U.S. OFFICE OF PERSONNEL MANAGEMENT
, OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
.Final Audit. Report
Subject:
AUDIT OF THE INVENTORY ANI> MANAGEMENT OF
l'HEtLS~OFFICE OF PERSONNEL MANAGEMENT'S
........ ·SENSITIVF>PROPE.RTY'·· .. .. .
ReportNo. 4A~CAROOR08~036
Date: Juile15 , 2009
--'CAUTION-
This ·audit report )las. been distributed to Federal officials who are ~espoDsible for the administralion of Ihe audited program, This a·udit
report ritaycon:l~inproprietilryiiata which is protected by Feder<lllaw (18 U.S.C. l?05);ther~fore, while ihis audilreport is available
urider the Freedom. of lnformatioD Act, caulion. needs to tie exercised before reieasing the report lothe general public.
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the
Inspector General
AUDIT REPORT
AUDIT OF THE INVENTORY AND MANAGEMENT OF
THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
SENSITIVE PROPERTY
Report No. 4A-CA-OO-08-036 Da~: June 15, 2009
Michael R. Esser
Assistant Inspector General
for Audits
www.opm.gov www.usajobs.gov
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the
Inspector General
EXECUTIVE SUMMARY
AUDIT OF THE INVENTORY AND MANAGEMENT OF
THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S
SENSITIVE PROPERTY
Report No. 4A-CA-OO-08-036 Date: June 15, 2009
The Office of the Inspector General has completed a perfonnance audit of the Inventory and
Management of the U.S. Office of Personnel Management's (OPM's) Sensitive Property. Our
main objective was to detennine whether OPM has effective controls in place to safeguard and
ensure accountability of sensitive property. In order to make this determination, our audit
included the following specific objectives: (1) detennine the completeness of OPM' s laptop
inventory; (2) assess compliance with OPM property management procedures for sensitive
property; and (3) determine the physical existence of sampled sensitive property.
Our audit was conducted from September 11,2008 through February 19,2009 at OPM
headquarters in Washington D.C. Our audit identified five areas requiring improvement.
A. OrM's Laptop Inventory
1. Incomplete Laptop Inventory
The Network Management Group's inventory ofOPM
laptops is incomplete.
2. Inadequate Controls Over the Laptop Inventory
OPM does not have adequate controls to account for its
laptop inventory.
www.opm.goY . www.usajob$.goy
3. Inventory Management Controls Not Followed
The Network Management Group is not compliant with
inventory management controls as stated in the Asset
Management Plan.
B. OPM's BlackBerry Inventory
1. Lack of Controls Over OPM's BlackBerry Inventory
OPM does not have adequate controls to account for its
BlackBerry inventories.
c. OPM's Disposal of Excess Sensitive Property
1. Lack of Controls for the Disposal of Excess Sensitive
Property
CCFAS does not have adequate controls in place to ensure
that excess sensitive property is disposed of in accordance
with federal property regulations.
11
TABLE OF CONTENTS
EXECUTIVE SUMMARy .......................................................... .
J. INTRODUCTION AND BACKGROUND ................ ..... ........ ...... .....
1
II. OBJECTIVES, SCOPE, AND METHODOLOGy............................ 3
III. AUDIT FINDINGS AND RECOMMENDAnONS ..... _............. ...... 6
A. OPM's Laptop Inventory
1. Incomplete Laptop Inventory.. .. .. .. .. .. . .. .. .. .. .. .... ..... .. .. . ... 6
2. Inadequate Controls Over the Laptop Inventory... . .. . . . . . . . . . . . . 7
3. Inventory Management Controls Not Followed.. .... ............. 8
B. OPM's BlackBerry Inventory
1. Lack of Controls Over OPM's BlackBerry Inventory............ 9
C. OPM's Disposal of Excess Sensitive Property
1. Lack of Controls for Disposal of Excess Sensitive Property.... 10
IV. MAJOR CONTRIBUTORS TO THIS REPORT.................... .... 12
APPENDIX A (Center for Contracting, Facilities, and Administrative Service's
Response, dated Apri1 17, 2009 to our draft report)
APPENDIX B (Center for Information Services' Response, dated.
April 20, 2009 to our draft report)
I. INTRODUCTION AND BACKGROUND
Introduction
This final audit report details the findings, conclusions, and recommendations resulting from our
performance audit of the Inventory and Management of the U.S. Office of Personnel
Management's (OPM's) Sensitive Property.
The audit was performed by OPM's Office of the Inspector General (OIG) as authorized by the
Inspector General Act of 1978, as amended.
Background
Securing mobile information technology (IT) devices (sensitive property), such as laptops or
BlackBerries, has become an important PaIt of federal agencies' asset management
responsibilities in recent years due to reports ofloss or theft oflaptops at various federal
agencies and the risk that personally identifiable infonnation may be compromised.
41 Code of Federal Regulations (CFR) 101-27.101 states that "Each agency shall establish and
maintain control of personal property inventories ...." OPM's Center for Contracting, Facilities,
and Administrative Services (CCFAS) formulates the overall personal property guidance for the
agency. OPM's Personal Property Handbook (Handbook) developed by CCFAS provides the
policies and procedures to ensure the effective management of its personal property and
establishes the roles and responsibilities of program offices. Each OPM office has a designated
property custodian who is responsible for the management of the property assigned to their
office.
Section III D (4) of the Handbook defines sensitive property as property that is controlled,
regardless of unit acquisition cost, because it is highly susceptible to theft or abuse or is vital to
mission accomplishment. Examples of sensitive property per OPM's definition are laptops and
BlackBerries. OPM laptops are centrally managed by the Management Services Division's
(MSD), Center for Information Services' (CIS), Network Management Group (NMG). Some
offices, like the OIG, have a business case exception for maintaining their IT inventory
separately from the agency because of their unique IT resource needs.
NMG's Asset Management Plan (AMP) provides a framework of policies and procedures to
account for, manage, and protect the integrity of OPM IT assets. NMG works with the OPM
divisions' property custodians (with the exception of the OIG) to keep the laptop inventory
records complete and accurate. NMG uses a tool called Remedy Asset Manager (RAM) to track
asset accountability, location, maintenance, asset owners and lifecyc1e status processes. The
Configuration Management Database (CMDB) is a database used by NMG to detail the histories
and relationships of all IT assets, and is the central source of information on all IT assets. The
OIG has its own system for recording and maintaining its laptop inventory.
If an agency has excess personal property that is no longer needed, 41 CFR 102-36 requires the
agency to submit that information to the General Services Administration (GSA) via standard
form (SF) 120A. Excess property is defined in 41 CFR 102-36.30 as property that is no longer
needed by the activities within an agency to carry out the functions of official programs, as
determined by the agency head or designee. 40 U.S. Code Section 524 states that agencies are to
continuously survey property to detennine which is excess and to transfer or dispose of such
property as promptly as possible. Each OPM program division is responsible for identifying the
excess property for disposal. The property custodians for the program divisions coordinate with
CCFAS to prepare the SF-120A itemizing the excess property and submit the forms and the
property to CCF AS for disposal through GSA .
.
No previous audits ofOPM's controls over sensitive property have been performed.
The initial results of our audit were discussed with OPM officials during an exit conference. A
draft report was issued on March 19, 2009. CCFAS' and CIS' responses to the draft report were
considered for this final report and are included as Appendices.
2
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objectives·
The primary objective of our audit was to detennine if OPM has effective controls in place to
safeguard and ensure accountability of sensitive property. Specifically, our objectives were to:
• Detennine the completeness ofOPM's laptop inventory;
• Assess compliance with OPM property management procedures for sensitive property;
and
• Determine the physical existence of sampled sensitive property.
The recommendations included in this final report address these obj ectives.
Scope and Methodology
Our performance audit was conducted in accordance with generally accepted government
auditing standards as established by the Comptroller General of the United States. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
The scope of our audit covered policies and procedures for fiscal year (FY) 2008 governing
OPM's management and inventory of the following sensitive property: laptops, BlackBerries
and Federal Investigative Services Division (FISD) Global Positioning Systems (OPS). The
current laptop inventory scope consisted of OPM' s FY 2007 inventory. The scope of OPM' s
new laptop purchases made by NMG was March 2008. The scope ofOPM's BlackBerry
inventory, FISD's GPS inventory, and OPM's disposed BlackBerries and laptops was FY 2008.
We performed this audit from September 11, 2008 through February 19,2009 at OPM
headquarters in Washington, D.C.
To accomplish the audit objectives noted above, we:
• Reviewed applicable laws and regulations governing OPM's inventory and property
management;
• Reviewed OPM's internal property management policies and procedures;
• Reviewed OPM's program offices' processes for handling sensitive property;
• Sampled and tested laptops, Blackberries, and GPS units for physical existence; and
• Interviewed key representatives from OPM's program offices and the sampled program
offices responsible for inventory and management of sensitive property.
3
In planning our work and gaining an understanding of the internal controls over OPM's
management and inventory of sensitive property, we considered the internal control structure to
the extent necessary to develop our audit procedures. These procedures were mainly substantive
in nature, although we did gain an understanding of management procedures and controls to the
extent necessary to achieve our audit objectives. The purpose of our audit was not to provide an
opinion on internal controls, but merely to evaluate controls over the processes that were
included in the scope of our audit. Our audit included such tests of OPM's sensitive property
inventory records and other auditing procedures as we considered necessary under the
circumstances. The results of our tests indicate that, with respect to the items tested, CCFAS,
NMG, and the sampled OPM program offices did not have effective controls in place for the
inventory and management of sensitive property, as set forth in the details of this audit report.
In conducting our audit, we judgmentally selected six out of eight program divisions to perform
our detailed audit procedures. We used Interactive Data Extraction Analysis software to select
random samples of sensitive property for testing. Samples were selected to verify physica1
existence as follows:
Laptop_s BlackBerries GPS Units
Divisions Sampled Universe Sampled Universe Sampled Universe
Federal 15 444 9 54 150 1572
Investigative
Services Division
(FISD)
Office of the 10 167 11 44
Inspector General
(OIG)
Human Resources 18 221 43 168
Products· and
Services (HRPS)
Human Capital 4 56 2 16
Leadership and
Melit System
Accountability
JHCLMSA)
Office of the Chief 5 48 4 29
Financial Officer
(OCFO)
~-.-
Strategic Human 13 42 13 38
Resources Policy
(SHRP)
Total 65 978 82 349 150 1572
4
In addition, we selected the seven laptops purchased by NMG in March 2008 to test for
compliance with their policies for recording new laptop purchases in inventory. We also
selected the 17 BlackBerries excised by HCLMSA and OCFO, and 6 laptops excised by OCFO
and SHRP during FY 2008 to test for comp1iance with federal regulations and OPM procedures
for disposal of excess property.
The results from the various samples were not projected to the population.
5
III. AUDIT FINDINGS AND RECOMMENDATIONS
Our audit disclosed that with respect to the items tested, OPM does not have effective controls in place
for the inventory and management of sensitive property. The areas requiring improvement are
described below.
A. OPM's Laptop Inventory
1. Incomplete Laptop Inventory
Network Management Group's (NMG's) inventory of OPM laptops is incomplete. We
found that the inventories for the offices sampled contained incomplete information.
Specifically, 48 of 65 laptop inventory records provided by NMG were missing identifying
information, such as asset tag numbers, acquisition dates, locations, and serial numbers. In
addition, we noted that tlrree program offices were omitted from the inventories provided.
41 Code of Federal Regulations 101-27.101 states t~at "Each agency shall establish and
maintain control of personal property inventories ... " and "inventories may be considered to
be composed of active inventory which is that portion carried to satisfy average expected
demand."
OPM's Personal Property Handbook states that "The General Services Administration
(GSA), the Office of Management and Budget (OMB), and the Government Accountability
Office (GAO) require Federal agencies to establish and maintain an automated system
capable of controlling physical assets and managing all persona] property."
NMG's Asset Management Plan (AMP) states that all IT assets are to be tracked within an
. automated tool and the asset management team is responsible for maintaining inventory.
NMG does not maintain a complete and up-to-date centralized laptop inventory database
incorporating the inventory data obtained from the OPM property custodians.
By not maintaining a centralized laptop inventory of all OPM owned laptops, there is an
increased risk for theft, loss, or misappropriation to occur without detection.
Recommendation 1
We recommend that OPM's NMG perform a comprehensive inventory of all OPM-owned
laptops to ensure that the inventory is complete and accurate.
Center for Information Services' (CIS) Response:
"CIS accepts the OIG recommendation. As planned, we began to update an inventory of the
assets in February. The inventory is expected to be completed by June 26,2009. CISfNMG
will also conduct spot inventory checks during quarterly security audits. CISfNMG will
6
contact all Program Offices and update the centralized laptop inventory database with
inventory data obtained from the OPM property custodians by June 26,2009."
2. Inadequate Controls Over the Laptop Inventory
NMG and OPM program divisions do not have adequate controls in place to account for
OPM's laptop inventory. Specifically, NMG and OPM program offices could not produce
evidence to verify the physical existence of 19 of 65 laptops in our sample. We identified a
lack of a comprehensive inventory of program offices' laptops and consistent updating of
inventory records in the Remedy Asset Manager (RAM) tool as changes occur.
41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and
maintain control of personal property inventories ... " and "inventories may be considered to
be composed of active inventory which is that portion carried to satisfy average expected
demand."
OPM is unable to detennine whether miSSing laptops represent recordkeeping errors, loss,
theft, or misappropriation of equipment. In addition, missing laptops increases the risk that
Personally Identifiable Infonnation may be compromised. The details of the inventory in
question have been provided to NMG and the program divisions separate from this report.
Recommendation 2
We recommend that NMG and aPM program divisions work together to conduct a
comprehensive inventory ofOPM program offices' laptops and timely update the RAM to
record changes, including turn-ins, transfers, replacement of equipment, and disposals.
CIS'Response:
"CIS accepts the OIG recommendation and will work to implement a solution with the OPM
program offices. See also response to Reconunendation I."
Center for Contracting, Facilities, and Administrative Services' (CCFAS) Response:
"We concur with the recommendation that OPM program divisions work together to conduct
a comprehensive inventory oflaptops with timely update ofrecord changes, including turn
ins, transfers, replacement of equipment and disposal. In addition, in order to further
strengthen internal controls over sensitive property items, we have formed a Personal
Property Task Team with representation from several program offices to identify actions we
can take to ensure appropriate accountability for all property items."
Recommendation 3
We recommend that NMG work with the program divisions' property custodians to research
the 19 missing laptops. lfthe laptops cannot be accounted for, NMG and the program
7
divisions should detennine if the laptops contain Personally Identifiable Infollnation (PH)
and take the appropriate reporting action.
CIS' Response:
"CIS accepts the OIG recommendation and will work with the property custodians to locate
any missing laptops and determine ifPII is likely to have been lost. Appropriate action wil1
be taken once a loss is detennined."
3. Inventory Management Controls Not Followed
NMG is not compliant with inventory management controls as stated in its AMP.
Specifically:
• 42 of the 65 laptops sampled did not have OPM asset tags, and
• All seven of the new laptop purchases in March 2008 were not recorded in inventory
within one hour of delivery.
In addition, we noted that the OIG does not inventory laptops upon delivery and receipt
because the laptops are tested by the IT staff first, which takes approximately one to two
weeks.
NMG's AMP Section 2.6, Equipment Management, states that all IT assets costing more than
$100 require an OPM asset tag and delivered assets must be verified, inventoried, and stored
by NMG's asset management team within one hour of delivery.
Based on this finding and the previous two, our conclusion is that a weak IT asset control
environment exists within OPM. As a result, the risk of theft increases when assets are not
_ tagged for identification and new purchases are not verified, inventoried, and stored in a
timely manner.
Recommendation 4 .
We recommend that NMG develop internal controls to ensure that asset tags are placed on all
OPM laptops (existing and new) and update the RAM accordingly.
CIS'Response:
"CIS accepts the OIG recommendation. Part of the help desk imaging and configuration
process for laptops includes a step to place an asset tag on all laptops they service or deploy.
CISfNMG will also schedule the work to place asset tags on laptops missing the asset tags
and update the RAM accordingly."
8
Recommendation 5
We recommend that NMG develop internal controls to ensure that all new laptop purchases
are verified, inventoried, and stored within one hour of delivery, as stated in the AMP.
CIS'Response:
"CIS accepts the OIG recorrunendation and factual finding. Placing laptops in the Asset
Management Plan (AMP) [RAM] within an hour after arrival is not always practical or
realistic. Given the asset team staffing level and hours of operation, adding new laptops into
the AMP [RAM] within an hour may not always be possible. On occasion laptop shipments
arrive in large quantities or late in the day. The sheer volume and time of delivery are among
other variables that prove to be barriers getting each new laptop entered in the RAM within
one hour. CIStNMG will update the AMP modifying help desk procedures. The updated
procedure will state that new laptops are added to the AMP [RAM] within 8 hours. We do
not believe these assets will be at risk with this approach. The storage area is monitored or
locked. The laptops will be in a safe location."
B. OPM's BlackBerry Inventory
1. Lack of Controls Over OPM's BlackBerry Inventory
OPM's program divisions do not have adequate controls to account for their BlackBerry
inventories. Specifically, OPM was unable to support the physical existence of 15 out of 105
BlackBerries sampled. The inventory details pertaining to this finding have been provided to
CCFAS and the affected program divisions separately from this report.
41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and
maintain control of personal property inventories ...."
OPM's Personal Property Management Handbook (Handbook), section III D (4), states that
OPM program offices will maintain appropriate controls over sensitive property.
BlackBerries are defined as sensitive property in OPM's Handbook.
OPM's program divisions did not maintain appropriate controls over their BlackBerry
inventories. They were unable to determine whether missing BlackBerries represent
recordkeeping errors, loss, theft, or misappropriation of equipment. OPM's Handbook does
not provide specific inventory management guidance for OPM program divisions to follow.
Recommendation 6
We recommend that CCFAS develop and implement guidance to ensure proper controls over
OPM BlackBenies.
9
CCFAS' Response:
"CCFAS concurs that controls over OPM's Blackberry inventory are not adequate. The
Personal Property Task Team is developing recommendations to improve procedures and
controls, which will include OPM's Blackberry inventory."
CIS' Response:
"CIS accepts the recommendation. CIS has no comments."
C. OPM's Disposal of Excess Sensitive Property
1. Lack of Controls for Disposal of Excess Sensitive Property
CCFAS does not have adequate controls in place to ensure that OPM's excess sensitive
property is disposed of in accordance with federal property regulations. Our interviews with
program divisions' representatives revealed the following control weaknesses with respect to
disposal of excess sensitive property:
• Several program divisions were unclear of the process for disposing of excess
sensitive property; and,
• One program division disposes of its own excess property instead of coordinating the
disposal through CCFAS.
Our testing of the excess sensitive property, identified as being disposed of during FY 2008,
revealed the following control weaknesses:
• CCFAS and NMG could not support the disposal of the six laptops; and,
• Two program divisions and CCFAS could not support the disposal of 17
BlackBerries.
41 CFR 102-36.30 states that personal property is excess when it is no longer needed by an
agency to carry out the functions of official programs, as determined by the agency head or
designee. Subsection 35 ofthe same section states that agencies declare property not needed
as excess and report it to GSA for possible transfer to eligible recipients.
CCFAS' property management policy lacks detailed guidance for the disposal of excess
OPM property. In addition, OPM program divisions have an imidequate understanding of
NMG's excess laptop disposal procedures. As a result, OPM is not in compliance with
41 CFR 102-36.
Recommendation 7
We recommend that CCFAS develop and implement specific procedures and controls to
ensure compliance with the disposal of excess sensitive property in accordance with
41 CFR 102-36.
10
CCFAS' Response:
"We concur with the recommendation that CCFAS develop and implement specific
procedures and controls to ensure compliance with the disposal of excess sensitive property,
in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is
also developing recommendations to tighten procedures and controls associated with the
handling of excess sensitive property."
CIS'Response:
"CIS accepts the recommendation. CIS has no comments."
11
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Internal Audits Group
uditor-In-Charge/Lead Auditor
Lead Auditor
Senior Team Leader
Chief
12
APPENDIX A
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
agement Services
Division APR 1 J 2111
MEMORANDUM FOR
Chief, Internal Audits Group
o
FROM: TINA B. McGUIRE.:Jt 1~ .J3 . i5Y\ll}~
Deputy Associate Director
Center for Contracting, Facilities and Administrative Services
SUBJECT: Draft Report on the Audit of the Inventory and Management
of the U.S. Office of Personnel Management's Sensitive
Property (Report No. 4A-CA-OO-08-036)
In reply to your Memorandum, dated March] 9, 2009, subject as above, we offer the comments
below.
Deleted by OPM
Not Relevant to Final Report
Recommendation 2
We concur with the recommendation that aPM program divisions work together to conduct a
comprehensive inventory of laptops with timely update of record changes, including tum-ins,
transfers, replacement of equipment and disposal. In addition, in order to further strengthen
internal controls over sensitive property items, we have formed a Personal Property Task Team
with representation from several program offices to identify actions we can take to ensure
appropriate accountability for all property items.
Recommendation 3
Deleted by OPM
Not Relevant to Final Report
www.opm.gov Our mission is toensure the-F~dcr;jl Government has an effective civilian workforce www.usaJobs.gov
WILLIAM W. SCOTT. JR.
Page 2 of2
Recommendation 6
As noted in Current Status under this recommendation in the Draft Report)_CCF AS concurs that
controls over OPM's Blackberry inventory are not adequate. The Personal Property Task Team
is developing recommendations to improve procedures and controls, which will include OPM's
Blackberry inventory.
Recommendation 7
We concur with the recommendation that CCFAS develop and implement specific procedures
and controls to ensure compliance with the disposal of excess sensitive property,
in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is also
developing recommendations to tighten procedures and controls associated with the handling of
excess sensitive property.
Thank you for the opportunity to provide comments. If you have questions, please contact
Charles Mace, Chief, Facilities Services Branch, at 202-606-2502.
APPENDIXB
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Management Services
Division
April 20, 2009
MEMORANDUM FOR WILLIAM W. SCOTT, JR.
Chief, Internal Audits Group
, 1·, j~l~
FROM: JANET L. BARNES r\ r>< L'WtA/I- \
Chief Information Officer
SUBJECT: Program Office Response to Draft Report 4A-CA-00-08-036,
"Audit of the Inventory and Management of the U.S. Office of
Personnel Management's Sensitive Property"
Thank you for the opportunity to comment on the Office of the Inspector General (DIG)
Draft Report 4A-CA-OO-08-036, "Audit of the Inventory and Management of the U.S.
Office of Personnel Management's Sensitive Property"
The Center for Information Services (CIS) has reviewed the report and agrees with the
findings, conclusions, and recommendations presented. CIS will take the following
actions to address the 01G recommendations.
Recommendation 1: (Incomplete Laptop Inventory)
We recommend that OPM's NMG perform a comprehensive inventory of all OPM
owned laptops to ensure that the inventory is complete and accurate.
CIS Response:
CIS accepts the DIG recommendation. As planned, we began to update an inventory of
the assets in February. The inventory is expected to be completed by June 26, 2009.
CISINMG will also conduct spot inventory checks during quarterly security audits.
CISINMG will contact all Program Offices and update the centralized laptop inventory
database with inventory data obtained from the OPM property custodians by June 26,
2009.
Recommendation 2: (Inadequate Laptop Inventory Controls)
www.opm.gov Our mission is 10 ensure the Federal Government has an effective civilian workforce www.usaJobs.gov
We recommend that NMG and OPM program divisions work together to conduct a
comprehensive inventory ofOPM program offices' laptops and timely update the
Remedy Access Manager (RAM) to record changes, including turn-ins, transfers,
replacement of equipment, and disposal.
CIS Response:
CIS accepts the OIG recommendation and will work to implement a solution with the
OPM program offices. See also response to Recommendation 1.
----------------~----------------------------------------------~---~---------------------------
Recommendation 3: (Inadequate Laptop Inventory Controls)
We recommend that NMG work with the program divisions' property custodiansto
research the 19 missing laptops. lfthe laptops cannot be accounted for, NMG and the
program divisions should determine if the laptops contain Personally Identifiable
Information and take the appropriate reporting action.
"CIS Response:
CIS accepts the OIG recommendation and will work with the property custodians to
locate any missing laptops and determine if PII is likely to have been lost. Appropriate
action will be taken once a loss is determined.
Recommendation 4: (NMG~s Asset Management Controls not Followed)
We recommend that NMG develop internal controls to ensure that asset tags are placed
on all OPM laptops (existing and new) and update the RAM accordingly.
__CIScResponse;
··CIS accepts the OIG recommendation. Part ofthe help desk imaging and configuration
process for laptops includes a step to place an aSSet tag on all laptops they service or
deploy. CISINMG wj]} also schedule the work to place asset tags on laptops missing the
asset tags and update the RAM accordingly.
Recommendation 5: (NMG's Asset Management Controls not Followed)
We recommend that NMG develop internal controls to ensure that all new laptop
purchases are verified, inventoried, and stored within one hour of delivery as stated in the
AMP.
CIS Response:
CIS accepts the OIG recommendation and factual finding. Placing laptops in the Asset
Management Plan (AMP) within an hour after arrival is not always practical or realistic.
Given the asset team staffing level and hours of operation, adding new laptops into the
AMP within an hour may not always be possible. On occasion laptop shipments arrive in
large quantities or late in the day. The sheer volume and time of delivery are among other
variables that prove to be barriers getting each new laptop entered in the RAM within one
houT. CISINMG will update the AMP modifying help desk procedures. The updated
procedure will state that new laptops are added to the AMP within 8 hours. We do not
believe these assets will be at risk with this approach. The storage area is monitored or
locked. The laptops will be in a safe location.
Recommendation 6: (Lack of Controls over OPM's BlackBerry Inventory)
We recommend that CCFAS develop and implement guidance to ensure proper controls
over OPM BlackBerries.
CIS Response: .
CIS accepts the recommendation. CIS has no comments.
Recommendation 7: _
We recommend that CCFAS develop and implement specific procedures and controls to
ensure compliance with the disposal of excess sensitive property in accordance with 41
CFR 102-36.
CIS Response:
CIS accepts the recommendation. CIS has no comments.
cc: TINA B. McGUIRE
Deputy Associate Director
Center for Contracting, Facilities, and Administrative Services
DAVID M. CUSHING
Deputy Chief Financial Officer
BRADLEY A. EGGERS
Senior Agency Information Security Officer (SAl SO), Acting
Audit of the Inventory and Management of The U.S. Office of Personnel Management's Sensitive Property
Published by the Office of Personnel Management, Office of Inspector General on 2009-06-15.
Below is a raw (and likely hideous) rendition of the original report. (PDF)