardware and software
        information for the development/test environment should be listed since the CM process
        involves the activities conducted on both development and test servers. The plan also left
        out its CM server’s information such as CM tool version and server name. In addition, the
        interface information, such as interface type, data, and frequency of the interfaced
        applications’ organizations, was not provided.

                    NIST SP 800-53, section CM-9, Configuration Management Plan, states, “The
                    organization develops, documents, and implements a configuration management
                    plan for the information system that: a. Addresses roles, responsibilities, and
                    configuration management processes and procedures; b. Defines the configuration
                    items for the information system and when in the system development life cycle
                    the configuration items are placed under configuration management; and c.
3
    SiteMinder is an authentication and security tool.
4
  Lightweight Directory Access Protocol is an Internet protocol that e-mail and other programs use to look up
information from a server.
                                                         6
                  Establishes the means for identifying configuration items throughout the system
                  development life cycle and a process for managing the configuration of the
                  items.”

                  HUD Software Configuration Management Policy Handbook (3252.1), section 3-
                  2, HUD Software Configuration Management Policies, item B, states, “Prepare a
                  SCM5 plan for each software project according to the documented procedure for
                  managing the configuration to the software, review it annually, and update it
                  when changes occur. The plan shall comply with HUD SDM Software
                  Configuration Plan template.”

                  Absent updated documentation, HUD risks that (1) outdated policies and plans
                  may not address current risk and, therefore, be deemed ineffective; (2) programs
                  and program modifications might not be properly authorized, tested, and approved
                  and access to and distribution of programs may not be carefully controlled; and
                  (3) organizational strategic directions and resource assignments for
                  implementation cannot be adequately provided.


Conclusion



                  CM documentation for eTravel and IDIS Online was not kept up to date. Neither
                  OCFO nor CPD ensured that the contractors responsible for maintaining the
                  eTravel and IDIS Online CM plans kept the information up to date in accordance
                  with the most current HUD CM policy, procedures, and template. If system
                  software CM documentation is not kept up to date, HUD risks providing improper
                  organizational and strategic directions and cannot ensure that resource
                  assignments for implementation will be adequately provided.


 Recommendations



                  We recommend that OCFO

                  1A.     Update the CM plan of eTravel to remove references that are obsolete
                          and/or no longer applicable and add all missing information.

                  1B.     Ensure that contractor support staff reviews application CM
                          documentation at least annually and update the documentation when
                          changes occur.




5
    Software Configuration Management
                                                  7
We recommend that the Assistant Secretary for Community Planning and
Development

1C.   Update the CM plan of IDIS Online to remove references that are obsolete
      and/or no longer applicable and add all missing information.

1D.   Ensure that contractor support staff reviews application CM
      documentation at least annually and update the documentation when
      changes occur.




                              8
Finding 2: HUD’s CCMB Review and Approval Process Was Not
Consistently Followed
HUD did not ensure that its CCMB review and approval process was consistently followed. All
software products running in HUD’s computing environment had not been CCMB approved, and
some products were not CCMB approved before pilot testing. OCIO managers did not believe
that software products owned and/or tested by its IT support contractors required CCMB
approval. Failure to follow agency policies and procedures for effective agency CM controls
increases the risk of potential security impacts due to specific changes to an information system
or its surrounding environment.



    CCMB Review and Approval Process
    Was Not Properly Followed


                 We identified instances within HUD’s CM process that demonstrated that HUD
                 did not follow the CCMB review process properly. Specifically,

                         Although the majority of software products running in HUD’s computing
                          environment went through the formal CCMB process and obtained CCMB
                          approval before their use, the Computer Associates (CA) Unicenter
                          Service Desk (Service Desk),6 HUD’s help desk application, which has
                          been in use since 2007, was not approved by the CCMB.
                         CA Harvest, a software tool for use in the CM of source code and other
                          software development assets, went through multiple pilot tests without
                          prior CCMB approval. Compounding the issue, OCIO’s Office of
                          Enterprise Architecture determined in November 2007 that CA Harvest
                          would not meet user needs and moving to CA Harvest would not be cost
                          effective. However, pilot tests were conducted using CA Harvest over a
                          2-year period, with no request submitted for CCMB review and evaluation
                          of this tool. HUD has demonstrated a history of obtaining CCMB
                          approval for software products before pilot testing, even if the products are
                          ultimately not used.

                 This condition occurred because the OCIO managers did not believe that software
                 products owned and/or tested by its IT support contractors required CCMB
                 approval.

                 The HUD Project Leaders Guide to Preparing Submission for the Configuration
                 Change Management Board states that the purpose of a platform configuration
                 change management process is to ensure that all changes made to HUD’s IT
6
  Service Desk is the help desk application used by HUD’s IT contractor. The purpose of this application is to
provide HUD users with a customer-focused single point of contact for receiving consistent technical support by
promptly and efficiently answering calls and providing personal customer assistance. In addition, it automates
incident, problem, and change management as well as customer surveys.
                                                        9
                   infrastructure and system development platforms take place in accordance with a
                   rational and orderly process. It also states that the most critical elements of the
                   CCMB submission are the sections that provide the explanations as to (1) why a
                   change to the IT infrastructure or systems development platform is necessary, (2)
                   how the product or product version proposed to be added to the platform was
                   selected, and (3) what will be involved in implementing the change. It
                   emphasizes that the explanation for the need for change is very important,
                   particularly if there already is a standard established for the general class of
                   products. It states that the submission should address the functionality required
                   that is not provided by the products currently available in the HUD infrastructure,
                   as well as the criteria used to evaluate products, and the results of the evaluation.
                   It strongly recommends that anyone thinking about proposing a new standard
                   come to the CCMB to request concurrence with the idea that a new standard is
                   needed before investing time and effort in researching products and conducting
                   detailed evaluations.

                   CCMB Classification, approved on May 17, 2006, has defined a pilot lifecycle as
                   “Product/standard to be used in conjunction with technology research efforts only
                   (e.g. testing, pilots).”

                   The HUD SDM, Version 6.06, Requirements Change, states that requirements
                   changes must be approved by the project CCB (Change Control Board)7 before
                   project resources are assigned to implement the change.

                   NIST SP 800-64, Security Considerations in the System Development Life Cycle,
                   states that an effective agency configuration management and control policy and
                   associated procedures are essential to ensure adequate consideration of the
                   potential security impacts due to specific changes to an information system or its
                   surrounding environment. Further, it states that configuration management and
                   control procedures are critical to establishing an initial baseline of hardware,
                   software, and firmware components for the information system and subsequently
                   for controlling and maintaining an accurate inventory of any changes to the
                   system. Changes to the hardware, software, or firmware of a system can have a
                   significant security impact. Documenting information system changes and
                   assessing the potential impact on the security of the system on an ongoing basis is
                   an essential aspect of maintaining the security accreditation.

                   By not consistently following its CCMB approval process and ensuring that all
                   software products are approved for testing and use, HUD increases its risk that
                   products will not meet the needs of its users or the intended purpose of the
                   software and that resources will be unnecessarily expended.




7
    Change Control Board serves as the decision-making body for each program area project.
                                                         10
Conclusion



             OCIO did not ensure that the CCMB review and approval process was
             consistently followed. OCIO managers did not believe that software products
             owned and/or tested by its IT support contractors required CCMB approval.
             Failure to follow the CCMB review process increases HUD’s risk that products
             will not meet the needs of its users or the intended purpose of the software and
             that resources will be unnecessarily expended.



 Recommendations


             We recommend that OCIO

             2A.    Ensure that Service Desk is approved by the CCMB.

             2B.    Ensure that all products selected for the pilot test are approved by the
                    CCMB before conducting the test.

             2C.    Ensure that all products running on the HUD IT network infrastructure
                    have obtained CCMB approval.




                                             11
                        SCOPE AND METHODOLOGY

The review covered the period October 1, 2008, through September 30, 2010. We performed the
audit at HUD headquarters in Washington, DC, from March through November 2010. During
our fiscal year 2009 review of information system security controls in support of the annual
financial statement audit, we identified inconsistencies and weaknesses in the application of CM
policies and procedures at HUD. Consequently, this separate project was initiated to further
develop the details of the deficiencies.

Our review was based on guidance from publications by NIST and HUD’s own SDM and CM
policies and procedures. These publications contain guidance for CM and control. We evaluated
controls over the identification and management of security features for hardware, software, and
firmware components of an information system

To accomplish our objectives, we reviewed CM policies and procedures and discussed
procedures and practices with management and staff personnel responsible for CM.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.




                                               12
                              INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

        Effectiveness and efficiency of operations,
        Reliability of financial reporting, and
        Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.


 Relevant Internal Controls

               We determined that the following internal controls were relevant to our audit
               objectives:
                    Policies, procedures, control systems, and other management tools used
                      for implementation of security and technical controls for HUD’s system
                      security.
                    Policies, procedures, controls, and other management tools implemented
                      to detect, prevent, and resolve security incidents.

               We assessed the relevant controls identified above.

               A deficiency in internal control exists when the design or operation of a control does
               not allow management or employees, in the normal course of performing their
               assigned functions, the reasonable opportunity to prevent, detect, or correct (1)
               impairments to effectiveness or efficiency of operations, (2) misstatements in
               financial or performance information, or (3) violations of laws and regulations on a
               timely basis.

 Significant Deficiency

               Based on our review, we believe that the following item is a significant deficiency:

                  HUD did not consistently perform CM control activities and monitor
                   implementation of required HUD and NIST policies (findings 1 and 2).




                                                 13
                        APPENDIX A


         OCFO’s COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation      Auditee Comments




Comment 1



Comment 2




                            14
                       OIG Evaluation of OCFO’s Comments

Comment 1   OIG agrees with OCFO’s comment and planned corrective action.

Comment 2   OIG agrees with OCFO’s comment and planned corrective action.




                                         15
            CPD’s COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation      Auditee Comments




Comment 1




                            16
                        OIG Evaluation of CPD’s Comments

Comment 1   OIG agrees with CPD’s comment and planned corrective action.




                                          17
          OCIO’s COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation     Auditee Comments




                           18
Ref to OIG Evaluation   Auditee Comments




Comment 1



Comment 2



Comment 3




                         19
                       OIG Evaluation of OCIO’s Comments

Comment 1   OIG agrees with OCIO’s comments.

Comment 2   OIG agrees with OCIO’s comment.

Comment 3   OIG agrees with OCIO’s comment.




                                        20