oversight

The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information Had Application Security Control Deficiencies

Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-07-28.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                      Issue Date
                                                              July 28, 2011
                                                      Audit Report Number
                                                                   2011-DP-0008




TO:         Yolanda Chávez, Deputy Assistant Secretary for Grant Programs, DG
            Jerry Williams, Chief Information Officer, Q

            //s//
FROM:       Hanh Do, Director, Information Systems Audits Division, GAA

SUBJECT: The Disaster Recovery Grant Reporting System that Maintained Recovery Act
         Information Had Application Security Control Deficiencies



                                   HIGHLIGHTS

 What We Audited and Why


             We audited the Disaster Recovery Grants Reporting (DRGR) system to determine
             whether adequate controls were in place to safeguard and accurately track and
             report $1.93 billion in American Recovery and Reinvestment Act of 2009
             (ARRA) funds allocated to the Office of Community Planning and
             Development’s (CPD) Neighborhood Stabilization Program 2. Specifically, we
             reviewed the implementation of application controls over business processes,
             interfaces, and data management systems. The assignment was initiated to
             address ARRA’s requirement for reporting accurate data. The results will be used
             to support our annual review of the U.S. Department of Housing and Urban
             Development’s (HUD) consolidated financial statements.


 What We Found


             CPD had improved the DRGR system within the last year. Specifically, it had
                    1. Established policies and procedures for user access requests and completion
                       of user rules of behavior before granting the user access to the system,
                    2. Updated configuration management plans,
                    3. Created an application system and user manuals, and
                    4. Ensured that contractors tested both drawdown controls and computer
                       processes in accordance with regulations.

            CPD’s improvements to the DRGR system were beneficial to the overall
            assurance that the system’s data were properly maintained, safeguarded, and in
            compliance with Federal regulations. In order for HUD to address ARRA
            requirements for accurate data requirements, improvements should be made to the
            DRGR system. '''''''''''''''''''''''''' '''''' ''''''''''''''' '''''''''''''''' ''''''' ''''''' '''''''''''''''' ''''''''''''''''''''' '''''''''''
            ''''''''''''''''''' '''''''''''''''''''''''''''' '''''' ''''''''''''''''''''''''' '''''''''''' '''''''''''''''''' ''''''''''''''''''''''''' '''''''''''' ''''''''''''''''' ''''
            ''''''''''''''''' ''''' '''''''''''''''' ''''''''' ''''''''''' '''''' ''''''''''' ''''''''''''''''''''''''''' ''''''' ''''''''''' ''''''''''''''''''''

            Management attention is also needed to address application controls over business
            processes. For example, security management is lacking in the areas of security
            documentation, vulnerability scans, and contingency plan testing. Also, to ensure
            that DRGR system data are secure, application security management needs to be
            effectively implemented.


What We Recommend

            '''''''' ''''''''''''''''''''''''''''' '''''''' '''''''''''' ''''''''''''''' ''''''' ''''''''''''''''' ''''''''''''''''' ''''' ''''''''''''''''''' ''''''' '''''''''''' '''''
            '''''' '''''''''''' '''''''''''''''' ''''''''''''''''''''''''' ''''' ''''''''' ''''''''''' ''''''''''''''''''''''''''' ''''''' ''''''''''' ''''''''''''''''''''' ''''''''''''''
            ''''''''''' ''''''' ''''''''''''''''''' ''''''''''''''''''''''''''''' ''''' '''''''''' ''''''''''''''''' '''''''''' '''' '''''''''''''''''' '''''''''''''''''''''''''''' '''''''
            ''''''''''''''''' '''''''''''' '''''''''''' the DRGR system owner needs to coordinate with the Office
            of the Chief Information Officer (OCIO) to ensure that vulnerability scans are
            completed, security documentation is updated, and the contingency plan is
            adequately tested.

            We also recommend that OCIO ensure that the DRGR system is included in the
            annual disaster recovery test as it is a mission-critical application.

            For each recommendation without a management decision, please respond and
            provide status reports in accordance with HUD Handbook 2000.06, REV-3.
            Please furnish us copies of any correspondence or directives issued because of the
            audit.




Auditee’s Response


                                                                                   2
We requested responses from OCIO and CPD to be received by July 8, 2011. We
received written responses to the draft report from OCIO and CPD on July 8,
2011.

CPD requested changes to some of OIG’s data elements included in the report and
provided overall comments on the DRGR system ''''''''''''' ''''''''''''''''' '''''''''''''''''''''. OCIO
suggested verbiage changes to recommendations for Finding #2. The complete
text of OCIO’s and CPD’s response, along with our evaluation of that response,
can be found in appendix A of this report.




                                         3
                                                   TABLE OF CONTENTS

Background and Objective                                                                                                                            5

Results of Audit

      Finding 1: '''''''''''''' ''''''''''''''''''' '''' '''''''' '''''''''''''''' '''''''''''''''''' '''''''''' ''''''''' ''''''''''''''''''''''   7
      Finding 2: Weaknesses Existed in the Application Security Management                                                                          10
      Program of the DRGR System

Scope and Methodology                                                                                                                               14

Internal Controls                                                                                                                                   16

Follow-up on Prior Audits                                                                                                                           17

Appendixes
  A. Auditee Comments and OIG’s Evaluation                                                                                                          18




                                                                                     4
                          BACKGROUND AND OBJECTIVE

Operational since February 1999, the Disaster Recovery Grant Reporting (DRGR) system was
developed by the U.S. Department of Housing and Urban Development’s (HUD) Office of
Community Planning and Development (CPD) for the Disaster Recovery Community
Development Block Grant (CDBG) program and other special appropriations. Data from the
system are used by HUD staff to review activities funded under these programs and for required
quarterly reports to Congress. The system was developed for grantees to identify activities
funded under their action plans and amendments, to include budgets and performance goals for
those activities. To receive funding, these grantees must prepare a citizen participation plan,
publish their proposed use of the funds, and submit an action plan to HUD. Once an action plan
is submitted and approved, grantees can submit quarterly reports summarizing obligation,
expenditures, drawdowns, and accomplishments for all of their activities.

On July 30, 2008, Public Law 110-289, the Housing and Economic Recovery Act of 2008
(HERA), was passed to provide housing reform. HERA designated HUD to distribute $3.92
billion in Federal funds to States and local entities using the CDBG model. (The CDBG model
is an entitlement program that distributes funds annually, by formula, to large communities and
States as well as smaller communities and Indian reservations.) The HERA funds and
distribution are known as the Neighborhood Stabilization Program (NSP) and are meant for the
purchase and rehabilitation or development of foreclosed-upon or abandoned homes and
residential properties. This program is now referred to as NSP1. Eligible uses include (1)
establish financing mechanisms for purchase and redevelopment of foreclosed-upon homes and
residential properties; (2) purchase and rehabilitate homes and residential properties that have
been abandoned or foreclosed upon to sell, rent, or redevelop such homes and properties; (3)
establish land banks 1 for homes that have been foreclosed upon; (4) demolish blighted structures;
and (5) redevelop demolished or vacant properties.

The emergency nature of HERA and corresponding statutory timeframes did not give HUD
sufficient time to develop a new system or modify an existing system to perfectly fit the
program. Therefore, HUD decided to expand the use of the DRGR system application to include
NSP1 in 2008. The DRGR system was selected for the program because no other application
and reporting system was sufficiently flexible to deal with the alternative requirements. HUD
made significant modifications to the system to allow for the reporting of specific activities
under NSP1.

The American Recovery and Reinvestment Act of 2009 (ARRA) was passed on February 17,
2009, to provide competitive grant awards to States, units of general local government, and
nonprofit organizations for economic recovery from the recession. It revised some of the
program rules for NSP1 (HERA) and appropriated an additional $2 billion for NSP to be
competitively awarded. This program is now referred to as NSP2. The eligible uses noted for
NSP1 were revised as follows: (1) “establish land banks for homes that have been foreclosed
1
  A land bank is a governmental or nongovernmental nonprofit entity established, at least in part, to assemble,
temporarily manage, and dispose of vacant land for the purpose of stabilizing neighborhoods and encouraging reuse
or redevelopment of urban property ( Federal Register Notice 73 FR 58330).


                                                        5
upon” was modified by ARRA to read “establish and operate land banks for homes and
residential properties that have been foreclosed upon,” and (2) ARRA added a provision to the
use “redevelop demolished or vacant properties,” stating that funding used for section
2301(c)(3)(E) of HERA must be available only for the redevelopment of demolished or vacant
properties as housing. In addition, ARRA repealed a section of HERA related to reinvestment of
profits. ARRA also authorized the establishment of the NSP Technical Assistance (NSP-TA)
program to improve the capacities of NSP grantees and the implementation of their programs.
ARRA set aside $50 million of the $2 billion appropriation specifically for this purpose. NSP-
TA grants were awarded to States, units of general local government, nonprofit organizations,
and other organizations capable of providing technical assistance to the NSP grantees.

On July 21, 2010, Public Law 111-201, the Dodd-Frank Wall Street Reform and Consumer
Protection Act, authorized $1 billion in additional funds for NSP. This program is now referred
to as NSP3. NSP3 provides formula grant awards to States and units of local government to
undertake eligible activities as provided under HERA. In addition, up to 2 percent of the funds
can be made available by HUD for technical assistance grants.

The objective of this review was to assess whether adequate system controls within the DRGR
system were in place to safeguard, track, and report on ARRA NSP2 funding. Our review was
focused on determining whether the security controls over business processes, interfaces, and
data management systems, complied with generally accepted auditing principles and the U.S.
Government Accountability Office’s Federal Information System Controls Audit Manual
(FISCAM) elements.




                                               6
                                                                            RESULTS OF AUDIT

Finding 1: ''''''''''''''' ''''''''''''''''''' ''''' ''''''' ''''''''''''''' ''''''''''''''''' ''''''''''' '''''''' ''''''''''''''''''''''''
'''''''''' '''''''''''''''''' '''''''''''''''' '''''''' '''''''' '''''''''''''''''''' ''''''''''''''''''''' '''''''''''''''''''''' ''''''''' '''''''''''''''' ''''''''''''''''''''''''''' ''''' '''''''''''''''''''''' ''''''''''''
''''''''''''''''''''' ''''''''''''''' ''''''''' '''''''''''''''''''' ''''''''' ''''''''''' '''''''' '''''''''''' ''''''''''''''''' ''''''''''''' CPD was aware that '''''''''''' ''''''''''''''''''
needed improvement; however, due to prioritizing tasks for the system with budgetary and staffing
constraints, not all controls had been implemented. ''''' ''''''' ''''''''''''''''' ''''''''''''''''' '''' ''''''' ''''''''''''''''' ''''' '''''''''''''''
'''''''''''''''''''''' ''''''''''' ''''''''''''''''' ''''''''''''''''''''''''''''' ''''''''''''' '''''''''' ''''''' ''''' '''''''''' ''''''''''''''''''''''''' ''''''' '''''''''' ''''''''''''''' ''''''''''''''
'''''''''''''''''''''' '''''' ''''''''''''''''' ''''''''' '''''''''''''''''''''''''''' ''''''''' ''''''' '''''' ''''''''''''''''''' ''''' '''''''''''''''''' ''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''''
'''''' ''''''''''''''''' ''''''''''''''''''''''



   '''''' '''''''''' '''''''''''' '''''' '''''
   ''''''''' ''''''''''''''' ''''''''''''''''
   '''''''' '''''''''''' '''''''


                          '''''''''' '''''''''''''''' '''''''''''''''' '''''''''''''''''''' ''''''' '''''''' ''''''''' ''''''''' ''''''''''' ''''' ''''' ''''''''''''''''' ''''''' ''''' '''''''''''''''' '''''''''
                          ''''' '''''''' ''''' ''''''' ''''''''''''''''' ''''''''' ''''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''''' '''''''' '''''''''' '''''''' '''''''''' ''''''''''''''''''''''''''
                          ''''''''' ''''''' ''''''''''''''''''''''' '''''''' ''''''''' ''''''''''''''''''''''''''''' ''''''''''' ''''''''' ''' ''''''''' '''''''''''' '''''''''''''''''
                          ''''''''''''''''''''''''''''''''' ''''''' ''' '''''''''''''' ''''''''''''' '''''''''''''' ''''''' ''''' ''''''''' ''''''''''''''''''''''''''' '''''' '''''''''''' ''''''''''''''''''
                          '''''''''''''' '''''''''''' '''''''' ''''''''''''''''''' '''''''''''' ''''''''''''' ''''''''' ''''' '''''''''''''''''''''' ''''''''''''''''' ''''''''''''''''''' '''' ''''''''''''''''
                          ''''' '''''''''''''''' '''''''''''' '''''''''''''''' ''''''''''''''''''''''''''' ''''''' ''''''' ''''''''''''''''''''''''

                                  '''''''''''''''''''' '''''''''''''''' '''''''''''' ''''' '''''''''''''''
                                  ''''''''''''''''' ''''''''''''''''''' '''''''''''' ''''''''''''''
                                  ''''''''''''''''''''''''''''''' '''''' ''''''''''''''' '''''''''''''''''''''
                                     ''''''''''''
                                  '''''''''''''''''' '''''''' ''''''' '''''''''''''''''''' ''''' ''''''''''''''
                                     '''''''''''''' ''''''''
                                  ''''''''''''''' '''''''''' '''''''''''''''''''''' ''''''''' '''''''' ''''''''
                                     ''''''''''' '''''''' ''''''''''''''''''''''''''

                          '''''' '''''''''''''''' ''''''' ''''' ''''''''' ''''' ''''''' '''''''''''''''' '''''''''''''''''''''' '''''''''''''''''' ''''''''' '''''''''''''''' ''''''''''''' ''''' '''''''''''''''''
                          ''''''''''''''''''''' '''''' ''''''''''''''''''''' '''''''' '''''''''''' '''''''''''''' '''''''' '''''''''''''''''''''''' '''''''''''''''''' ''''''''''''''''''''' '''''''''''''''''''''''
                          '''''''''' ''''''''' '''''''''''''''''''''''''' '''''''' ''''''''''''''''''''

                          ''''''''''''''''''''''''''''''' '''''''''''''' ''''''''' ''''''''''' ''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''' '''''''' '''''' ''''''''''''''''''''''''
                                  '''''''''''''''''' '''''''''''''''' '''''''''''''''''''''

                                           '''''''''''''''''''''' '''''''''''''''''' '''''''''''' '''' '''''''''''''
                                              ''


                                                                                                                7
                '''''''''''''''''''' '''''''''''''' '''''''''''''''''' ''''''''''''
                '''''''''''''''''' ''''''''' ''''''''''''''' '''''''''''''''''''
                '''''''''''''''''''' '''''''' ''''''''''''''' '''''''''''''' ''''''''''''
                   '''
                ''''''''''''''''''''' ''''''''' ''''''''''''''' ''''''''''''''''''''' '''
                   ''''' '''''''''''''''''''''''
                ''''''''''''''''''' '''''''' '''''''''''''''''' '''''''''''' '''''''' '''
                   '''''''''''''''''' ''''''''''''''''''''''' '''''''''''''''' ''''''''
                ''''''''''''''''''''' ''''''''' ''''''''''''''''' ''''''''''''''''''''' '
                   '''''''''''''''''''''''''' '''''''''''''''

''''''''''''''''''''''''''''''' ''''''''''''''''' '''''''' '''''''''''' ''''''''''''''''''' ''''''''''''''''''''''''''' '''''''''''''''' '''''' '''''''' '''''''''''''''''''''
        '''''''''''''' '''''''''' ''''''''''''''' '''''''''''''''''''''''

                ''''''''''''''''''''' ''''''''' ''''''''''''''''' ''''''''' '''''''''''''
                   '''''''''''
                '''''''''''''''''' '''''''' '''''''''''''''' '''''''''''' '''''''' ''''''
                   '''''''''' ''''''''''''''''''
                '''''''''''''''''' ''''''''' '''''''''''''''' '''''''''''''''''''''
                '''''''''''''''''' '''''''''''''''''''' '''''''''''' '''''''''''''''''
                '''''''''''''''''''''' ''''''''''''''''' ''''''''''''''''''''''''''''' ''
                   '''''''''''''
                '''''''''''''''''''''' '''''''''' '''''''''''''''''''''''''
                ''''''''''''''''''' ''''''''''''''''''' '''''''''' ''''''''''''''''''''''
                   '''''''''' ''''''''
                '''''''''''''''''''''' '''''''''''''''' '''''''''''''''''''''''''''' ''''
                   '''''''''''''

        CPD did not follow industry guidance regarding ''''''''''' '''''''''''''''''' ''''''''''''''''''''''''' based
        on Federal Information Processing Standards Publication 200 (FIPS PUB 200),
        “Minimum Security Requirements for Federal Information and Information
        Systems.” ''''''''' '''''''''''''''''''''''' '''''''''''''''''''''' '''''''' ''''''''''''''''''''' ''''''' '''''''''''''''''''''''''''''' ''''' ''''''''''''''''''''
        ''''''''''''''''' ''''''''' ''''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''' ''''''''''''' ''''''''''''''''' ''''' '''''''' ''''''''''''''' '''''''''''''''''' '''''
        '''''''''''''' '''''''' '''''''''''''''''''''''''' ''''''''''''''''''''''' ''''''''''''''''''''''''''''''' '''''''''' '''''''''''''''''''' ''''' '''''''''''''''''''
        ''''''''''''''''''''''''''''' ''''' ''''''''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''' '''''''''''''''''' ''''''''' ''''' ''''''''''''''''' ''''''''''
        ''''''' ''''''''''''''''' ''''' ''''''''''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''''' '''''''''''' ''''''''' '''''' '''''''''''''''''' '''''''''''''''' '''''
        '''''''''''' '''''''''''''' '''''' '''''''''' '''''''''' ''''''' ''''''''''' '''''''''''''''''''''''''''''' ''''''' '''''''''''' '''''''''''''''''''' '''''''''' '''''''''''''''
        '''''''''''''''' ''''''''''''''''''''''' '''''''' ''''''''''' '''''''' ''''''''''' ''''' ''''''''''''''''' ''''''''''''''''''''''' ''''''''' '''''''''''''' ''''''''''
        '''''''''''' '''''''''''''''''''''''' '''''''''' '''''''' '''''''''' ''''''''''''''''' ''''''''' '''''''''''''''''''''''' '''''''''' ''''''''''''''''' ''''''''''''''
        '''''''''''''' ''''''''''' ''''''''''''' ''''''''''''''''''''''''''' ''''''''''' '''''''''''''''''' '''''''''''''' ''''''' ''''''' ''''''''''''' '''''' '''''''''''''''''' '''''
        '''''''''''' '''''''''' '''''''''''

        HUD Information Technology Security Policy, 2400.25, REV-2, CHG-1, also
        states that system owners are responsible for identifying events which require
        auditing ''''' '''''''''''''''' ''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''' '''''''''' ''''''' ''''''''''''''''' '''''''''''''''''


                                                                                8
                    ''''''''''''''''''''''''''' ''''''' '''''''''''''''' '''''''''''''' '''''''''''''''' ''''''' '''''' '''''''''' ''''' '''''''''''' '''''''''''''''''''
                    ''''''''''''''''''''''''''''' ''''''''' '''''''''''''' ''''''''''''''' ''''''''''''''''' '''''''''''''''


'''''''' '''''' ''''' ''''''''''''' ''''''''
'''''''''''''' ''' '''''' ''''''''' ''''''''''
''''''' '''''''''''' ''' ''''' ''''''''''''



                    '''''''''' '''''''''''''' ''''''''''''''''''''' '''''''''''''''''''' '''''''''''''''''''' ''''''''''''' '''''''' '''''''' ''''''''''''''' '''''''''''''''' '''''''''''
                    ''''''''''''''''' '''' '''''''' '''''''''''''''' ''''''''' '''''''''''''''''' ''''' '''''''' ''''''''''''''''' ''''''' '''''''' ''''''''''''''' '''''''''''''''
                    ''''''''''''''''' ''''' '''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''' '''''''' '''''''''''''''''' ''''''''''''' ''''''''''''''''''' ''''''''''''' '''''''''''''''
                    ''''' ''''''''''' ''''''''''''''''' ''''''''''''''''' ''''''''' '''''''''''''''' ''''''''''''''' '''''''''''''''' '''''''''' ''''''''''''''''''' '''''''''''''''''''''
                    ''''''''''''' ''''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''' '''''''''''''''''''''' '''''''''''''''''''''' ''''''''' ''''' ''''''''''''''''''''''''' ''''''''
                    '''''''''''''''''' ''''''''''''''''''''''''' '''''''' ''''' ''''' '''''''''''''' '''''''''''''''''''''' '''''''''''' '''''' ''''''''''''''''''''''''''
                    ''''''''''''''''''''''''''''''' The system owner stated that the information technology (IT)
                    budget had been used mainly to address new congressional requirements.

 Conclusion

                    ''''''''''' '''''''''''''' ''''' '''''''''''''''''''' '''''' '''''''''''' ''''''''''''''''' ''''''''''''''''''''''''''' ''''' '''''''''' '''''''''''''''''''''''' '''''''''''''
                    ''''''''''''''''''''''''''''' '''''' '''''''''' '''''''''''''''''' '''''''''''' '''''''''' ''''''''''''''''' ''''''' '''''''''''''''''''' '''' ''''''''' ''''''''
                    ''''''''''''''''''' ''''' ''''''''''''''''' '''''''''' ''''''''''' '''''''''''''''''' ''''' ''''''''''''''''' '''''''''''''''''' ''''''''''''''''''''''' '''''''''''''
                    ''''''''''''' ''''''''''''''' '''''''''' ''''''''''''''' '''''''''''''''''''' ''''' '''''''''''''''''''' ''''' '''''''''''' '''''''''''''''''' ''''' '''''''''''
                    '''''''''''''''''''''''''''''' ''''''''''''''''''''''' ''''''''''''' '''''''''' '''''''''''''''''''''''''' ''''''''''''''''' '''''''''''''''''''''''''' ''''' '''''''''''' '''''
                    ''''''''''''' '''''''''''''''''''' '''''''''''''''''''' '''''''''''''''''''''''' '''''''''' '''''''''''''' '''''' '''''''''''''''''''' ''''' '''''''''''''''''''''''''''''''''
                    '''''''''''' ''''''''''''''''''' '''''''''''''''''' '''''''''''''''''' '''''''''''''''''''''''''' '''''''''' ''''''' ''''''''''''''''''''''' ''''' ''''''''''''''''''' '''''''
                    '''''''''''''''''''''''''''''''''' ''''' '''''''''''''''' ''''''''' ''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''' ''''' '''''''''''''''''''' '''''''''''''''''''
                    ''''' ''''''''''''''''''''' '''''' ''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''' '''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''''
                    ''''''''''''''''' ''''''''' '''''''''''''''''''' '''''''''''''''''''''''''''''


 Recommendations

                    We recommend that the Office of Community Planning and Development

                    1A. Modify the DRGR system’s '''''''''''' ''''''''''''''''''' '''''''''''''''''''''''''' ''''' '''''''''''''''' ''''''''
                        ''''''''''''''''''''''' ''''''''''''''''''''''''''''' '''''''' '''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''' ''''' '''''''''''''''''''
                        '''''''''''''''''''' ''''''' ''''''''''''''''''''''''' '''''''''''' '''''''''''''''' '''' '''''''''''''''''''''''''''''''' ''''''' '''''''''''''' '''''''''
                        '''''''''''''''''''' '''''''''''''' '''''''''''''''''''''' ''''''''''''''''''' ''''''''''''''''''''''''''' '''''''''''' '''''''''''''''''''' ''''''''''''''''' ''''''''''
                        '''''''''''''''''''''''' '''''''''''''' ''''''''''''''''''''''''''''''''' '''''''''''''''''' '''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''
                        '''''''''''''''''''''' '''''''' '''''''''''''''''''''''''''''''' '''''''''' '''''''''''''''''''''''''' '''''''''''''''''''''




                                                                                            9
Finding 2: Weaknesses Existed in the Application Security
Management Program of the DRGR System
The DRGR program office’s application security management program had weaknesses.
Specifically'' '''''' '''''''''''''''''' '''''''''''' ''''''''''' ''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''''''''''''''' '''''''''''''''''''''' '''''''''''''''''''''''' '''''' '''''''
''''''''''''''' ''''' '''''' '''''''''''' ''''''''''''''''''''''''''' '''''''''''''''' ''''''''''''''''''' '''''''' ''''''''''''''''''''''''''''' ''''''''''''''' '''''''''''' '''''''''''''''''''''''''' ''''''''''''''''''''''
'''''' ''''''''''''''' ''''''''''''''''' '''''''''''''''' '''''''' ''''''' '''''''''''''''''' ''''''''''''''''' ''''''''''' '''''''''''''''' ''''''''' ''''''''''' ''''''''''''''''''''''''''''' ''''''''' '''''''''''''''''''''
''''''''''''''''''''' ''''''''''''' (2) the DRGR system security documentation had not been updated to reflect
current information about the system and its environment; and (3) although the DRGR system had
been classified as a mission-critical system, it was not tested during the most recent annual disaster
recovery test. These conditions occurred because DRGR program officials are responsible for
communicating with the OCIO to ensure that security controls of their system are adequate and their
system documentation is up to date, however they did not provide updated information to OCIO.
As a result, the necessary security controls may not have been implemented. In addition, since the
contingency plan had not been adequately tested the effectiveness of the plan or the system’s
readiness to deal with a potential disaster could not be determined.



   '''''' '''''''''''' '''''''''''' ''''''''''
   ''''''' ''''' ''''''''''''' '''''''''''''''
   ''''''''''''''''''''' '''''''''''' ''''''''
   '''''''''''''''''''' ''''''''''''''' ''''''''''''
   ''''''''' ''''''''''''''


                         In May 2009, OCIO completed a vulnerability scan analyzing several of the DRGR
                         system’s business processes. '''''''''''''''' ''''''''''' ''''''''''' '''''''''''''''''''''' ''''''''''''''''' '''''''' ''''''''''' ''''''''
                         ''''''''''''' '''''''' ''''' ''''' ''''''''''''''''''''''' '''''''''' '''''''''''''''''''' ''''''''''''''''' '''' '''''''''''''''' '''''''' ''''''''''''' ''''''''''''''''''''' '''''''
                         ''''''''''''''''''''''' ''''''''''''''' ''''''''' '''''''' ''''''''''''''''''' ''''''''''''''''''' '''''''''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''''''''' ''''' ''''''''
                         ''''''''''''' '''''''' '''''''''' '''''''''''''''''' '''''''''''''''''''''''''' '''''''' '''''''''''''''''' ''''''''''''''''' ''''''''''''' '''''''' '''''''' ''''''''''''''''''''''''
                         ''''''''' '''''''''''''' '''' '''''''''''''''''' '' '''''''''''''''''''''' '''''''''''''''''''''''''''''' ''''''''' '''' '''''''''''''''''''''' ''''''''''''''''''' ''''''''''''''''''''''
                         ''''''''''''''''' '''''''''''''''''''''''''' '''''''''''' '''''''''''' '''''''''''''''''''''''

                         FISCAM states that organizations need to “Implement effective application security
                         management.” Elements of an effective plan include

                                  ·                “Periodically assess and validate application security risks
                                  ·                Document and implement application security policies and procedures
                                  ·                Monitor the effectiveness of the security program
                                  ·                Effectively remediate information security weaknesses”

                         The condition described above occurred because the DRGR system owner did not
                         monitor the effectiveness of the security management program '''''' ''''''''''''''''''''''''''''' '''''''''''''
                         ''''''''' '''''''''''''''''' ''''''' ''''''''''''''''' ''''''''''''' ''''''''' '''''''''''''''' ''''''''''''' '''''''''''''''''''' '''''''' ''''''''''''''''''''''''''' ''''''''''''''''


                                                                                                             10
      ''''''''' ''''''''''' '''''''''''''' '''''' ''''''' ''''''''''''''''''''''''' ''''''''''''' '''''''''''''''''''''''' ''''''''' ''''''''''''''''''''' ''''''' ''''''' '''''''''''''''''''
      ''''' ''''''''''''''''''''''''' '''''''''''''''''''''''''''''' '''''''''''''

      Without effective security management over the application, the DRGR system could
      not obtain reasonable assurance that the application was effectively secure.

The DRGR Program Office Did
Not Have Up-to-Date Security
Documentation for Its DRGR
System


      DRGR system security documentation (such as the security plan, risk assessment, and
      contingency plan) had not been updated for consistency and to address changes to the
      information system and its environment of operation. For example, the DRGR
      system’s risk assessment (V6.5.3) showed the application categorized as a high-risk
      system and not a mission-critical system. However, the DRGR system’s contingency
      plan (V6.5.3) categorized it as moderate risk and listed it as a mission-critical system.
      Also, the DRGR system’s security plan (V6.5.3) stated that the system interfaced
      externally with the Line of Credit Control System (LOCCS) and the drawdowns
      created in the DRGR system were reconciled with LOCCS to ensure accuracy of
      financial balances. However, the DRGR system owner confirmed that the system did
      not automatically reconcile with LOCCS; rather, the owner used the reports generated
      by a third-party software reporting tool to reconcile the DRGR system drawdown data
      to LOCCS.

      NIST SP 800-53, Revision 3, “Recommended Security Controls for Federal
      Information Systems and Organizations,” states that organizations should develop a
      security plan that “is consistent with the organization’s enterprise architecture.” It
      also states that organizations should “update the plan to address changes to the
      information system/environment of operation or problems identified during plan
      implementation or security control assessments.”

      The above condition occurred because the DRGR system owner and its system
      security officers were not aware of the inconsistency in the system’s security
      documentation. They explained that this inconsistency was a mistake and stated that
      they would review and update the documentation.

      Without up-to-date system security documentation, risks associated with the DRGR
      system may not have been properly identified and addressed. Mission-critical and
      high-risk systems have different security requirements, and if documentation is not
      current, these requirements will not be enforced.




                                                                                    11
       The DRGR Contingency Plan
       Had Not Been Adequately
       Tested



            The DRGR system was categorized as a HUD mission-critical system, yet the
            application was not adequately tested as required by HUD Information Technology
            Security Policy, 2400.25, REV-2, CHG-1. Contingency plan testing for the DRGR
            system was conducted in November 2010, however it was not tested under conditions
            that simulate a disaster or test the restoration of operations. The security policy stated
            that “Program Offices/System Owners shall ensure that plans for moderate and high-
            impact systems are tested/exercised at least annually in compliance with the HUD
            contingency planning guidance and NIST SP 800-34. 2 Testing should be coordinated
            with elements responsible for COOP (continuity of operations plan), CIP (critical
            infrastructure protection) and incident response.” Also, NIST SP 800-34 specifically
            requires that “each information system component should be tested to confirm the
            accuracy of individual recovery procedures. This includes the “restoration of normal
            operations.”

            The DRGR system had not been tested in the HUD disaster recovery test because its
            system classification had not been updated in the Cyber Security Assessment and
            Management system (CSAM) 3 to reflect that it is a mission-critical system. OCIO
            bases the list of systems to be tested for annual disaster recovery on CSAM data, and
            because DRGR system data were not complete in CSAM, the DRGR system was not
            tested during the most recent disaster recovery test. OCIO was working with the IT
            contractor to address contract issues that would allow the DRGR system to be
            included in the next disaster recovery test.

            By not conducting an adequate contingency plan test for the DRGR system the
            system owner could not determine the plan’s effectiveness and the organization’s
            readiness to execute the plan as intended in an emergency situation. Further, without
            validating one or more of the system components and the operability of the plan, the
            DRGR system owner would not be able to identify and address the deficiencies in the
            plan.




2
  NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems”
3
 The CSAM C&A (certification and accreditation) Web originated as the U.S. Department of Justice (DOJ) in-
house application supporting the C&A process, plans of action and milestones management, and Federal
Information Security Management Act (FISMA) reporting. HUD selected this DOJ shared service center as its
FISMA reporting solution.


                                                      12
Conclusion


      The DRGR system owner needs to improve its application security management
      program to fully address Federal guidelines. The DRGR system owner did not
      update security documentation and adequately test its contingency plan that
      allows appropriate risks to be addressed and proper security controls to be
      implemented. '''''''''''' ''''''''''' '''''''''' ''''''' '''''''''''''' '''''''''''''''' '''''''''''''' ''''''''' '''''''''' ''''''''''''''''''''''''''' ''''''
      '''''''''''''''''' ''''''''' '''''''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''''''''' ''''' ''''''''''''''''''''''''' ''''' '''''''''' '''''''''''
      '''''''''''''''''''' ''''''''' ''''''''''''''''''''''''''''' '''''''''''''''''' '''''''''' ''''''''' '''''''''''''''''''''' '''''''''''''''''''''' '''
      '''''''''''''''''''''''''''' '''''''' ''''''''' ''''''' ''''''''''' ''''''''''''''''''''''' '''''''''''' '''''''''''' ''''''''' ''''' '''''''''''''''''''''''''''' '''''''''
      '''''''''''' ''''''''''''''''''''''' ''''' ''''''''''''''' ''''''' ''''''''''''''''' '''''''''''''''''''''''''''''' Further, the contingency
      plan had not been adequately tested, to determine whether the plan could be
      successfully executed in an emergency situation.


Recommendations


      We recommend that the Office of Community Planning and Development

      2A. ''''''''''''''''''''''''' '''''''''' ''''''''''' ''''''''''''' '''''''''''''''''''''''' ''''''''' '''' ''''''''''''''''''' ''''''''''''''''''''''''''''' '''''''''''''
          ''''' '''''''''''''''' ''''''''' ''''''' ''''''''''''''''''''''''' '''''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''''''' ''''' '''''''
          ''''''''''''''''''''' '''''''''''' '''''''''''''''''''''''''''' ''''' '''''''''''' ''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''''' ''''''''' ''''''''''''
          '''''''''' ''''''' '''''''''''''''''''''''' ''''' '''''''' ''''''''''''' '''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''' '''''''' '''''''''''''''''''
          '''''''''''''''''''''

      2B. Ensure that the DRGR system owner reviews and updates DRGR system
          security documentation to ensure that it is consistent and to address changes
          to the information system environment.

      2C. Coordinate with HUD OCIO and contractors responsible for the disaster
          recovery test to perform the contingency plan test on the DRGR system that
          addresses restoration of normal operations.

      We recommend that the Office of the Chief Information Officer

      2D. Ensure that the DRGR system’s contingency plan is tested in compliance
          with the HUD contingency planning guidance and NIST SP 800-34.




                                                                         13
                                          SCOPE AND METHODOLOGY

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objective(s). We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objective.

We performed the audit
    ·   From February through June 2011.
    ·   At HUD headquarters, Washington, DC.

To accomplish our objective, we
    ·   Reviewed CPD’s DRGR system documentation (such as functional requirements, data
        requirements, system security plan, and risk assessment) to gain an understanding of the
        system configuration, policies and procedures, and drawdown processes.
    ·   Interviewed CPD management officials and users to understand the DRGR system
        processes, controls, and risks.
    ·   Obtained computer-processed disbursement data from the HUD Central Accounting
        Processing System (HUDCAPS) for the period October 1, 2010, through March 31, 2011.
        We assessed the reporting controls for the DRGR system interface by (1) reviewing
        existing information about the data and the system that produced the data, (2) comparing
        data between HUD’s financial reporting application system—HUDCAPS and the DRGR
        system, and (3) interviewing agency officials knowledgeable about the data. We
        determined that the data were sufficiently reliable for the purposes of this report.
    ·   Reviewed and assessed the audit and accountability controls for the DRGR system.
    ·   Assessed 77 business user activity features as described in the DRGR Operations Manual
        and Grantee User Manual. We selected 77 activities from a total of 103 business user
        activity features that were listed in the manuals. These 77 activities were objectively
        selected based on most common usability by the audit team ''''''' ''''''''''' ''''''''''''''''''''''''''' '''''
        '''''''''''''''''''''' ''''''''''''' ''''''''''''
    ·   Reviewed DRGR system documentation to obtain a basic understanding of business
        functions '''''''' '''''''' ''''''''''''''''''''' ''''''''''''''' '''' '''''''''''''''''' '''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''''' ''''' ''''''''''''''''''
        '''''''''''''''''''''''
    ·   Determined whether the DRGR system grantees’ reporting methodology complied with
        Office of Management and Budget guidance.
    ·   Reviewed a subset of NSP2 grantees’ data in the DRGR system and compared it to the
        data reported in FederalReporting.gov 4 to determine whether the grantees’ reporting data

4
  FederalReporting.gov is the central nationwide data collection system for Federal Agencies and Recipients of
Federal awards under Section 1512 of the Recovery Act. Recipients will access www.FederalReporting.gov in order
to fulfill their reporting obligations. Federal Agency and Recipient users will be able to submit reports, view and
comment on reports (Federal Agency and Prime Recipient users), and update or correct reports.


                                                                                       14
    were accurate.
·   Reviewed the DRGR system corrective actions for vulnerability scans to determine
    whether identified risks had been remediated.
·   Evaluated applicable controls in the Federal Information System Controls Audit, NIST
    publications, and HUD’s Information Technology Security Policy, 2400.25, REV-2,
    CHG-1.




                                          15
                                        INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

     ·   Effectiveness and efficiency of operations,
     ·   Relevance and reliability of information, and
     ·   Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.



 Relevant Internal Controls
                We determined that the following internal controls were relevant to our audit
                objective:
                    ·     Up-to-date written policies and procedures used for implementation of
                          controls.
                    ·     Managerial oversight and monitoring.
                    ·     Compliance with Federal requirements.

                We assessed the relevant controls identified above.

                A deficiency in internal control exists when the design or operation of a control does
                not allow management or employees, in the normal course of performing their
                assigned functions, the reasonable opportunity to prevent, detect, or correct (1)
                impairments to effectiveness or efficiency of operations, (2) misstatements in
                financial or performance information, or (3) violations of laws and regulations on a
                timely basis.

 Deficiencies



                Based on our review, we believe that the following items are deficiencies:

                ·   ''''''''''''' '''''''''''''''' '''' '''''''' '''''''''''''' ''''''''''''''''' '''''''' '''''''' ''''''''''''''''''''' (finding 1).
                ·   Application security management of the DRGR system had weaknesses
                    (finding 2).


                                                                        16
                   FOLLOW-UP ON PRIOR AUDITS


Review of Selected Controls
Within the Disaster Recovery
Grant Reporting System -
Audit Report 2009-DP-0007



           On September 30, 2009, the HUD Office of Inspector General (OIG) audited
           selected controls within the DRGR system (Audit Report 2009 DP 0007 - Review of
           Selected Controls Within the Disaster Recovery Grant Reporting System). The
           audit concluded that (1) access control policies and procedures for the DRGR
           system violated HUD policy, (2) the system authorization to operate was outdated
           and based upon inaccurate and untested documentation, (3) CPD did not adequately
           separate the DRGR system and security administration functions, and (4) CPD had
           not sufficiently tested interface transactions between the DRGR system and LOCCS.
           As a result, CPD could not ensure that only authorized users had access to the
           application, user access was limited to only the data that were necessary for users to
           complete their jobs, and users who no longer required access to the data in the
           system had their access removed.

           In addition, the application had been operating under an outdated security
           certification for 7 months. Although CPD had initiated the authorization process, it
           was initiated without updated accurate documentation; therefore, results would also
           be based upon inaccurate information. To address the issues cited, OIG issued
           recommendations that CPD (1) formalize the user access request process and
           strengthen access controls; (2) update and correct system documentation and
           resubmit the revised documentation for security certification and accreditation; (3)
           separate the duties of system and security administration and reassign the help desk
           functionality; and (4) work with its contractors to ensure that tests of drawdown
           controls and transaction processing reports are performed as stated in the functional
           requirements documentation or if other controls are used, remove from the system
           documentation stated controls that are not in use.

           CPD continued to address the recommendations through May 2011. Final actions to
           address the recommendations from this audit were taken, and all of the
           recommendations were closed as of May 31, 2011.




                                             17
Appendix A

        AUDITEE COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation                     Auditee Comments
OIG received CPD responses on July 8, 2011 via e-mail.

                  It is important to distinguish which data is critical ''''''' '''''''''''' '''''''' '''''''''''''''''''''''''''''
                  '''''' ''''''''''''''''''''''''''' '''''''' ''''' ''''''' ''''''''''''''''''''''''''''''''''''''' ''''''''''''''''' ''''''''''''' All financial
                  disbursement requests from DRGR for funds to every organization under
                  every HUD approved activity have always been submitted to LOCCS at the
                  grant level and to be processed the grant banking information must match the
                  Tax Identification Numbers (TINs) from our grantee/grant profiles to get to
Comment 1         the bank routing info that is maintained by the HUD's CFO staff in Ft.
                  Worth. No HUD or grantee users can modify any banking information in
                  DRGR. If unauthorized users added activities, draws related to them would
                  still go to the grantee bank accounts based on bank routing that is
                  inaccessible from DRGR and any attempts to access these funds would still
                  have to be done through the grantee's own financial systems.

                  Consequently, DRGR considers draw approvals paramount to tracking data
                  on grantee oversight of money going to each funded organization. As
                  previously explained to the OIG, many DRGR system actions taken by HUD
                  staff and grantees each draw submission, approvals, rejections, and revision
                  only occur once each '''''' ''''' ''''''''''''''' '''''''''''' '''''''' '''''''''''''''' Each new action
                  creates a new record with a user and a time stamp. '''''' '''''''''''''''''''''''' ''''''''''''''''''''''
Comment 2         '''''''''' '''''''' ''''''''''''''' ''''''''''''''''' ''''' '''''''''''''''''''''''''' '''''''''''''''''' '''''' '''''''''''' ''''''''''''' '''''''''''' '''''''''''
                  ''''' '''''''''' '''''''''''''''''''''''''''''' '''''''''''''' '''''' ''''''''''''''''' Other actions such as DRGR Action
                  Plan and QPR report submission can also be archived '''''''''''''''''''''' ''''''''''''' '''''''
                  ''''''''' ''''''''' ''''''''' '''''''''' '''''''''''''' QPRs are typically only approved once and can
                  only be unapproved by superusers which are tracked through email requests.
                  CPD already tracks the comments of HUD staff reviews at the QPR level and
                  at the activity level for every quarterly review of grantee such financial,
                  performance, and program compliance issues '''''''''''' ''''''''''' '''''''''' ''''''''' '''''''''
                  '''''''''''''''''''

                  As also discussed, system development work requests already existed before
                  this OIG audit for modifying DRGR '''''''''''''''''''' ''''''''''''''''' ''''''''''''' ''''''' '''''''' ''''''''''
                  ''''''''''''''''''''' '''''' ''''''''''''''' ''''''''''''' ''''''''''''''' ''''' ''''''''''''' '''''''''''' ''''''''''''' '''''''''''''''''''''''' ''''''''
                  ''''''''''''''''''''''' ''''''''''' ''''' ''''''''''''''''' '''''''''''''''''''' CPD will use this work request to
                  modify '''''''''''' ''''''''''''''''' ''''''''''''' ''''''' ''''''''''''' key items related to user accounts.
                  Rather than keeping only the latest record which can be easily archived, '''''''
                  ''''''''' '''''''''''''''''''' '''''''''' '''''''''''''' '''''''''''''''''' '''''''''''''''''''''''''' ''''' ''''''''' ''''''''''''' ''''''' '''''' ''''''''''
                  '''''''''''''''''' ''''''''''''''''''' '''' ''''''''''''''' ''''''' ''''''''''''''''' '''''' ''''''''' ''''''''' ''''''''''''''''''' ''''''''' '''''''''''''''''''''
                  ''''''''''''' '''''''''''''''''
                                                                            18
Ref to OIG Evaluation                     Auditee Comments


                  However, beyond tracking activity drawdowns and obligation updates in
                  addition to CPD comments at the activity level during every quarterly QPR
                  review, CPD review of official grantee support records for compliance
                  monitoring at the activity level occurs during on-site monitoring. Grantee
                  iformation in DRGR is primarily used to facilitate risk assessments and to
Comment 3         help determine the scope of on-site monitoring. HUD already modified
                  DRGR to track every HUD action on grantee records using the grantee
                  simulator under the last OIG DRGR audit. Responsibility for compliance
                  with federal requirements is at the grantee level and repayment of any
                  noncompliant use of funds is from the grantee. All controlled monitoring
                  communications regarding non-compliance and any potential repayments are
                  directed to grantee managers.

                  CPD does not agree that our goal should be to increase the # of total data
                  elements tracked at the activity level through user, stamp and value changes.
                  CPD considers the tracking excess grantee data elements at the activity level
Comment 4         to have no value for audit and monitoring purposes. As explained above,
                  DRGR already tracks key user audit information through archives. CPD
                  already provided a detailed list of items to be modified in existing history
                  tables during the field work portion of this OIG audit. We have spent a great
                  deal of time and money recently tracking user certifications and improving
                  system performance. Adding excess data elements would degrade system
                  performance and responsiveness and serve no substantive monitoring/audit
                  purpose.




                                            19
            '
            ''
                 '''''''''''' ''''''''''''
                 '''''''''''''''' '''''''''''''''' ''''''''''''' ''''' '''''''''''''  ''''''''' ''''''''
                                                                                      '''''''' '''''''''''''''' ''''''''''' '''''''' '''''''' '''''''' '''''''''
                                                                                      ''''''''''' ''''''' ''''''' ''''''''''''''' '''''''''''' '''''''''
                 ''''''''''''''''''''''''''''' ''''' '''''''''''''''''                ''''''''''''' ''''''''''''''' ''''''''''''' '''''''''' '''' ''''''
                 '''''''''''''''' '''''''''''''                                       '''''''''''''''''''
                                                                                      '''''''' ''''''''''''''''' ''''''''''''''' '''''''''' ''''' ''''''''''''''
                                                                                      '''''''''''''' '''''''''''''''' '''''''''' ''''''''' ''''''''''' ''''''''
                 '''''''''''''' ''''''''' '''''''''''''''' ''''''''''''''''''         '''''''''
                                                                                      ''''''''''''''' ''''''''' ''''' ''''''''''''''' '''''''''''''''''''''
                                                                                      ''''''''''''''' ''''''''' '''''''''' '''''''' ''''''''''''' ''''''' '''''''''
                                                                                      '''''''' ''''''''' ''''''''''''''' ''''''''''' ''''''''' '''''''''''''''
Comment 5                                                                             '''''''''''' '''' ''''''''' '''''''' '''''''''' ''''''' ''''''''' '''''''
                                                                                      ''''''''''''' '''''''''''''''' ''''''''''' ''''' ''''''''''
                                                                                      '''''''''''''''''' ''''''''''' '''''''''' ''''''' ''''''''' '''''''''''''
                 '''''''''''''''' '''''''' '''''''''''''''' '''''''''''''''''''       ''''' '''''''''' '''''''' ''''''''''''''''' '''''' ''''''''''''''
                                                                                      '''''''' ''''''''''''''' ''''''''''' ''''''' '''''''' ''''''' '''''''''
                                                                                      ''''''''''' '''''''' '''''''' ''''''''''''' ''''''''''' ''''''''
                                                                                      '''''''''''''' '''''''''''''' ''''''''''''''' ''''''''''' '''' ''''''
                 ''''''''''''''' ''''''''' '''''''''''''' '''''''''''''' '''''''''''' '''''''''''''''''''
                                                                                      '''''''' ''''''''''''''''' '''''''''''''' '''''''''''''' ''' '''''''''
                                                                                      '''''''''''' ' ''''''''''' ''''''''''' ''''''' ''''''''''' ''''' ''''''''''
                 '''''''''''''' ''''''''''''                                          '''''''' ''''''''' ''''''''''''' '''''''' ''''''''''''''
                                                                                      ''''''' '''''''''''''''' '''''''''''''''' '''''''''''''' ''' '''''''''
                                                                                      '''''''''''' ' '''''''''''' ''''''''''' ''''''' ''''''''''''' ''''' '''''''''
                 '''''''''''''''''' '''''''''''''''''                                 '''''''' ''''''''' '''''''''''' ''''''' ''''''''''''
                                                                                      ''''''' '''''''''''''' ''''''''''' ''''''' '''''''' ''''''' '''''''''
                                                                                      ''''''''''' '''''''' ''''''' '''''''''''''''' ''''''''''' '''''''
                 '''''''''''''''' '''''''' '''''''''''''''' '''''''''''''''''         ''''''''''''' ''''''''''''''''' ''''''''''''' ''''''''' '''' ''''''
                 '''''''' ''''''''''''''''''''                                        ''''''''''''''''''
                                                                                      '''''''' ''''''''''''' '''''''''' ''''''' '''''''' ''''''' '''''''''
                 '''''''''''''' ''''''''' '''''''''''''''''' '''''''''' '''''''''     '''''''''''' ''''''' ''''''' ''''''''''''' ''''''''''' '''''''' ''''''''''''
                 ''''''''''''''''''' ''''''''''''''''''''''' ''''''''''''''''         '''''''''''''' ''''''''''''' ''''''''''' ''''' '''''' ''''''''''''''''''''
                 ''''''''''''''''''' ''''''''' ''''''''''''''''''''''''''' ''''''     ''''''' '''''''''''''' ''''''''' '''''''' '''''''' '''''''' '''''''''
                 '''''''''''''''''' '''''''''''''''''''''''''' ''''''''''''''         '''''''''' '''''''' '''''' ''''''''''''' '''''''''''' '''''''' ''''''''''''




                                                                        20
            ''
            ''
                 ''''''''' '''''''''''
                                                                                '''''''' ''''''''''''''' ''''''''''' '''''''' '''''''' ''''''' '''''''''
                                                                                ''''''''''' '''''''' ''''''' '''''''''''''''' '''''''''' '''''''' ''''''''''''
                                                                                ''''''''''''''' '''''''''''''' '''''''''' ''''' '''''' ''''''''''''''''''''
                 '''''''''''''''' ''''''''' ''''''''''''''' ''''''''            '''''''' ''''''''''''' '''''''''''' '''''' '''''''' ''''''''''''''''' '''''''''''
                 ''''''''''''''''''''                                           ''''''''''''''''''''''''' '''''''''''''
                                                                                '''''''' '''''''''''''''' '''''''''' ''''''' ''''''''' ''''''' '''''''''
                                                                                '''''''''''' '''''''' '''''''' ''''''''''''''' ''''''''''' '''''''' ''''''''''''
                                                                                '''''''''''''''' '''''''''''''' ''''''''' '''' '''''' '''''''''''''''''' ''''''''
                 ''''''''''''''' '''''''' ''''''''''''''''' ''''''''''''        '''''''''''''' '''''''''''' ''''' ''''''''' '''''''''''''''' ''''''''''
                 ''''''''' '''''''''''''''' ''''''''''''''''''                  '''''''''''''''''''''''''''' ''''''''''''
                                                                                '''''''' '''''''''''''''' ''''''''''''''' '''''''''' ''''' '''''''''''''''
                 '''''''''''''' '''''''' '''''''''''''''' '''''''''''''''''''   '''''''''''''' '''''''''''''''' ''''''''' '''''''' '''''''''''' '''''''' ''''''''
                                                                                ''''''' '''''''''''''' '''''''''''''' '''''''''''''''' ''' ''''''''' '''''''''''' '
                 ''''''''''''''''''' '''''''''''''''''''' '''''''''             ''''''''''' '''''''''' '''''''' ''''''''''''' ''''' ''''''''''' '''''''' '''''''''
                 ''''''''''''''''''''                                           ''''''''''''' '''''''' '''''''''''''
Comment 5        '''''''''''''' ''''''''''''''''''' ''''''''''''
                 '''''''''''''                                                  '''''''' ''''''''
                                                                                '''''''''''''' ''''''''''''''' ''' '''''''' '''''''' '''''''' ''''''''''''''
                                                                                '''''''''''''' '''''''' ''''''''''''' ''''''' '''''''' ''''''''''''' '''''''
                                                                                '''''''' '''''' ''''''''''''' ''''''''' '''''''' ''''''''' ''''''''''''
                 ''''''''''''''''''''' ''''''''''''''''''''''                   ''''''''''''''''''''' ''''' '''''' ''''''''''''''''''' ''''''' '''''''''''''
                 '''''''''''''''''''''''''' '''''''''''''''                     ''''''''' '''''' ''''' '''''''''''''''
                                                                                ''''''' ''''''''''''''' ''''''''''' '''''''' '''''''' '''''''' '''''''''
                 ''''''''''''''''' '''''''''''''''''                            ''''''''''' '''''''' ''''''' ''''''''''''''' '''''''''''' '''''''' '''''''''''''
                 '''''''''''''''''''''''''''''' ''''''''''''                    ''''''''''''''' '''''''''''' '''''''''' '''' ''''''' '''''''''''''''''
                                                                                '''''''' '''''''''''''' ''''''''' '''''''' ''''''''' '''''''' '''''''''
                                                                                '''''''''''' ''''''' ''''''' ''''''''''''''' ''''''''''' ''''''''' ''''''''''''
                 '''''''''''''''' '''''''''''' ''''''''''''''''''''             '''''''''''''''' ''''''''''''''' ''''''''' '''' '''''' '''''''''''''''''''
                 ''''''''''''''''''''''''''''' ''''' ''''''''''''''''''''
                 ''''''''''''''''''''''''''''' '''''''''''''''''''' ''''''''    ''''''''' ''''''''''''''' ''''''''' ''''''' '''''''' ''''''' ''''''''' '''''''''''
                 '''''''''''''''''''''''''''''''' ''''''''''''''''              ''''''' '''''''' '''''''''''''''' '''''''''''' '''''''' '''''''''''''''
                 ''''''''''''''''''''''''''''''''                               ''''''''''''''' ''''''''''''' '''''''''' '''' ''''''' '''''''''''''''''
                 '''''''''''''''''''''''''''''''' ''''' '''''''''''''''
                 '''''''''''''''''''''''''''''''' '''''''''''''''''''           '''''''' '''''''




                                                                           21
            Cause #3 is not accurately stated. CPD and CISO staff conducted a DRGR
            Contingency Plan test on November 10, 2010 at 10:00 am. DRGR was
Comment 6   declared a Mission Critical system October 6, 2010 and was updated as
            Mission Critical in CSAM; but did not get updated in HUD’s Inventory of
            Automated Systems (IAS). The HUD IT contract for FY 2011 was already
            underway and DRGR did not get include in the scope of systems to be tested
            during the spring 2011 Disaster Recovery Testing

            Office of Community Planning and Development:
            CPD Response to Recommendation #1: '''''''' ''''''''' ''''''''' '''''''''''''''''' ''' ''''''''''''''''' ''''''''
            '''' ''''''''''''''''''' ''''''''''' '''''''''''' '''''''''''''''''''''' '''''''''''''''' ''''''''''''' '''''''''''''' ''''' ''''''''' ''''' '''''''' ''''''''''''
            '''''''''''' ''''' ''''''''' '''''''''''' ''''''''''''''''''''''''''''' ''''' ''''''''''' '''''''''''''''' '''''' '''''''''''''''''''' ''''' '''''''' '''''''''
            ''''''''''''''''''''''' ''''''''''''''''''''''''''''' ''''''''''''' ''''' '''''''''' '''''' '''''''''''''' ''''''''''''''''''''' ''''''''''''' '''''''''' ''''''''
            ''''''''''''''''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''' ''''''''' ''''''''''''''''' ''''''''''''''''' ''''''''''''''' '''''''' '''''''''''
            '''''''''''''''''''''''' ''''''''''''''''' '''''''''''''''''' '''''''''''''' '''''''''''''''''' ''' ''''''''''''''''' ''''' ''''''''''''''''''' '''
            '''''''''''''''''''''''''''''''' '''''''''' ''''' '''''''''''''''' '''' ''''''''' '''''''''''''' ''''''''''''' ''''''''''''''''' '''''''''''''''''''''' '''''''
Comment 7   ''''''''''''' '''''''''''''' '''''''' '''''''''''''''' '''' ''''''''''''''''''''' '''''' '''''''''''''''' '''''''''''''''''''''''''' ''''''''' ''''''''' '''''''
            ''''''''''''''''' '''''''' '''''''''''''''''''' '''''''''''' '''''''' '''''''''' '''''''''''' ''''' ''''''''''''''''''''''''''' '''''''' ''''''''''''''''''' '''''''
            '''''''''''''' '''''''''''''''''' ''''''' '''''''''''''''''''''''' ''''''''''''''''''''''''''''' '''''''''''''''' '''''' ''''''''' ''''''''''''' ''''''''''
            ''''''''''''''''''' ''''''''''''''''''''''''''''''''''''''' ''''''''' ''''''''''''' ''''' ''''''''''''''''''''''' ''''''''' ''''''' ''''''''''''''''''
            '''''''''''''''''''' '''''''''''''''''''''''''''' '''''''''' ''' '''''''' ''''''''''''''''''''''''' ''''''''''''''' ''''' ''''''''' ''''' '''''''' '''''''''''''''''
            ''''' '''''' '''''''''''''''''''' '''''''''''''' ''''''' ''''''''' ''''''''''''''''''''''''''' CPD plans are to conduct the
            next DRGR Vulnerability Scan in July 2011, immediately following the next
            scheduled application release. As part of that process, the system owner and
            information system security officer and IT operations will verify that that all
            information security weaknesses identified in the 2009 DRGR scan have
            been remediated and will ensure that any newly identified weaknesses as a
            result of the scan are mitigated.

            CPD Response to Recommendation #2: The DRGR system owner and its
            system security officers have updated the DRGR security documentation to
            consistently reflect DRGR’s Status as mission critical and security
Comment 8   categorization moderate in each document. The Contractor currently in the
            process of producing annual security documentation updates. CPD will
            ensure that the content of all future security documentation is consistent and
            reflects DRGR’s current condition and status.




                                                                     22
            CPD Response to Recommendation #3: DRGR was declared a Mission
            Critical system in October 2010 and was updated as Mission Critical in
            CSAM. The system was not updated as mission critical in the HUD’s
            Inventory of Automated Systems (IAS). Even so, the HUD IT contract for
            FY 2011 was already underway and did not foresee to include DRGR in the
            scope of the Disaster Recovery Testing). CPD coordinated with OCIO/Chief
Comment 9
            Information Security Officer (CISO) staff in October 2010 and arranged to
            have CISO staff conduct a DRGR Contingency Plan test on November 10,
            2010 at 10:00 am. CPD will continue to coordinate with HUD OCIO and
            responsible contractors to conduct the contingency plan test on DRGR. CPD
            will also insure that ensure that HUD OCIO and responsible contractors
            include DRGR when performing DR tests.




                                     23
                        U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
                                  WASHINGTON, DC 20410-3000


CHIEF INFORMATION OFFICER



MEMORANDUM FOR: Hanh Do, Director, Information System Audit Division, GAA


FROM:                     Jerry E. Williams, Chief Information Officer, Q


SUBJECT:                  Draft Audit Report – The Disaster Recovery Grant Reporting
                          System that Maintained Recovery Act Information had
                          Application Security Control Deficiencies


      This memorandum is in response to your June 29, 2011 draft audit report entitled,
“The Disaster Recovery Grant Reporting System that Maintained Recovery Act Information
had Application Security Control Deficiencies.”

       The Office of the Chief Information Officer (OCIO) has carefully reviewed the report
and is providing comments on the report and its recommendations. The attachment lists the
recommendations issued by the Office of the Inspector General and OCIO’s response to the
recommendations. Once the final report is issued, we will then be able to provide you with a
definitive timeline and estimated completion date.

      We look forward to working with you and your staff to resolve and close out the
recommendations. Should you have any questions or need additional information, please
contact Joyce M. Little, Director, Office of Investment Strategies Policy and Management, at
202-402-7404.

Attachment(s)




                                24
                Draft               Office of the Chief Information Officer (OCIO) and
               Report                Management Comments for OIG’s Consideration
              Reference
             Page 13,     Request the OIG revise the recommendation by deleting “IT operations”
Comment 10   Rec. 2A      and replacing with “OCIO”.

             Page 13,     Request the OIG delete the recommendation in its entirety and replace with
             Rec. 2C      “Coordinate with the HUD OCIO to provide HUD Disaster Recovery Plan
Comment 11                for Service Continuity and Availability Management (DRPSCAM) support
                          for the DRGR system.


             Page 13,     Request the OIG delete the recommendation in its entirety and replace with
             Rec. 2D      “Ensure the DRGR system has HUD Disaster Recovery Plan for Service
Comment 11
                          Continuity and Availability Management (DRPSCAM) support.”




                                           25
OIG Evaluation of Auditee Comments

Comment 1   CPD states that grantee users cannot modify banking information in DRGR,
            however this type of information was not reviewed in the scope of our audit. ''''''''''
            '''''''''''''''''''''' '''''''' '''''''''''''''''''''''''' '''''''''''''''' '''''''' ''''''''''' '''''''''''''''' '''''''''''''''''''''''''' '''''''' ''''''''''''''''''' '''''''''
            '''''''''''''''''''''''' '''''''''''''''''''' '''''''''' ''''' '''''''' ''''''''''''''' ''''''''''''''''' '''''''''''''''''''' '''''''''''''''''' '''''''''''' ''''''''''''''
            '''''''' ''''' ''''''''' '''' '''''''''''''''' ''''''''''''' ''''''''''''''''' '''''' '''''''''' ''''''''' ''''''''''''''''''''' '''''''''''''''''''' ''''' ''''''''''' '''''
            ''''''''''''''''''''''' ''''''''' '''''''' '''''''''' '''''''''''''''''''''''''''' ''''''' ''''''''''''''' ''''''''''''' '''''''''''''''''''' ''''''' ''''''''''''''''' ''''''''
            '''''''''''''''''' ''''''''' '''''''''''''''''''''''''''''''' ''''' ''''''''''''''''' ''''''''''''''' ''''''''''''''' '''''' '''''''''''' ''''''' ''''' ''''''''''''''' ''''''''''
            '''''''''''''''''''''''

Comment 2   After receiving documentation from the auditee prior to issuance of the draft
            report, OIG removed the following elements from the draft report; 1) create
            draws, 2) approve draws, 3) approve vouchers over threshold, and 4) approve
            quarterly performance reports.

Comment 3   OIG disagrees that HUD has already modified DRGR to track every HUD action
            on grantee records. ''''''' '''''''''''''''''''' '''''' ''''''' '''''''''''''''' '''' ''''''' ''''''''''''' ''''''' '''''''''''''''''''' '''' '''''''''''
            '''''''' '''''''' '''''''''' '''''''''''''''''''' ''''''''' ''''''''''''''''' ''''''''''''' ''''''''''''''''' ''''''''''''''''''''''''''' '''''''' ''''''''''''' ''''''''
            '''''''''''' ''''''' ''''''''''''''''' ''''''''''' ''''''''''''''''''' ''''' ''''''' '''''''''''''''''''' ''''''' '''''''''' ''''''''''''''' '''''''''''''' '''''''''' '''''
            '''''''' ''''' ''''''' ''''''' ''''''' '''''''''' '''''''''''''''''' '' ''''''''''''''' ''''' ''''''' '''''''''''''''''' ''''''''' '''''''' ''''''''''''''

Comment 4   OIG agrees with CPD that not all data elements need to be tracked. OIG has
            modified the draft report to reflect CPD comments received on specific data
            elements needed and not needed. The data elements that are listed in this report
            would serve monitoring and audit purposes in the event of a security violation.

Comment 5   After receiving documentation from the auditee prior to issuance of the draft
            report, OIG removed data elements from the draft report. ''''''''' ''''''''''''''' ''''''''' ''''''''''''''''
            ''''''''''''''''''''' ''''''''' ''''''''''''''''' '''''''' ''''''''''''''''' ''''' '''''''' ''''''''''' '''''''''''''''' ''''''''''' '''''''''''''''''''''' ''''''''''''''
            '''''''' ''''''''''''''''''''''' '''''''

Comment 6   The auditee is referring to “Cause #3” as written in the Notification of Findings
            and Recommendations that were provided on June 14, 2011. OIG disagrees that
            the cause is not accurately stated. On page 12 in the audit report, OIG states the
            cause occurred because system information was not entered into CSAM. CPD
            states that the system was not updated in IAS. OIG received confirmation from
            OCIO that information was not completely entered into CSAM. As a result, the
            cause will remain unchanged in the report.

Comment 7   The auditee is referring to “Recommendation #1” as written in the Notification of
            Findings and Recommendations that were provided on June 14, 2011. This
            comment refers to recommendation 2A in the audit report. We acknowledge
            CPD’s response and are encouraged with their stated plan to address
            recommendation 2A.




                                                                                  26
Comment 8     The auditee is referring to “Recommendation #2” as written in the Notification of
              Findings and Recommendations that were provided on June 14, 2011. This
              comment refers to recommendation 2B in the audit report. We acknowledge
              CPD’s response and are encouraged with their stated plan to address
              recommendation 2B.

Comment 9     The auditee is referring to “Recommendation #3” as written in the Notification of
              Findings and Recommendations that were provided on June 14, 2011. This
              comment refers to recommendation 2C in the audit report. We acknowledge
              CPD’s response and are encouraged with their stated plan to address
              recommendation 2C.

Comment 10 OIG agrees to revise the recommendation based on OCIO comments.

Comment 11 OIG cannot revise the recommendation as suggested by OCIO. We did not
           review the HUD Disaster Recovery Plan for Service Continuity and Availability
           Management support for DRGR as it was not in the scope of our review. The plan
           was only mentioned after audit fieldwork was completed. We cannot determine
           whether the disaster test for DRGR will be included in the plan and how the test
           will be conducted for this mission critical system. As a result, the
           recommendation will remain unchanged in the report.




                                              27