Audit of the Inventory and Management of The U.S. Office of Personnel Management's Sensitive Property

Published by the Office of Personnel Management, Office of Inspector General on 2009-06-15.

U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INVENTORY AND MANAGEMENT OF
THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
SENSITIVE PROPERTY

Report No. 4A-CA-00-08-036

Date: June 15, 2009

-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905); therefore, while this audit report is available
under the Freedom of Information Act, caution needs to be exercised before releasing the report to the general public.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the Inspector General

AUDIT REPORT

AUDIT OF THE INVENTORY AND MANAGEMENT OF
THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
SENSITIVE PROPERTY

Report No. 4A-CA-00-08-036        Date: June 15, 2009

Michael R. Esser
Assistant Inspector General for Audits


                                           EXECUTIVE SUMMARY





       The Office of the Inspector General has completed a performance audit of the Inventory and
       Management of the U.S. Office of Personnel Management's (OPM's) Sensitive Property. Our
       main objective was to determine whether OPM has effective controls in place to safeguard and
       ensure accountability of sensitive property. In order to make this determination, our audit
       included the following specific objectives: (1) determine the completeness of OPM's laptop
       inventory; (2) assess compliance with OPM property management procedures for sensitive
       property; and (3) determine the physical existence of sampled sensitive property.

       Our audit was conducted from September 11, 2008 through February 19, 2009 at OPM
       headquarters in Washington D.C. Our audit identified five areas requiring improvement.

       A. OPM's Laptop Inventory

          1. Incomplete Laptop Inventory

             The Network Management Group's inventory of OPM
             laptops is incomplete.

          2. Inadequate Controls Over the Laptop Inventory

             OPM does not have adequate controls to account for its
             laptop inventory.

          3. Inventory Management Controls Not Followed

             The Network Management Group is not compliant with
             inventory management controls as stated in the Asset
             Management Plan.

       B. OPM's BlackBerry Inventory

          1. Lack of Controls Over OPM's BlackBerry Inventory

             OPM does not have adequate controls to account for its
             BlackBerry inventories.

       C. OPM's Disposal of Excess Sensitive Property

          1. Lack of Controls for the Disposal of Excess Sensitive
             Property

             CCFAS does not have adequate controls in place to ensure
             that excess sensitive property is disposed of in accordance
             with federal property regulations.

                                    TABLE OF CONTENTS

       EXECUTIVE SUMMARY

  I.   INTRODUCTION AND BACKGROUND

 II.   OBJECTIVES, SCOPE, AND METHODOLOGY

III.   AUDIT FINDINGS AND RECOMMENDATIONS

       A. OPM's Laptop Inventory
          1. Incomplete Laptop Inventory
          2. Inadequate Controls Over the Laptop Inventory
          3. Inventory Management Controls Not Followed

       B. OPM's BlackBerry Inventory
          1. Lack of Controls Over OPM's BlackBerry Inventory

       C. OPM's Disposal of Excess Sensitive Property
          1. Lack of Controls for Disposal of Excess Sensitive Property

 IV.   MAJOR CONTRIBUTORS TO THIS REPORT

       APPENDIX A (Center for Contracting, Facilities, and Administrative Services'
                   Response, dated April 17, 2009, to our draft report)
       APPENDIX B (Center for Information Services' Response, dated
                   April 20, 2009, to our draft report)

                      I. INTRODUCTION AND BACKGROUND 


Introduction

This final audit report details the findings, conclusions, and recommendations resulting from our
performance audit of the Inventory and Management of the U.S. Office of Personnel
Management's (OPM's) Sensitive Property.

The audit was performed by OPM's Office of the Inspector General (OIG) as authorized by the
Inspector General Act of 1978, as amended.

Background

Securing mobile information technology (IT) devices (sensitive property), such as laptops or
BlackBerries, has become an important part of federal agencies' asset management
responsibilities in recent years due to reports of loss or theft of laptops at various federal
agencies and the risk that personally identifiable information may be compromised.

41 Code of Federal Regulations (CFR) 101-27.101 states that "Each agency shall establish and
maintain control of personal property inventories ...." OPM's Center for Contracting, Facilities,
and Administrative Services (CCFAS) formulates the overall personal property guidance for the
agency. OPM's Personal Property Handbook (Handbook) developed by CCFAS provides the
policies and procedures to ensure the effective management of its personal property and
establishes the roles and responsibilities of program offices. Each OPM office has a designated
property custodian who is responsible for the management of the property assigned to their
office.

Section III D (4) of the Handbook defines sensitive property as property that is controlled,
regardless of unit acquisition cost, because it is highly susceptible to theft or abuse or is vital to
mission accomplishment. Examples of sensitive property per OPM's definition are laptops and
BlackBerries. OPM laptops are centrally managed by the Management Services Division's
(MSD), Center for Information Services' (CIS), Network Management Group (NMG). Some
offices, like the OIG, have a business case exception for maintaining their IT inventory
separately from the agency because of their unique IT resource needs.

NMG's Asset Management Plan (AMP) provides a framework of policies and procedures to
account for, manage, and protect the integrity of OPM IT assets. NMG works with the OPM
divisions' property custodians (with the exception of the OIG) to keep the laptop inventory
records complete and accurate. NMG uses a tool called Remedy Asset Manager (RAM) to track
asset accountability, location, maintenance, asset owners and lifecycle status processes. The
Configuration Management Database (CMDB) is a database used by NMG to detail the histories
and relationships of all IT assets, and is the central source of information on all IT assets. The
OIG has its own system for recording and maintaining its laptop inventory.

If an agency has excess personal property that is no longer needed, 41 CFR 102-36 requires the
agency to submit that information to the General Services Administration (GSA) via standard
form (SF) 120A. Excess property is defined in 41 CFR 102-36.30 as property that is no longer
needed by the activities within an agency to carry out the functions of official programs, as
determined by the agency head or designee. 40 U.S. Code Section 524 states that agencies are to
continuously survey property to determine which is excess and to transfer or dispose of such
property as promptly as possible. Each OPM program division is responsible for identifying the
excess property for disposal. The property custodians for the program divisions coordinate with
CCFAS to prepare the SF-120A itemizing the excess property and submit the forms and the
property to CCFAS for disposal through GSA.

No previous audits of OPM's controls over sensitive property have been performed.

The initial results of our audit were discussed with OPM officials during an exit conference. A
draft report was issued on March 19, 2009. CCFAS' and CIS' responses to the draft report were
considered for this final report and are included as Appendices.





               II. OBJECTIVES, SCOPE, AND METHODOLOGY 


Objectives

The primary objective of our audit was to determine if OPM has effective controls in place to
safeguard and ensure accountability of sensitive property. Specifically, our objectives were to:

   • Determine the completeness of OPM's laptop inventory;
   • Assess compliance with OPM property management procedures for sensitive property;
     and
   • Determine the physical existence of sampled sensitive property.

The recommendations included in this final report address these objectives.

Scope and Methodology

Our performance audit was conducted in accordance with generally accepted government
auditing standards as established by the Comptroller General of the United States. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.

The scope of our audit covered policies and procedures for fiscal year (FY) 2008 governing
OPM's management and inventory of the following sensitive property: laptops, BlackBerries
and Federal Investigative Services Division (FISD) Global Positioning Systems (GPS). The
current laptop inventory scope consisted of OPM's FY 2007 inventory. The scope of OPM's
new laptop purchases made by NMG was March 2008. The scope of OPM's BlackBerry
inventory, FISD's GPS inventory, and OPM's disposed BlackBerries and laptops was FY 2008.

We performed this audit from September 11, 2008 through February 19, 2009 at OPM
headquarters in Washington, D.C.

To accomplish the audit objectives noted above, we:

   • 	 Reviewed applicable laws and regulations governing OPM's inventory and property
       management;
   • 	 Reviewed OPM's internal property management policies and procedures;
   • 	 Reviewed OPM's program offices' processes for handling sensitive property;
   • 	 Sampled and tested laptops, Blackberries, and GPS units for physical existence; and
   • 	 Interviewed key representatives from OPM's program offices and the sampled program
       offices responsible for inventory and management of sensitive property.





In planning our work and gaining an understanding of the internal controls over OPM's
management and inventory of sensitive property, we considered the internal control structure to
the extent necessary to develop our audit procedures. These procedures were mainly substantive
in nature, although we did gain an understanding of management procedures and controls to the
extent necessary to achieve our audit objectives. The purpose of our audit was not to provide an
opinion on internal controls, but merely to evaluate controls over the processes that were
included in the scope of our audit. Our audit included such tests of OPM's sensitive property
inventory records and other auditing procedures as we considered necessary under the
circumstances. The results of our tests indicate that, with respect to the items tested, CCFAS,
NMG, and the sampled OPM program offices did not have effective controls in place for the
inventory and management of sensitive property, as set forth in the details of this audit report.

In conducting our audit, we judgmentally selected six out of eight program divisions to perform
our detailed audit procedures. We used Interactive Data Extraction Analysis software to select
random samples of sensitive property for testing. Samples were selected to verify physical
existence as follows:


                                                      Laptops           BlackBerries          GPS Units
Divisions                                          Sampled  Universe   Sampled  Universe   Sampled  Universe
Federal Investigative Services Division (FISD)          15       444         9        54       150      1572
Office of the Inspector General (OIG)                   10       167        11        44
Human Resources Products and Services (HRPS)            18       221        43       168
Human Capital Leadership and Merit System
  Accountability (HCLMSA)                                4        56         2        16
Office of the Chief Financial Officer (OCFO)             5        48         4        29
Strategic Human Resources Policy (SHRP)                 13        42        13        38
Total                                                   65       978        82       349       150      1572

In addition, we selected the seven laptops purchased by NMG in March 2008 to test for
compliance with their policies for recording new laptop purchases in inventory. We also
selected the 17 BlackBerries excised by HCLMSA and OCFO, and 6 laptops excised by OCFO
and SHRP during FY 2008 to test for compliance with federal regulations and OPM procedures
for disposal of excess property.

The results from the various samples were not projected to the population.





                   III. AUDIT FINDINGS AND RECOMMENDATIONS 

Our audit disclosed that with respect to the items tested, OPM does not have effective controls in place
for the inventory and management of sensitive property. The areas requiring improvement are
described below.

A.       OPM's Laptop Inventory

     1. Incomplete Laptop Inventory

         Network Management Group's (NMG's) inventory of OPM laptops is incomplete. We
         found that the inventories for the offices sampled contained incomplete information.
         Specifically, 48 of 65 laptop inventory records provided by NMG were missing identifying
         information, such as asset tag numbers, acquisition dates, locations, and serial numbers. In
         addition, we noted that three program offices were omitted from the inventories provided.

         41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and
         maintain control of personal property inventories ... " and "inventories may be considered to
         be composed of active inventory which is that portion carried to satisfy average expected
         demand."

         OPM's Personal Property Handbook states that "The General Services Administration
         (GSA), the Office of Management and Budget (OMB), and the Government Accountability
         Office (GAO) require Federal agencies to establish and maintain an automated system
         capable of controlling physical assets and managing all personal property."

         NMG's Asset Management Plan (AMP) states that all IT assets are to be tracked within an
         automated tool and the asset management team is responsible for maintaining inventory.

         NMG does not maintain a complete and up-to-date centralized laptop inventory database
         incorporating the inventory data obtained from the OPM property custodians.

         By not maintaining a centralized laptop inventory of all OPM owned laptops, there is an
         increased risk for theft, loss, or misappropriation to occur without detection.

         Recommendation 1

         We recommend that OPM's NMG perform a comprehensive inventory of all OPM-owned
         laptops to ensure that the inventory is complete and accurate.

         Center for Information Services' (CIS) Response:

         "CIS accepts the OIG recommendation. As planned, we began to update an inventory of the
         assets in February. The inventory is expected to be completed by June 26, 2009. CIS/NMG
         will also conduct spot inventory checks during quarterly security audits. CIS/NMG will
         contact all Program Offices and update the centralized laptop inventory database with
         inventory data obtained from the OPM property custodians by June 26, 2009."

2.   Inadequate Controls Over the Laptop Inventory

     NMG and OPM program divisions do not have adequate controls in place to account for
     OPM's laptop inventory. Specifically, NMG and OPM program offices could not produce
     evidence to verify the physical existence of 19 of 65 laptops in our sample. We identified a
     lack of a comprehensive inventory of program offices' laptops and consistent updating of
     inventory records in the Remedy Asset Manager (RAM) tool as changes occur.

     41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and
     maintain control of personal property inventories ... " and "inventories may be considered to
     be composed of active inventory which is that portion carried to satisfy average expected
     demand."

     OPM is unable to determine whether missing laptops represent recordkeeping errors, loss,
     theft, or misappropriation of equipment. In addition, missing laptops increase the risk that
     Personally Identifiable Information may be compromised. The details of the inventory in
     question have been provided to NMG and the program divisions separate from this report.

     Recommendation 2

     We recommend that NMG and OPM program divisions work together to conduct a
     comprehensive inventory of OPM program offices' laptops and timely update the RAM to
     record changes, including turn-ins, transfers, replacement of equipment, and disposals.

     CIS' Response:

     "CIS accepts the OIG recommendation and will work to implement a solution with the OPM
     program offices. See also response to Recommendation 1."

     Center for Contracting, Facilities, and Administrative Services' (CCFAS) Response:

     "We concur with the recommendation that OPM program divisions work together to conduct
     a comprehensive inventory of laptops with timely update of record changes, including
     turn-ins, transfers, replacement of equipment and disposal. In addition, in order to further
     strengthen internal controls over sensitive property items, we have formed a Personal
     Property Task Team with representation from several program offices to identify actions we
     can take to ensure appropriate accountability for all property items."

     Recommendation 3

     We recommend that NMG work with the program divisions' property custodians to research
     the 19 missing laptops. If the laptops cannot be accounted for, NMG and the program
     divisions should determine if the laptops contain Personally Identifiable Information (PII)
     and take the appropriate reporting action.

   CIS' Response:

   "CIS accepts the OIG recommendation and will work with the property custodians to locate
   any missing laptops and determine if PII is likely to have been lost. Appropriate action will
   be taken once a loss is determined."

3. 	 Inventory Management Controls Not Followed

   NMG is not compliant with inventory management controls as stated in its AMP.
   Specifically:

       • 	 42 of the 65 laptops sampled did not have OPM asset tags, and
       • 	 All seven of the new laptop purchases in March 2008 were not recorded in inventory
           within one hour of delivery.

   In addition, we noted that the OIG does not inventory laptops upon delivery and receipt
   because the laptops are tested by the IT staff first, which takes approximately one to two
   weeks.

   NMG's AMP Section 2.6, Equipment Management, states that all IT assets costing more than
   $100 require an OPM asset tag and delivered assets must be verified, inventoried, and stored
   by NMG's asset management team within one hour of delivery.

   Based on this finding and the previous two, our conclusion is that a weak IT asset control
   environment exists within OPM. As a result, the risk of theft increases when assets are not
   tagged for identification and new purchases are not verified, inventoried, and stored in a
   timely manner.

   Recommendation 4

   We recommend that NMG develop internal controls to ensure that asset tags are placed on all
   OPM laptops (existing and new) and update the RAM accordingly.

   CIS' Response:

   "CIS accepts the OIG recommendation. Part of the help desk imaging and configuration
   process for laptops includes a step to place an asset tag on all laptops they service or deploy.
   CIS/NMG will also schedule the work to place asset tags on laptops missing the asset tags
   and update the RAM accordingly."

        Recommendation 5

        We recommend that NMG develop internal controls to ensure that all new laptop purchases
        are verified, inventoried, and stored within one hour of delivery, as stated in the AMP.

        CIS' Response:

        "CIS accepts the OIG recommendation and factual finding. Placing laptops in the Asset
        Management Plan (AMP) [RAM] within an hour after arrival is not always practical or
        realistic. Given the asset team staffing level and hours of operation, adding new laptops into
        the AMP [RAM] within an hour may not always be possible. On occasion laptop shipments
        arrive in large quantities or late in the day. The sheer volume and time of delivery are among
        other variables that prove to be barriers getting each new laptop entered in the RAM within
        one hour. CIS/NMG will update the AMP modifying help desk procedures. The updated
        procedure will state that new laptops are added to the AMP [RAM] within 8 hours. We do
        not believe these assets will be at risk with this approach. The storage area is monitored or
        locked. The laptops will be in a safe location."

B.      OPM's BlackBerry Inventory

     1. Lack of Controls Over OPM's BlackBerry Inventory

        OPM's program divisions do not have adequate controls to account for their BlackBerry
        inventories. Specifically, OPM was unable to support the physical existence of 15 out of 105
        BlackBerries sampled. The inventory details pertaining to this finding have been provided to
        CCFAS and the affected program divisions separately from this report.

        41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and
        maintain control of personal property inventories ...."

        OPM's Personal Property Management Handbook (Handbook), section III D (4), states that
        OPM program offices will maintain appropriate controls over sensitive property.
        BlackBerries are defined as sensitive property in OPM's Handbook.

        OPM's program divisions did not maintain appropriate controls over their BlackBerry
        inventories. They were unable to determine whether missing BlackBerries represent
        recordkeeping errors, loss, theft, or misappropriation of equipment. OPM's Handbook does
        not provide specific inventory management guidance for OPM program divisions to follow.

        Recommendation 6

        We recommend that CCFAS develop and implement guidance to ensure proper controls over
        OPM BlackBerries.

        CCFAS' Response:

        "CCFAS concurs that controls over OPM's Blackberry inventory are not adequate. The
        Personal Property Task Team is developing recommendations to improve procedures and
        controls, which will include OPM's Blackberry inventory."

        CIS' Response:

        "CIS accepts the recommendation. CIS has no comments."

C.      OPM's Disposal of Excess Sensitive Property

     1. 	 Lack of Controls for Disposal of Excess Sensitive Property

        CCFAS does not have adequate controls in place to ensure that OPM's excess sensitive
        property is disposed of in accordance with federal property regulations. Our interviews with
        program divisions' representatives revealed the following control weaknesses with respect to
        disposal of excess sensitive property:

            • 	 Several program divisions were unclear of the process for disposing of excess
                sensitive property; and,
            • 	 One program division disposes of its own excess property instead of coordinating the
                disposal through CCFAS.

        Our testing of the excess sensitive property, identified as being disposed of during FY 2008,
        revealed the following control weaknesses:

            • 	 CCFAS and NMG could not support the disposal of the six laptops; and,
            • 	 Two program divisions and CCFAS could not support the disposal of 17
                BlackBerries.

        41 CFR 102-36.30 states that personal property is excess when it is no longer needed by an
        agency to carry out the functions of official programs, as determined by the agency head or
        designee. Subsection 35 of the same section states that agencies declare property not needed
        as excess and report it to GSA for possible transfer to eligible recipients.

        CCFAS' property management policy lacks detailed guidance for the disposal of excess
        OPM property. In addition, OPM program divisions have an inadequate understanding of
        NMG's excess laptop disposal procedures. As a result, OPM is not in compliance with
        41 CFR 102-36.

        Recommendation 7

        We recommend that CCFAS develop and implement specific procedures and controls to
        ensure compliance with the disposal of excess sensitive property in accordance with
        41 CFR 102-36.




CCFAS' Response:

"We concur with the recommendation that CCFAS develop and implement specific
procedures and controls to ensure compliance with the disposal of excess sensitive property,
in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is
also developing recommendations to tighten procedures and controls associated with the
handling of excess sensitive property."

CIS' Response:

"CIS accepts the recommendation. CIS has no comments."





             IV. MAJOR CONTRIBUTORS TO THIS REPORT

Internal Audits Group

                 Auditor-In-Charge/Lead Auditor
                 Lead Auditor
                 Senior Team Leader
                 Chief

                                                                                                                  APPENDIX A 




     UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
     Washington, DC 20415

     Management Services Division

     APR 17 2009

     MEMORANDUM FOR

                                       Chief, Internal Audits Group

     FROM:                             TINA B. McGUIRE
                                       Deputy Associate Director
                                       Center for Contracting, Facilities and Administrative Services

     SUBJECT:                          Draft Report on the Audit of the Inventory and Management
                                       of the U.S. Office of Personnel Management's Sensitive
                                       Property (Report No. 4A-CA-00-08-036)


     In reply to your Memorandum, dated March 19, 2009, subject as above, we offer the comments
     below.


                                                Deleted by OPM 

                                           Not Relevant to Final Report 



     Recommendation 2

     We concur with the recommendation that OPM program divisions work together to conduct a
     comprehensive inventory of laptops with timely update of record changes, including turn-ins,
     transfers, replacement of equipment and disposal. In addition, in order to further strengthen
     internal controls over sensitive property items, we have formed a Personal Property Task Team
     with representation from several program offices to identify actions we can take to ensure
     appropriate accountability for all property items.

     Recommendation 3




                                                Deleted by OPM 

                                           Not Relevant to Final Report 





WILLIAM W. SCOTT, JR.
Page 2 of 2

Recommendation 6

As noted in Current Status under this recommendation in the Draft Report, CCFAS concurs that
controls over OPM's Blackberry inventory are not adequate. The Personal Property Task Team
is developing recommendations to improve procedures and controls, which will include OPM's
Blackberry inventory.

Recommendation 7

We concur with the recommendation that CCFAS develop and implement specific procedures
and controls to ensure compliance with the disposal of excess sensitive property,
in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is also
developing recommendations to tighten procedures and controls associated with the handling of
excess sensitive property.

Thank you for the opportunity to provide comments. If you have questions, please contact
Charles Mace, Chief, Facilities Services Branch, at 202-606-2502.
                                                                                                                       APPENDIX B




                           UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                                       Washington, DC 20415 



Management Services
     Division

                                                           April 20, 2009




              MEMORANDUM FOR WILLIAM W. SCOTT, JR. 

                            Chief, Internal Audits Group 


              FROM:                       JANET L. BARNES
                                          Chief Information Officer


              SUBJECT: 	                  Program Office Response to Draft Report 4A-CA-00-08-036,
                                          "Audit of the Inventory and Management of the U.S. Office of
                                          Personnel Management's Sensitive Property"

              Thank you for the opportunity to comment on the Office of the Inspector General (OIG)
              Draft Report 4A-CA-00-08-036, "Audit of the Inventory and Management of the U.S.
              Office of Personnel Management's Sensitive Property."

              The Center for Information Services (CIS) has reviewed the report and agrees with the
              findings, conclusions, and recommendations presented. CIS will take the following
              actions to address the OIG recommendations.

              Recommendation 1: (Incomplete Laptop Inventory)
              We recommend that OPM's NMG perform a comprehensive inventory of all OPM
              owned laptops to ensure that the inventory is complete and accurate.

              CIS Response:
              CIS accepts the OIG recommendation. As planned, we began to update an inventory of
              the assets in February. The inventory is expected to be completed by June 26, 2009.
              CIS/NMG will also conduct spot inventory checks during quarterly security audits.
              CIS/NMG will contact all Program Offices and update the centralized laptop inventory
              database with inventory data obtained from the OPM property custodians by June 26,
              2009.




              Recommendation 2: (Inadequate Laptop Inventory Controls)




 We recommend that NMG and OPM program divisions work together to conduct a
 comprehensive inventory of OPM program offices' laptops and timely update the
 Remedy Access Manager (RAM) to record changes, including turn-ins, transfers,
 replacement of equipment, and disposal.

 CIS Response:
 CIS accepts the OIG recommendation and will work to implement a solution with the
 OPM program offices. See also response to Recommendation 1.



 Recommendation 3: (Inadequate Laptop Inventory Controls)
 We recommend that NMG work with the program divisions' property custodians to
 research the 19 missing laptops. If the laptops cannot be accounted for, NMG and the
 program divisions should determine if the laptops contain Personally Identifiable
 Information and take the appropriate reporting action.

 CIS Response:
 CIS accepts the OIG recommendation and will work with the property custodians to
 locate any missing laptops and determine if PII is likely to have been lost. Appropriate
 action will be taken once a loss is determined.




 Recommendation 4: (NMG's Asset Management Controls not Followed)
 We recommend that NMG develop internal controls to ensure that asset tags are placed
 on all OPM laptops (existing and new) and update the RAM accordingly.

 CIS Response:
 CIS accepts the OIG recommendation. Part of the help desk imaging and configuration
 process for laptops includes a step to place an asset tag on all laptops they service or
 deploy. CIS/NMG will also schedule the work to place asset tags on laptops missing the
 asset tags and update the RAM accordingly.



 Recommendation 5: (NMG's Asset Management Controls not Followed) 

 We recommend that NMG develop internal controls to ensure that all new laptop
 purchases are verified, inventoried, and stored within one hour of delivery as stated in the
 AMP.

 CIS Response:
 CIS accepts the OIG recommendation and factual finding. Placing laptops in the Asset
 Management Plan (AMP) within an hour after arrival is not always practical or realistic.
 Given the asset team staffing level and hours of operation, adding new laptops into the
 AMP within an hour may not always be possible. On occasion laptop shipments arrive in
 large quantities or late in the day. The sheer volume and time of delivery are among other
 variables that prove to be barriers getting each new laptop entered in the RAM within one
 hour. CIS/NMG will update the AMP modifying help desk procedures. The updated
 procedure will state that new laptops are added to the AMP within 8 hours. We do not
 believe these assets will be at risk with this approach. The storage area is monitored or
 locked. The laptops will be in a safe location.




Recommendation 6: (Lack of Controls over OPM's BlackBerry Inventory) 

 We recommend that CCFAS develop and implement guidance to ensure proper controls
 over OPM BlackBerries.

 CIS Response:
 CIS accepts the recommendation. CIS has no comments.

 Recommendation 7:
 We recommend that CCFAS develop and implement specific procedures and controls to
 ensure compliance with the disposal of excess sensitive property in accordance with 41
 CFR 102-36.

 CIS Response:
 CIS accepts the recommendation. CIS has no comments.





cc:            TINA B. McGUIRE
               Deputy Associate Director
               Center for Contracting, Facilities, and Administrative Services

               DAVID M. CUSHING
               Deputy Chief Financial Officer

               BRADLEY A. EGGERS
               Senior Agency Information Security Officer (SAISO), Acting