U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject: AUDIT OF THE INVENTORY AND MANAGEMENT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S SENSITIVE PROPERTY

Report No. 4A-CA-00-08-036
Date: June 15, 2009

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905); therefore, while this audit report is available under the Freedom of Information Act, caution needs to be exercised before releasing the report to the general public.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Michael R. Esser
Assistant Inspector General for Audits

www.opm.gov www.usajobs.gov

EXECUTIVE SUMMARY

The Office of the Inspector General has completed a performance audit of the Inventory and Management of the U.S. Office of Personnel Management's (OPM's) Sensitive Property. Our main objective was to determine whether OPM has effective controls in place to safeguard and ensure accountability of sensitive property. In order to make this determination, our audit included the following specific objectives: (1) determine the completeness of OPM's laptop inventory; (2) assess compliance with OPM property management procedures for sensitive property; and (3) determine the physical existence of sampled sensitive property.
Our audit was conducted from September 11, 2008 through February 19, 2009 at OPM headquarters in Washington, D.C. Our audit identified five areas requiring improvement.

A. OPM's Laptop Inventory

1. Incomplete Laptop Inventory
The Network Management Group's inventory of OPM laptops is incomplete.

2. Inadequate Controls Over the Laptop Inventory
OPM does not have adequate controls to account for its laptop inventory.

3. Inventory Management Controls Not Followed
The Network Management Group is not compliant with inventory management controls as stated in the Asset Management Plan.

B. OPM's BlackBerry Inventory

1. Lack of Controls Over OPM's BlackBerry Inventory
OPM does not have adequate controls to account for its BlackBerry inventories.

C. OPM's Disposal of Excess Sensitive Property

1. Lack of Controls for the Disposal of Excess Sensitive Property
CCFAS does not have adequate controls in place to ensure that excess sensitive property is disposed of in accordance with federal property regulations.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
I. INTRODUCTION AND BACKGROUND
II. OBJECTIVES, SCOPE, AND METHODOLOGY
III. AUDIT FINDINGS AND RECOMMENDATIONS
  A. OPM's Laptop Inventory
    1. Incomplete Laptop Inventory
    2. Inadequate Controls Over the Laptop Inventory
    3. Inventory Management Controls Not Followed
  B. OPM's BlackBerry Inventory
    1. Lack of Controls Over OPM's BlackBerry Inventory
  C. OPM's Disposal of Excess Sensitive Property
    1. Lack of Controls for Disposal of Excess Sensitive Property
IV. MAJOR CONTRIBUTORS TO THIS REPORT
APPENDIX A (Center for Contracting, Facilities, and Administrative Services' Response, dated April 17, 2009, to our draft report)
APPENDIX B (Center for Information Services' Response, dated April 20, 2009, to our draft report)

I. INTRODUCTION AND BACKGROUND

Introduction

This final audit report details the findings, conclusions, and recommendations resulting from our performance audit of the Inventory and Management of the U.S. Office of Personnel Management's (OPM's) Sensitive Property. The audit was performed by OPM's Office of the Inspector General (OIG) as authorized by the Inspector General Act of 1978, as amended.

Background

Securing mobile information technology (IT) devices (sensitive property), such as laptops or BlackBerries, has become an important part of federal agencies' asset management responsibilities in recent years due to reports of loss or theft of laptops at various federal agencies and the risk that personally identifiable information may be compromised.

41 Code of Federal Regulations (CFR) 101-27.101 states that "Each agency shall establish and maintain control of personal property inventories ...." OPM's Center for Contracting, Facilities, and Administrative Services (CCFAS) formulates the overall personal property guidance for the agency. OPM's Personal Property Handbook (Handbook) developed by CCFAS provides the policies and procedures to ensure the effective management of its personal property and establishes the roles and responsibilities of program offices. Each OPM office has a designated property custodian who is responsible for the management of the property assigned to their office.

Section III D (4) of the Handbook defines sensitive property as property that is controlled, regardless of unit acquisition cost, because it is highly susceptible to theft or abuse or is vital to mission accomplishment. Examples of sensitive property per OPM's definition are laptops and BlackBerries.
OPM laptops are centrally managed by the Management Services Division's (MSD), Center for Information Services' (CIS), Network Management Group (NMG). Some offices, like the OIG, have a business case exception for maintaining their IT inventory separately from the agency because of their unique IT resource needs. NMG's Asset Management Plan (AMP) provides a framework of policies and procedures to account for, manage, and protect the integrity of OPM IT assets. NMG works with the OPM divisions' property custodians (with the exception of the OIG) to keep the laptop inventory records complete and accurate.

NMG uses a tool called Remedy Asset Manager (RAM) to track asset accountability, location, maintenance, asset owners and lifecycle status processes. The Configuration Management Database (CMDB) is a database used by NMG to detail the histories and relationships of all IT assets, and is the central source of information on all IT assets. The OIG has its own system for recording and maintaining its laptop inventory.

If an agency has excess personal property that is no longer needed, 41 CFR 102-36 requires the agency to submit that information to the General Services Administration (GSA) via standard form (SF) 120A. Excess property is defined in 41 CFR 102-36.30 as property that is no longer needed by the activities within an agency to carry out the functions of official programs, as determined by the agency head or designee. 40 U.S. Code Section 524 states that agencies are to continuously survey property to determine which is excess and to transfer or dispose of such property as promptly as possible.

Each OPM program division is responsible for identifying the excess property for disposal. The property custodians for the program divisions coordinate with CCFAS to prepare the SF-120A itemizing the excess property and submit the forms and the property to CCFAS for disposal through GSA.

No previous audits of OPM's controls over sensitive property have been performed.
The initial results of our audit were discussed with OPM officials during an exit conference. A draft report was issued on March 19, 2009. CCFAS' and CIS' responses to the draft report were considered for this final report and are included as Appendices.

II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The primary objective of our audit was to determine if OPM has effective controls in place to safeguard and ensure accountability of sensitive property. Specifically, our objectives were to:

• Determine the completeness of OPM's laptop inventory;
• Assess compliance with OPM property management procedures for sensitive property; and
• Determine the physical existence of sampled sensitive property.

The recommendations included in this final report address these objectives.

Scope and Methodology

Our performance audit was conducted in accordance with generally accepted government auditing standards as established by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The scope of our audit covered policies and procedures for fiscal year (FY) 2008 governing OPM's management and inventory of the following sensitive property: laptops, BlackBerries and Federal Investigative Services Division (FISD) Global Positioning Systems (GPS). The current laptop inventory scope consisted of OPM's FY 2007 inventory. The scope of OPM's new laptop purchases made by NMG was March 2008. The scope of OPM's BlackBerry inventory, FISD's GPS inventory, and OPM's disposed BlackBerries and laptops was FY 2008. We performed this audit from September 11, 2008 through February 19, 2009 at OPM headquarters in Washington, D.C.
To accomplish the audit objectives noted above, we:

• Reviewed applicable laws and regulations governing OPM's inventory and property management;
• Reviewed OPM's internal property management policies and procedures;
• Reviewed OPM's program offices' processes for handling sensitive property;
• Sampled and tested laptops, BlackBerries, and GPS units for physical existence; and
• Interviewed key representatives from OPM's program offices and the sampled program offices responsible for inventory and management of sensitive property.

In planning our work and gaining an understanding of the internal controls over OPM's management and inventory of sensitive property, we considered the internal control structure to the extent necessary to develop our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. The purpose of our audit was not to provide an opinion on internal controls, but merely to evaluate controls over the processes that were included in the scope of our audit.

Our audit included such tests of OPM's sensitive property inventory records and other auditing procedures as we considered necessary under the circumstances. The results of our tests indicate that, with respect to the items tested, CCFAS, NMG, and the sampled OPM program offices did not have effective controls in place for the inventory and management of sensitive property, as set forth in the details of this audit report.

In conducting our audit, we judgmentally selected six out of eight program divisions to perform our detailed audit procedures. We used Interactive Data Extraction Analysis software to select random samples of sensitive property for testing.
Samples were selected to verify physical existence as follows:

| Divisions | Laptops Sampled | Laptops Universe | BlackBerries Sampled | BlackBerries Universe | GPS Units Sampled | GPS Units Universe |
|---|---|---|---|---|---|---|
| Federal Investigative Services Division (FISD) | 15 | 444 | 9 | 54 | 150 | 1572 |
| Office of the Inspector General (OIG) | 10 | 167 | 11 | 44 | | |
| Human Resources Products and Services (HRPS) | 18 | 221 | 43 | 168 | | |
| Human Capital Leadership and Merit System Accountability (HCLMSA) | 4 | 56 | 2 | 16 | | |
| Office of the Chief Financial Officer (OCFO) | 5 | 48 | 4 | 29 | | |
| Strategic Human Resources Policy (SHRP) | 13 | 42 | 13 | 38 | | |
| Total | 65 | 978 | 82 | 349 | 150 | 1572 |

In addition, we selected the seven laptops purchased by NMG in March 2008 to test for compliance with their policies for recording new laptop purchases in inventory. We also selected the 17 BlackBerries excised by HCLMSA and OCFO, and 6 laptops excised by OCFO and SHRP during FY 2008 to test for compliance with federal regulations and OPM procedures for disposal of excess property.

The results from the various samples were not projected to the population.

III. AUDIT FINDINGS AND RECOMMENDATIONS

Our audit disclosed that with respect to the items tested, OPM does not have effective controls in place for the inventory and management of sensitive property. The areas requiring improvement are described below.

A. OPM's Laptop Inventory

1. Incomplete Laptop Inventory

Network Management Group's (NMG's) inventory of OPM laptops is incomplete. We found that the inventories for the offices sampled contained incomplete information. Specifically, 48 of 65 laptop inventory records provided by NMG were missing identifying information, such as asset tag numbers, acquisition dates, locations, and serial numbers. In addition, we noted that three program offices were omitted from the inventories provided.

41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and maintain control of personal property inventories ..." and "inventories may be considered to be composed of active inventory which is that portion carried to satisfy average expected demand."

OPM's Personal Property Handbook states that "The General Services Administration (GSA), the Office of Management and Budget (OMB), and the Government Accountability Office (GAO) require Federal agencies to establish and maintain an automated system capable of controlling physical assets and managing all personal property."

NMG's Asset Management Plan (AMP) states that all IT assets are to be tracked within an automated tool and the asset management team is responsible for maintaining inventory.

NMG does not maintain a complete and up-to-date centralized laptop inventory database incorporating the inventory data obtained from the OPM property custodians. By not maintaining a centralized laptop inventory of all OPM owned laptops, there is an increased risk for theft, loss, or misappropriation to occur without detection.

Recommendation 1

We recommend that OPM's NMG perform a comprehensive inventory of all OPM-owned laptops to ensure that the inventory is complete and accurate.

Center for Information Services' (CIS) Response:

"CIS accepts the OIG recommendation. As planned, we began to update an inventory of the assets in February. The inventory is expected to be completed by June 26, 2009. CIS/NMG will also conduct spot inventory checks during quarterly security audits. CIS/NMG will contact all Program Offices and update the centralized laptop inventory database with inventory data obtained from the OPM property custodians by June 26, 2009."

2. Inadequate Controls Over the Laptop Inventory

NMG and OPM program divisions do not have adequate controls in place to account for OPM's laptop inventory. Specifically, NMG and OPM program offices could not produce evidence to verify the physical existence of 19 of 65 laptops in our sample.
We identified a lack of a comprehensive inventory of program offices' laptops and consistent updating of inventory records in the Remedy Asset Manager (RAM) tool as changes occur.

41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and maintain control of personal property inventories ..." and "inventories may be considered to be composed of active inventory which is that portion carried to satisfy average expected demand."

OPM is unable to determine whether missing laptops represent recordkeeping errors, loss, theft, or misappropriation of equipment. In addition, missing laptops increases the risk that Personally Identifiable Information may be compromised.

The details of the inventory in question have been provided to NMG and the program divisions separate from this report.

Recommendation 2

We recommend that NMG and OPM program divisions work together to conduct a comprehensive inventory of OPM program offices' laptops and timely update the RAM to record changes, including turn-ins, transfers, replacement of equipment, and disposals.

CIS' Response:

"CIS accepts the OIG recommendation and will work to implement a solution with the OPM program offices. See also response to Recommendation 1."

Center for Contracting, Facilities, and Administrative Services' (CCFAS) Response:

"We concur with the recommendation that OPM program divisions work together to conduct a comprehensive inventory of laptops with timely update of record changes, including turn-ins, transfers, replacement of equipment and disposal. In addition, in order to further strengthen internal controls over sensitive property items, we have formed a Personal Property Task Team with representation from several program offices to identify actions we can take to ensure appropriate accountability for all property items."

Recommendation 3

We recommend that NMG work with the program divisions' property custodians to research the 19 missing laptops.
If the laptops cannot be accounted for, NMG and the program divisions should determine if the laptops contain Personally Identifiable Information (PII) and take the appropriate reporting action.

CIS' Response:

"CIS accepts the OIG recommendation and will work with the property custodians to locate any missing laptops and determine if PII is likely to have been lost. Appropriate action will be taken once a loss is determined."

3. Inventory Management Controls Not Followed

NMG is not compliant with inventory management controls as stated in its AMP. Specifically:

• 42 of the 65 laptops sampled did not have OPM asset tags, and
• All seven of the new laptop purchases in March 2008 were not recorded in inventory within one hour of delivery.

In addition, we noted that the OIG does not inventory laptops upon delivery and receipt because the laptops are tested by the IT staff first, which takes approximately one to two weeks.

NMG's AMP Section 2.6, Equipment Management, states that all IT assets costing more than $100 require an OPM asset tag and delivered assets must be verified, inventoried, and stored by NMG's asset management team within one hour of delivery.

Based on this finding and the previous two, our conclusion is that a weak IT asset control environment exists within OPM. As a result, the risk of theft increases when assets are not tagged for identification and new purchases are not verified, inventoried, and stored in a timely manner.

Recommendation 4

We recommend that NMG develop internal controls to ensure that asset tags are placed on all OPM laptops (existing and new) and update the RAM accordingly.

CIS' Response:

"CIS accepts the OIG recommendation. Part of the help desk imaging and configuration process for laptops includes a step to place an asset tag on all laptops they service or deploy. CIS/NMG will also schedule the work to place asset tags on laptops missing the asset tags and update the RAM accordingly."
Recommendation 5

We recommend that NMG develop internal controls to ensure that all new laptop purchases are verified, inventoried, and stored within one hour of delivery, as stated in the AMP.

CIS' Response:

"CIS accepts the OIG recommendation and factual finding. Placing laptops in the Asset Management Plan (AMP) [RAM] within an hour after arrival is not always practical or realistic. Given the asset team staffing level and hours of operation, adding new laptops into the AMP [RAM] within an hour may not always be possible. On occasion laptop shipments arrive in large quantities or late in the day. The sheer volume and time of delivery are among other variables that prove to be barriers getting each new laptop entered in the RAM within one hour. CIS/NMG will update the AMP modifying help desk procedures. The updated procedure will state that new laptops are added to the AMP [RAM] within 8 hours. We do not believe these assets will be at risk with this approach. The storage area is monitored or locked. The laptops will be in a safe location."

B. OPM's BlackBerry Inventory

1. Lack of Controls Over OPM's BlackBerry Inventory

OPM's program divisions do not have adequate controls to account for their BlackBerry inventories. Specifically, OPM was unable to support the physical existence of 15 out of 105 BlackBerries sampled. The inventory details pertaining to this finding have been provided to CCFAS and the affected program divisions separately from this report.

41 Code of Federal Regulations 101-27.101 states that "Each agency shall establish and maintain control of personal property inventories ...."

OPM's Personal Property Management Handbook (Handbook), section III D (4), states that OPM program offices will maintain appropriate controls over sensitive property. BlackBerries are defined as sensitive property in OPM's Handbook.

OPM's program divisions did not maintain appropriate controls over their BlackBerry inventories.
They were unable to determine whether missing BlackBerries represent recordkeeping errors, loss, theft, or misappropriation of equipment. OPM's Handbook does not provide specific inventory management guidance for OPM program divisions to follow.

Recommendation 6

We recommend that CCFAS develop and implement guidance to ensure proper controls over OPM BlackBerries.

CCFAS' Response:

"CCFAS concurs that controls over OPM's Blackberry inventory are not adequate. The Personal Property Task Team is developing recommendations to improve procedures and controls, which will include OPM's Blackberry inventory."

CIS' Response:

"CIS accepts the recommendation. CIS has no comments."

C. OPM's Disposal of Excess Sensitive Property

1. Lack of Controls for Disposal of Excess Sensitive Property

CCFAS does not have adequate controls in place to ensure that OPM's excess sensitive property is disposed of in accordance with federal property regulations.

Our interviews with program divisions' representatives revealed the following control weaknesses with respect to disposal of excess sensitive property:

• Several program divisions were unclear of the process for disposing of excess sensitive property; and,
• One program division disposes of its own excess property instead of coordinating the disposal through CCFAS.

Our testing of the excess sensitive property, identified as being disposed of during FY 2008, revealed the following control weaknesses:

• CCFAS and NMG could not support the disposal of the six laptops; and,
• Two program divisions and CCFAS could not support the disposal of 17 BlackBerries.

41 CFR 102-36.30 states that personal property is excess when it is no longer needed by an agency to carry out the functions of official programs, as determined by the agency head or designee. Subsection 35 of the same section states that agencies declare property not needed as excess and report it to GSA for possible transfer to eligible recipients.
CCFAS' property management policy lacks detailed guidance for the disposal of excess OPM property. In addition, OPM program divisions have an inadequate understanding of NMG's excess laptop disposal procedures.

As a result, OPM is not in compliance with 41 CFR 102-36.

Recommendation 7

We recommend that CCFAS develop and implement specific procedures and controls to ensure compliance with the disposal of excess sensitive property in accordance with 41 CFR 102-36.

CCFAS' Response:

"We concur with the recommendation that CCFAS develop and implement specific procedures and controls to ensure compliance with the disposal of excess sensitive property, in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is also developing recommendations to tighten procedures and controls associated with the handling of excess sensitive property."

CIS' Response:

"CIS accepts the recommendation. CIS has no comments."

IV. MAJOR CONTRIBUTORS TO THIS REPORT

Internal Audits Group

Auditor-In-Charge/Lead Auditor
Lead Auditor
Senior Team Leader
Chief

APPENDIX A

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Management Services Division

APR 17 2009

MEMORANDUM FOR Chief, Internal Audits Group

FROM: TINA B. McGUIRE
Deputy Associate Director
Center for Contracting, Facilities and Administrative Services

SUBJECT: Draft Report on the Audit of the Inventory and Management of the U.S. Office of Personnel Management's Sensitive Property (Report No. 4A-CA-00-08-036)

In reply to your Memorandum, dated March 19, 2009, subject as above, we offer the comments below.

Deleted by OPM - Not Relevant to Final Report

Recommendation 2

We concur with the recommendation that OPM program divisions work together to conduct a comprehensive inventory of laptops with timely update of record changes, including turn-ins, transfers, replacement of equipment and disposal.
In addition, in order to further strengthen internal controls over sensitive property items, we have formed a Personal Property Task Team with representation from several program offices to identify actions we can take to ensure appropriate accountability for all property items.

Recommendation 3

Deleted by OPM - Not Relevant to Final Report

www.opm.gov - Our mission is to ensure the Federal Government has an effective civilian workforce - www.usajobs.gov

Recommendation 6

As noted in Current Status under this recommendation in the Draft Report, CCFAS concurs that controls over OPM's Blackberry inventory are not adequate. The Personal Property Task Team is developing recommendations to improve procedures and controls, which will include OPM's Blackberry inventory.

Recommendation 7

We concur with the recommendation that CCFAS develop and implement specific procedures and controls to ensure compliance with the disposal of excess sensitive property, in accordance with 41 CFR 102-36. The aforementioned Personal Property Task Team is also developing recommendations to tighten procedures and controls associated with the handling of excess sensitive property.

Thank you for the opportunity to provide comments. If you have questions, please contact Charles Mace, Chief, Facilities Services Branch, at 202-606-2502.

APPENDIX B

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Management Services Division

April 20, 2009

MEMORANDUM FOR WILLIAM W. SCOTT, JR.
Chief, Internal Audits Group

FROM: JANET L. BARNES
Chief Information Officer

SUBJECT: Program Office Response to Draft Report 4A-CA-00-08-036, "Audit of the Inventory and Management of the U.S. Office of Personnel Management's Sensitive Property"

Thank you for the opportunity to comment on the Office of the Inspector General (OIG) Draft Report 4A-CA-00-08-036, "Audit of the Inventory and Management of the U.S.
Office of Personnel Management's Sensitive Property". The Center for Information Services (CIS) has reviewed the report and agrees with the findings, conclusions, and recommendations presented. CIS will take the following actions to address the OIG recommendations.

Recommendation 1: (Incomplete Laptop Inventory)

We recommend that OPM's NMG perform a comprehensive inventory of all OPM owned laptops to ensure that the inventory is complete and accurate.

CIS Response: CIS accepts the OIG recommendation. As planned, we began to update an inventory of the assets in February. The inventory is expected to be completed by June 26, 2009. CIS/NMG will also conduct spot inventory checks during quarterly security audits. CIS/NMG will contact all Program Offices and update the centralized laptop inventory database with inventory data obtained from the OPM property custodians by June 26, 2009.

Recommendation 2: (Inadequate Laptop Inventory Controls)

We recommend that NMG and OPM program divisions work together to conduct a comprehensive inventory of OPM program offices' laptops and timely update the Remedy Access Manager (RAM) to record changes, including turn-ins, transfers, replacement of equipment, and disposal.

CIS Response: CIS accepts the OIG recommendation and will work to implement a solution with the OPM program offices. See also response to Recommendation 1.

Recommendation 3: (Inadequate Laptop Inventory Controls)

We recommend that NMG work with the program divisions' property custodians to research the 19 missing laptops. If the laptops cannot be accounted for, NMG and the program divisions should determine if the laptops contain Personally Identifiable Information and take the appropriate reporting action.

CIS Response: CIS accepts the OIG recommendation and will work with the property custodians to locate any missing laptops and determine if PII is likely to have been lost. Appropriate action will be taken once a loss is determined.

Recommendation 4: (NMG's Asset Management Controls not Followed)

We recommend that NMG develop internal controls to ensure that asset tags are placed on all OPM laptops (existing and new) and update the RAM accordingly.

CIS Response: CIS accepts the OIG recommendation. Part of the help desk imaging and configuration process for laptops includes a step to place an asset tag on all laptops they service or deploy. CIS/NMG will also schedule the work to place asset tags on laptops missing the asset tags and update the RAM accordingly.

Recommendation 5: (NMG's Asset Management Controls not Followed)

We recommend that NMG develop internal controls to ensure that all new laptop purchases are verified, inventoried, and stored within one hour of delivery as stated in the AMP.

CIS Response: CIS accepts the OIG recommendation and factual finding. Placing laptops in the Asset Management Plan (AMP) within an hour after arrival is not always practical or realistic. Given the asset team staffing level and hours of operation, adding new laptops into the AMP within an hour may not always be possible. On occasion laptop shipments arrive in large quantities or late in the day. The sheer volume and time of delivery are among other variables that prove to be barriers getting each new laptop entered in the RAM within one hour. CIS/NMG will update the AMP modifying help desk procedures. The updated procedure will state that new laptops are added to the AMP within 8 hours. We do not believe these assets will be at risk with this approach. The storage area is monitored or locked. The laptops will be in a safe location.
Recommendation 6: (Lack of Controls over OPM's BlackBerry Inventory)

We recommend that CCFAS develop and implement guidance to ensure proper controls over OPM BlackBerries.

CIS Response: CIS accepts the recommendation. CIS has no comments.

Recommendation 7:

We recommend that CCFAS develop and implement specific procedures and controls to ensure compliance with the disposal of excess sensitive property in accordance with 41 CFR 102-36.

CIS Response: CIS accepts the recommendation. CIS has no comments.

cc:
TINA B. McGUIRE
Deputy Associate Director
Center for Contracting, Facilities, and Administrative Services

DAVID M. CUSHING
Deputy Chief Financial Officer

BRADLEY A. EGGERS
Senior Agency Information Security Officer (SAISO), Acting
Audit of the Inventory and Management of The U.S. Office of Personnel Management's Sensitive Property
Published by the Office of Personnel Management, Office of Inspector General on 2009-06-15.