Issue Date: July 28, 2011
Audit Report Number: 2011-DP-0008

TO: Yolanda Chávez, Deputy Assistant Secretary for Grant Programs, DG
Jerry Williams, Chief Information Officer, Q

//s//
FROM: Hanh Do, Director, Information Systems Audits Division, GAA

SUBJECT: The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information Had Application Security Control Deficiencies

HIGHLIGHTS

What We Audited and Why

We audited the Disaster Recovery Grants Reporting (DRGR) system to determine whether adequate controls were in place to safeguard and accurately track and report $1.93 billion in American Recovery and Reinvestment Act of 2009 (ARRA) funds allocated to the Office of Community Planning and Development’s (CPD) Neighborhood Stabilization Program 2. Specifically, we reviewed the implementation of application controls over business processes, interfaces, and data management systems. The assignment was initiated to address ARRA’s requirement for reporting accurate data. The results will be used to support our annual review of the U.S. Department of Housing and Urban Development’s (HUD) consolidated financial statements.

What We Found

CPD had improved the DRGR system within the last year. Specifically, it had
1. Established policies and procedures for user access requests and completion of user rules of behavior before granting the user access to the system,
2. Updated configuration management plans,
3. Created an application system and user manuals, and
4. Ensured that contractors tested both drawdown controls and computer processes in accordance with regulations.

CPD’s improvements to the DRGR system were beneficial to the overall assurance that the system’s data were properly maintained, safeguarded, and in compliance with Federal regulations. To meet ARRA’s requirements for accurate data, however, further improvements should be made to the DRGR system.
[Redacted]

Management attention is also needed to address application controls over business processes. For example, security management is lacking in the areas of security documentation, vulnerability scans, and contingency plan testing. Also, to ensure that DRGR system data are secure, application security management needs to be effectively implemented.

What We Recommend

[Redacted]

The DRGR system owner needs to coordinate with the Office of the Chief Information Officer (OCIO) to ensure that vulnerability scans are completed, security documentation is updated, and the contingency plan is adequately tested. We also recommend that OCIO ensure that the DRGR system is included in the annual disaster recovery test, as it is a mission-critical application.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3.
Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee’s Response

We requested responses from OCIO and CPD to be received by July 8, 2011. We received written responses to the draft report from OCIO and CPD on July 8, 2011. CPD requested changes to some of OIG’s data elements included in the report and provided overall comments on the DRGR system [Redacted]. OCIO suggested verbiage changes to recommendations for Finding #2. The complete text of OCIO’s and CPD’s responses, along with our evaluation of those responses, can be found in appendix A of this report.

TABLE OF CONTENTS

Background and Objective  5
Results of Audit
  Finding 1: [Redacted]  7
  Finding 2: Weaknesses Existed in the Application Security Management Program of the DRGR System  10
Scope and Methodology  14
Internal Controls  16
Follow-up on Prior Audits  17
Appendixes
  A. Auditee Comments and OIG’s Evaluation  18

BACKGROUND AND OBJECTIVE

Operational since February 1999, the Disaster Recovery Grant Reporting (DRGR) system was developed by the U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development (CPD) for the Disaster Recovery Community Development Block Grant (CDBG) program and other special appropriations. Data from the system are used by HUD staff to review activities funded under these programs and for required quarterly reports to Congress. The system was developed for grantees to identify activities funded under their action plans and amendments, including budgets and performance goals for those activities. To receive funding, these grantees must prepare a citizen participation plan, publish their proposed use of the funds, and submit an action plan to HUD. Once an action plan is submitted and approved, grantees can submit quarterly reports summarizing obligations, expenditures, drawdowns, and accomplishments for all of their activities.

On July 30, 2008, Public Law 110-289, the Housing and Economic Recovery Act of 2008 (HERA), was passed to provide housing reform. HERA designated HUD to distribute $3.92 billion in Federal funds to States and local entities using the CDBG model. (The CDBG model is an entitlement program that distributes funds annually, by formula, to large communities and States as well as smaller communities and Indian reservations.) The HERA funds and distribution are known as the Neighborhood Stabilization Program (NSP) and are meant for the purchase and rehabilitation or development of foreclosed-upon or abandoned homes and residential properties. This program is now referred to as NSP1. Eligible uses include (1) establish financing mechanisms for purchase and redevelopment of foreclosed-upon homes and residential properties; (2) purchase and rehabilitate homes and residential properties that have been abandoned or foreclosed upon to sell, rent, or redevelop such homes and properties; (3) establish land banks [1] for homes that have been foreclosed upon; (4) demolish blighted structures; and (5) redevelop demolished or vacant properties.

The emergency nature of HERA and corresponding statutory timeframes did not give HUD sufficient time to develop a new system or modify an existing system to perfectly fit the program. Therefore, HUD decided to expand the use of the DRGR system application to include NSP1 in 2008. The DRGR system was selected for the program because no other application and reporting system was sufficiently flexible to deal with the alternative requirements. HUD made significant modifications to the system to allow for the reporting of specific activities under NSP1.
The American Recovery and Reinvestment Act of 2009 (ARRA) was passed on February 17, 2009, to provide competitive grant awards to States, units of general local government, and nonprofit organizations for economic recovery from the recession. It revised some of the program rules for NSP1 (HERA) and appropriated an additional $2 billion for NSP to be competitively awarded. This program is now referred to as NSP2. The eligible uses noted for NSP1 were revised as follows: (1) “establish land banks for homes that have been foreclosed upon” was modified by ARRA to read “establish and operate land banks for homes and residential properties that have been foreclosed upon,” and (2) ARRA added a provision to the use “redevelop demolished or vacant properties,” stating that funding used for section 2301(c)(3)(E) of HERA must be available only for the redevelopment of demolished or vacant properties as housing. In addition, ARRA repealed a section of HERA related to reinvestment of profits.

[1] A land bank is a governmental or nongovernmental nonprofit entity established, at least in part, to assemble, temporarily manage, and dispose of vacant land for the purpose of stabilizing neighborhoods and encouraging reuse or redevelopment of urban property (Federal Register Notice 73 FR 58330).

ARRA also authorized the establishment of the NSP Technical Assistance (NSP-TA) program to improve the capacities of NSP grantees and the implementation of their programs. ARRA set aside $50 million of the $2 billion appropriation specifically for this purpose. NSP-TA grants were awarded to States, units of general local government, nonprofit organizations, and other organizations capable of providing technical assistance to the NSP grantees.

On July 21, 2010, Public Law 111-201, the Dodd-Frank Wall Street Reform and Consumer Protection Act, authorized $1 billion in additional funds for NSP. This program is now referred to as NSP3.
NSP3 provides formula grant awards to States and units of local government to undertake eligible activities as provided under HERA. In addition, up to 2 percent of the funds can be made available by HUD for technical assistance grants.

The objective of this review was to assess whether adequate system controls within the DRGR system were in place to safeguard, track, and report on ARRA NSP2 funding. Our review was focused on determining whether the security controls over business processes, interfaces, and data management systems complied with generally accepted auditing principles and the U.S. Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM) elements.

RESULTS OF AUDIT

Finding 1: [Redacted]

[Redacted] CPD was aware that [Redacted] needed improvement; however, due to prioritizing tasks for the system with budgetary and staffing constraints, not all controls had been implemented.
[Redacted]
[Redacted] CPD did not follow industry guidance regarding [Redacted] based on Federal Information Processing Standards Publication 200 (FIPS PUB 200), “Minimum Security Requirements for Federal Information and Information Systems.” [Redacted]

[Redacted] HUD Information Technology Security Policy, 2400.25, REV-2, CHG-1, also states that system owners are responsible for identifying events which require auditing [Redacted]

[Redacted]
[Redacted] The system owner stated that the information technology (IT) budget had been used mainly to address new congressional requirements.

Conclusion

[Redacted]

Recommendations

We recommend that the Office of Community Planning and Development

1A. Modify the DRGR system’s [Redacted]

Finding 2: Weaknesses Existed in the Application Security Management Program of the DRGR System

The DRGR program office’s application security management program had weaknesses.
Specifically, (1) [Redacted]; (2) the DRGR system security documentation had not been updated to reflect current information about the system and its environment; and (3) although the DRGR system had been classified as a mission-critical system, it was not tested during the most recent annual disaster recovery test. These conditions occurred because DRGR program officials, who are responsible for communicating with OCIO to ensure that the security controls of their system are adequate and their system documentation is up to date, did not provide updated information to OCIO. As a result, the necessary security controls may not have been implemented. In addition, since the contingency plan had not been adequately tested, the effectiveness of the plan or the system’s readiness to deal with a potential disaster could not be determined.

[Redacted]

In May 2009, OCIO completed a vulnerability scan analyzing several of the DRGR system’s business processes. [Redacted]

FISCAM states that organizations need to “Implement effective application security management.” Elements of an effective plan include
· “Periodically assess and validate application security risks
· Document and implement application security policies and procedures
· Monitor the effectiveness of the security program
· Effectively remediate information security weaknesses”

The condition described above occurred because the DRGR system owner did not monitor the effectiveness of the security management program [Redacted]. Without effective security management over the application, there could be no reasonable assurance that the application was effectively secure.

The DRGR Program Office Did Not Have Up-to-Date Security Documentation for Its DRGR System

DRGR system security documentation (such as the security plan, risk assessment, and contingency plan) had not been updated for consistency or to address changes to the information system and its environment of operation. For example, the DRGR system’s risk assessment (V6.5.3) showed the application categorized as a high-risk system and not a mission-critical system. However, the DRGR system’s contingency plan (V6.5.3) categorized it as moderate risk and listed it as a mission-critical system. Also, the DRGR system’s security plan (V6.5.3) stated that the system interfaced externally with the Line of Credit Control System (LOCCS) and that the drawdowns created in the DRGR system were reconciled with LOCCS to ensure the accuracy of financial balances. However, the DRGR system owner confirmed that the system did not automatically reconcile with LOCCS; rather, the owner used the reports generated by a third-party software reporting tool to reconcile the DRGR system drawdown data to LOCCS.

NIST SP 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations,” states that organizations should develop a security plan that “is consistent with the organization’s enterprise architecture.” It also states that organizations should “update the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.”

The above condition occurred because the DRGR system owner and its system security officers were not aware of the inconsistency in the system’s security documentation. They explained that this inconsistency was a mistake and stated that they would review and update the documentation.
Without up-to-date system security documentation, risks associated with the DRGR system may not have been properly identified and addressed. Mission-critical and high-risk systems have different security requirements, and if documentation is not current, these requirements will not be enforced.

The DRGR Contingency Plan Had Not Been Adequately Tested

The DRGR system was categorized as a HUD mission-critical system, yet the application was not adequately tested as required by HUD Information Technology Security Policy, 2400.25, REV-2, CHG-1. Contingency plan testing for the DRGR system was conducted in November 2010; however, it was not tested under conditions that simulate a disaster or test the restoration of operations. The security policy stated that “Program Offices/System Owners shall ensure that plans for moderate and high-impact systems are tested/exercised at least annually in compliance with the HUD contingency planning guidance and NIST SP 800-34. [2] Testing should be coordinated with elements responsible for COOP (continuity of operations plan), CIP (critical infrastructure protection) and incident response.” Also, NIST SP 800-34 specifically requires that “each information system component should be tested to confirm the accuracy of individual recovery procedures.” This includes the “restoration of normal operations.”

The DRGR system had not been tested in the HUD disaster recovery test because its system classification had not been updated in the Cyber Security Assessment and Management system (CSAM) [3] to reflect that it is a mission-critical system. OCIO bases the list of systems to be tested for annual disaster recovery on CSAM data, and because DRGR system data were not complete in CSAM, the DRGR system was not tested during the most recent disaster recovery test. OCIO was working with the IT contractor to address contract issues that would allow the DRGR system to be included in the next disaster recovery test.

By not conducting an adequate contingency plan test for the DRGR system, the system owner could not determine the plan’s effectiveness and the organization’s readiness to execute the plan as intended in an emergency situation. Further, without validating one or more of the system components and the operability of the plan, the DRGR system owner would not be able to identify and address the deficiencies in the plan.

[2] NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems”
[3] The CSAM C&A (certification and accreditation) Web originated as the U.S. Department of Justice (DOJ) in-house application supporting the C&A process, plans of action and milestones management, and Federal Information Security Management Act (FISMA) reporting. HUD selected this DOJ shared service center as its FISMA reporting solution.

Conclusion

The DRGR system owner needs to improve its application security management program to fully address Federal guidelines. The DRGR system owner did not update security documentation or adequately test its contingency plan, steps that would allow appropriate risks to be addressed and proper security controls to be implemented.
[redacted] Further, the contingency plan had not been adequately tested to determine whether the plan could be successfully executed in an emergency situation.

Recommendations

We recommend that the Office of Community Planning and Development

2A. [redacted]

2B. Ensure that the DRGR system owner reviews and updates DRGR system security documentation to ensure that it is consistent and to address changes to the information system environment.

2C. Coordinate with HUD OCIO and contractors responsible for the disaster recovery test to perform the contingency plan test on the DRGR system that addresses restoration of normal operations.

We recommend that the Office of the Chief Information Officer

2D. Ensure that the DRGR system’s contingency plan is tested in compliance with the HUD contingency planning guidance and NIST SP 800-34.

SCOPE AND METHODOLOGY

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective(s). We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We performed the audit
· From February through June 2011.
· At HUD headquarters, Washington, DC.

To accomplish our objective, we
· Reviewed CPD’s DRGR system documentation (such as functional requirements, data requirements, system security plan, and risk assessment) to gain an understanding of the system configuration, policies and procedures, and drawdown processes.
· Interviewed CPD management officials and users to understand the DRGR system processes, controls, and risks.
· Obtained computer-processed disbursement data from the HUD Central Accounting Processing System (HUDCAPS) for the period October 1, 2010, through March 31, 2011. We assessed the reporting controls for the DRGR system interface by (1) reviewing existing information about the data and the system that produced the data, (2) comparing data between HUD’s financial reporting application system (HUDCAPS) and the DRGR system, and (3) interviewing agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report.
· Reviewed and assessed the audit and accountability controls for the DRGR system.
· Assessed 77 business user activity features as described in the DRGR Operations Manual and Grantee User Manual. We selected 77 activities from a total of 103 business user activity features that were listed in the manuals. These 77 activities were objectively selected based on most common usability by the audit team [redacted]
· Reviewed DRGR system documentation to obtain a basic understanding of business functions [redacted]
· Determined whether the DRGR system grantees’ reporting methodology complied with Office of Management and Budget guidance.
· Reviewed a subset of NSP2 grantees’ data in the DRGR system and compared it to the data reported in FederalReporting.gov (4) to determine whether the grantees’ reporting data were accurate.
· Reviewed the DRGR system corrective actions for vulnerability scans to determine whether identified risks had been remediated.
· Evaluated applicable controls in the Federal Information System Controls Audit, NIST publications, and HUD’s Information Technology Security Policy, 2400.25, REV-2, CHG-1.

4 FederalReporting.gov is the central nationwide data collection system for Federal Agencies and Recipients of Federal awards under Section 1512 of the Recovery Act. Recipients will access www.FederalReporting.gov in order to fulfill their reporting obligations. Federal Agency and Recipient users will be able to submit reports, view and comment on reports (Federal Agency and Prime Recipient users), and update or correct reports.
INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to
· Effectiveness and efficiency of operations,
· Relevance and reliability of information, and
· Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objective:
· Up-to-date written policies and procedures used for implementation of controls.
· Managerial oversight and monitoring.
· Compliance with Federal requirements.

We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis.

Deficiencies

Based on our review, we believe that the following items are deficiencies:
· [redacted] (finding 1).
· Application security management of the DRGR system had weaknesses (finding 2).
FOLLOW-UP ON PRIOR AUDITS

Review of Selected Controls Within the Disaster Recovery Grant Reporting System - Audit Report 2009-DP-0007

On September 30, 2009, the HUD Office of Inspector General (OIG) audited selected controls within the DRGR system (Audit Report 2009-DP-0007 - Review of Selected Controls Within the Disaster Recovery Grant Reporting System). The audit concluded that (1) access control policies and procedures for the DRGR system violated HUD policy, (2) the system authorization to operate was outdated and based upon inaccurate and untested documentation, (3) CPD did not adequately separate the DRGR system and security administration functions, and (4) CPD had not sufficiently tested interface transactions between the DRGR system and LOCCS. As a result, CPD could not ensure that only authorized users had access to the application, that user access was limited to only the data that were necessary for users to complete their jobs, and that users who no longer required access to the data in the system had their access removed. In addition, the application had been operating under an outdated security certification for 7 months. Although CPD had initiated the authorization process, it was initiated without updated accurate documentation; therefore, results would also be based upon inaccurate information. To address the issues cited, OIG issued recommendations that CPD (1) formalize the user access request process and strengthen access controls; (2) update and correct system documentation and resubmit the revised documentation for security certification and accreditation; (3) separate the duties of system and security administration and reassign the help desk functionality; and (4) work with its contractors to ensure that tests of drawdown controls and transaction processing reports are performed as stated in the functional requirements documentation or, if other controls are used, remove from the system documentation stated controls that are not in use.

CPD continued to address the recommendations through May 2011. Final actions to address the recommendations from this audit were taken, and all of the recommendations were closed as of May 31, 2011.

Appendix A

AUDITEE COMMENTS AND OIG’S EVALUATION

Ref to OIG Evaluation | Auditee Comments

OIG received CPD responses on July 8, 2011 via e-mail.

(Ref: Comment 1) It is important to distinguish which data is critical [redacted] All financial disbursement requests from DRGR for funds to every organization under every HUD approved activity have always been submitted to LOCCS at the grant level, and to be processed the grant banking information must match the Tax Identification Numbers (TINs) from our grantee/grant profiles to get to the bank routing info that is maintained by HUD's CFO staff in Ft. Worth. No HUD or grantee users can modify any banking information in DRGR. If unauthorized users added activities, draws related to them would still go to the grantee bank accounts based on bank routing that is inaccessible from DRGR, and any attempts to access these funds would still have to be done through the grantee's own financial systems. Consequently, DRGR considers draw approvals paramount to tracking data on grantee oversight of money going to each funded organization. As previously explained to the OIG, many DRGR system actions taken by HUD staff and grantees, each draw submission, approvals, rejections, and revision, only occur once each [redacted] Each new action creates a new record with a user and a time stamp.
[redacted]

(Ref: Comment 2) [redacted] Other actions such as DRGR Action Plan and QPR report submission can also be archived [redacted] QPRs are typically only approved once and can only be unapproved by superusers, which are tracked through email requests. CPD already tracks the comments of HUD staff reviews at the QPR level and at the activity level for every quarterly review of grantee such financial, performance, and program compliance issues [redacted] As also discussed, system development work requests already existed before this OIG audit for modifying DRGR [redacted] CPD will use this work request to modify [redacted] key items related to user accounts. Rather than keeping only the latest record, which can be easily archived, [redacted]

However, beyond tracking activity drawdowns and obligation updates in addition to CPD comments at the activity level during every quarterly QPR review, CPD review of official grantee support records for compliance monitoring at the activity level occurs during on-site monitoring. (Ref: Comment 3) Grantee information in DRGR is primarily used to facilitate risk assessments and to help determine the scope of on-site monitoring. HUD already modified DRGR to track every HUD action on grantee records using the grantee simulator under the last OIG DRGR audit. Responsibility for compliance with federal requirements is at the grantee level, and repayment of any noncompliant use of funds is from the grantee. All controlled monitoring communications regarding non-compliance and any potential repayments are directed to grantee managers. CPD does not agree that our goal should be to increase the # of total data elements tracked at the activity level through user, stamp and value changes. (Ref: Comment 4) CPD considers the tracking of excess grantee data elements at the activity level to have no value for audit and monitoring purposes. As explained above, DRGR already tracks key user audit information through archives. CPD already provided a detailed list of items to be modified in existing history tables during the field work portion of this OIG audit. We have spent a great deal of time and money recently tracking user certifications and improving system performance.
Adding excess data elements would degrade system performance and responsiveness and serve no substantive monitoring/audit purpose.

(Ref: Comment 5) [redacted]

(Ref: Comment 5) [redacted]
[redacted]

(Ref: Comment 6) Cause #3 is not accurately stated. CPD and CISO staff conducted a DRGR Contingency Plan test on November 10, 2010 at 10:00 am. DRGR was declared a Mission Critical system October 6, 2010 and was updated as Mission Critical in CSAM, but did not get updated in HUD’s Inventory of Automated Systems (IAS). The HUD IT contract for FY 2011 was already underway and DRGR did not get included in the scope of systems to be tested during the spring 2011 Disaster Recovery Testing.

Office of Community Planning and Development:

CPD Response to Recommendation #1: [redacted]

(Ref: Comment 7) [redacted] CPD plans are to conduct the next DRGR Vulnerability Scan in July 2011, immediately following the next scheduled application release. As part of that process, the system owner and information system security officer and IT operations will verify that all information security weaknesses identified in the 2009 DRGR scan have been remediated and will ensure that any newly identified weaknesses as a result of the scan are mitigated.

CPD Response to Recommendation #2: (Ref: Comment 8) The DRGR system owner and its system security officers have updated the DRGR security documentation to consistently reflect DRGR’s status as mission critical and security categorization moderate in each document. The Contractor is currently in the process of producing annual security documentation updates. CPD will ensure that the content of all future security documentation is consistent and reflects DRGR’s current condition and status.

CPD Response to Recommendation #3: (Ref: Comment 9) DRGR was declared a Mission Critical system in October 2010 and was updated as Mission Critical in CSAM. The system was not updated as mission critical in HUD’s Inventory of Automated Systems (IAS). Even so, the HUD IT contract for FY 2011 was already underway and did not foresee to include DRGR in the scope of the Disaster Recovery Testing. CPD coordinated with OCIO/Chief Information Security Officer (CISO) staff in October 2010 and arranged to have CISO staff conduct a DRGR Contingency Plan test on November 10, 2010 at 10:00 am. CPD will continue to coordinate with HUD OCIO and responsible contractors to conduct the contingency plan test on DRGR. CPD will also ensure that HUD OCIO and responsible contractors include DRGR when performing DR tests.

U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
WASHINGTON, DC 20410-3000
CHIEF INFORMATION OFFICER

MEMORANDUM FOR: Hanh Do, Director, Information System Audit Division, GAA
FROM: Jerry E. Williams, Chief Information Officer, Q
SUBJECT: Draft Audit Report – The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information had Application Security Control Deficiencies

This memorandum is in response to your June 29, 2011 draft audit report entitled, “The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information had Application Security Control Deficiencies.” The Office of the Chief Information Officer (OCIO) has carefully reviewed the report and is providing comments on the report and its recommendations. The attachment lists the recommendations issued by the Office of the Inspector General and OCIO’s response to the recommendations. Once the final report is issued, we will then be able to provide you with a definitive timeline and estimated completion date. We look forward to working with you and your staff to resolve and close out the recommendations. Should you have any questions or need additional information, please contact Joyce M. Little, Director, Office of Investment Strategies Policy and Management, at 202-402-7404.

Attachment(s)

Office of the Chief Information Officer (OCIO) Draft Report Management Comments for OIG’s Consideration

Reference: Page 13, Rec. 2A (Ref: Comment 10)
Request the OIG revise the recommendation by deleting “IT operations” and replacing with “OCIO”.
Reference: Page 13, Rec. 2C (Ref: Comment 11)
Request the OIG delete the recommendation in its entirety and replace with “Coordinate with the HUD OCIO to provide HUD Disaster Recovery Plan for Service Continuity and Availability Management (DRPSCAM) support for the DRGR system.”

Reference: Page 13, Rec. 2D (Ref: Comment 11)
Request the OIG delete the recommendation in its entirety and replace with “Ensure the DRGR system has HUD Disaster Recovery Plan for Service Continuity and Availability Management (DRPSCAM) support.”

OIG Evaluation of Auditee Comments

Comment 1 CPD states that grantee users cannot modify banking information in DRGR; however, this type of information was not reviewed in the scope of our audit. [redacted]

Comment 2 After receiving documentation from the auditee prior to issuance of the draft report, OIG removed the following elements from the draft report: 1) create draws, 2) approve draws, 3) approve vouchers over threshold, and 4) approve quarterly performance reports.

Comment 3 OIG disagrees that HUD has already modified DRGR to track every HUD action on grantee records. [redacted]

Comment 4 OIG agrees with CPD that not all data elements need to be tracked. OIG has modified the draft report to reflect CPD comments received on specific data elements needed and not needed. The data elements that are listed in this report would serve monitoring and audit purposes in the event of a security violation.

Comment 5 After receiving documentation from the auditee prior to issuance of the draft report, OIG removed data elements from the draft report. [redacted]

Comment 6 The auditee is referring to “Cause #3” as written in the Notification of Findings and Recommendations that were provided on June 14, 2011. OIG disagrees that the cause is not accurately stated. On page 12 in the audit report, OIG states the cause occurred because system information was not entered into CSAM. CPD states that the system was not updated in IAS. OIG received confirmation from OCIO that information was not completely entered into CSAM. As a result, the cause will remain unchanged in the report.

Comment 7 The auditee is referring to “Recommendation #1” as written in the Notification of Findings and Recommendations that were provided on June 14, 2011. This comment refers to recommendation 2A in the audit report. We acknowledge CPD’s response and are encouraged by their stated plan to address recommendation 2A.

Comment 8 The auditee is referring to “Recommendation #2” as written in the Notification of Findings and Recommendations that were provided on June 14, 2011. This comment refers to recommendation 2B in the audit report. We acknowledge CPD’s response and are encouraged by their stated plan to address recommendation 2B.

Comment 9 The auditee is referring to “Recommendation #3” as written in the Notification of Findings and Recommendations that were provided on June 14, 2011. This comment refers to recommendation 2C in the audit report. We acknowledge CPD’s response and are encouraged by their stated plan to address recommendation 2C.

Comment 10 OIG agrees to revise the recommendation based on OCIO comments.

Comment 11 OIG cannot revise the recommendation as suggested by OCIO. We did not review the HUD Disaster Recovery Plan for Service Continuity and Availability Management support for DRGR, as it was not in the scope of our review. The plan was only mentioned after audit fieldwork was completed. We cannot determine whether the disaster test for DRGR will be included in the plan and how the test will be conducted for this mission critical system. As a result, the recommendation will remain unchanged in the report.
The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information Had Application Security Control Deficiencies
Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-07-28.