U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S DEVELOPMENT TEST PRODUCTION GENERAL SUPPORT SYSTEM FY 2014 Report No. 4A-CI-00-14-015 Date: June 6, 2014 --CAUTION-- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. Audit Report U.S. OFFICE OF PERSONNEL MANAGEMENT ------------------------------------------------------------- AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S DEVELOPMENT TEST PRODUCTION GENERAL SUPPORT SYSTEM FY 2014 -------------------------------- WASHINGTON, D.C. Report No. 4A-CI-00-14-015 Date: June 6, 2014 Michael R. Esser Assistant Inspector General for Audits --CAUTION-- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. Executive Summary U.S. OFFICE OF PERSONNEL MANAGEMENT ------------------------------------------------------------- AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S DEVELOPMENT TEST PRODUCTION GENERAL SUPPORT SYSTEM FY 2014 -------------------------------- WASHINGTON, D.C. Report No. 4A-CI-00-14-015 Date: June 6, 2014 This final audit report discusses the results of our audit of the information technology security controls of the U.S. Office of Personnel Management’s (OPM) Development Test Production General Support System (DTP). Our conclusions are detailed in the “Results” section of this report. Security Assessment and Authorization (SA&A) DTP does not have a current SA&A package, nor an active authorization to operate. Federal Information Processing Standards (FIPS) 199 Analysis A FIPS199 analysis was last performed on DTP as a part of the 2010 SA&A package that expired in August 2013. System Security Plan (SSP) A SSP was last developed for DTP as a part of the 2010 SA&A that expired in August 2013. Risk Assessment A risk assessment was last conducted for DTP as a part of the 2010 SA&A that expired in August 2013. i Independent Security Control Testing Security controls were not independently assessed for DTP within the past three years, as required by National Institute of Standards and Technology (NIST) and OPM policy. Security Control Continuous Monitoring The owners of DTP did not submit continuous monitoring security reports in March or September, 2013, as required by OPM policy. However, a report has been submitted in April 2014. Contingency Planning and Contingency Plan Testing A contingency plan was developed for DTP that is in compliance with NIST, however the contingency plan for DTP has not been tested in the past year. Privacy Impact Assessment (PIA) A privacy threshold analysis was conducted for DTP that determined that a PIA was not required. Plan of Action and Milestones (POA&M) Process The DTP POA&M follows the format of the OPM POA&M guide, and has been routinely submitted to the OCIO for evaluation. NIST Special Publication 800-53 Revision 4 Evaluation We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800- 53 Revision 4 was implemented for DTP. We determined that one area of controls related to the change management process could be improved. System Organization and Classification The production environment of DTP resides on OPM’s Local Area Network/Wide Area Network (LAN/WAN) General Support System, and is not segregated from the production applications hosted on LAN/WAN. Essentially there are two production environments. While there are clearly defined technical boundaries segregating the development and test environments from the production environment within DTP, there should only be one production environment in OPM’s infrastructure. ii Contents Page Executive Summary.............................................................................................................................. i Introduction ..........................................................................................................................................1 Background...........................................................................................................................................1 Objectives .............................................................................................................................................1 Scope and Methodology .......................................................................................................................1 Compliance with Laws and Regulations ..............................................................................................3 Results ..................................................................................................................................................4 I. Security Assessment and Authorization ...........................................................................4 II. FIPS 199 Analysis.............................................................................................................4 III. System Security Plan ........................................................................................................5 IV. Risk Assessment ...............................................................................................................5 V. Independent Security Control Testing ..............................................................................5 VI. Security Control Continuous Monitoring .........................................................................6 VII. Contingency Planning and Contingency Plan Testing......................................................6 VIII. Privacy Impact Assessment ..............................................................................................7 IX. Plan of Action and Milestones Process .............................................................................7 X. NIST SP 800-53 Revision 4 Evaluation ...........................................................................8 XI. System Organization and Classification ...........................................................................9 Major Contributors to this Report ......................................................................................................11 Appendix: The Office of the Chief Information Officer’s May 20, 2014 response to the draft audit report, issued April 15, 2014. Introduction On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107‑347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we audited the information technology (IT) security controls related to the Office of Personnel Management’s (OPM) Development Test Production General Support System (DTP). Background The DTP environment is a general support system that was designed to be a separate technical environment from OPM’s Local Area Network / Wide Area Network (LAN/WAN) production environment. DTP is intended to host the testing and development of applications, while LAN/WAN is designed to hose production applications. Objectives Our objective was to perform an evaluation of the security controls for DTP to ensure that the Office of the Chief Information Officer (OCIO) has implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual and OPM’s OCIO. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for DTP, including: Security Assessment and Authorization; FIPS 199 Analysis; System Security Plan; Risk Assessment; Independent Security Control Testing; Security Control Continuous Monitoring; Contingency Planning and Contingency Plan Testing; Privacy Impact Assessment; Plan of Action and Milestones Process; and NIST Special Publication 800-53 Revision 4 Security Controls. Scope and Methodology This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of the OCIO, including IT security controls in place as of March 2014. 1 We considered the DTP internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. To accomplish our objectives, we interviewed OPM personnel with security responsibilities for DTP. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required. Details of the security controls protecting the confidentiality, integrity, and availability of DTP are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the DTP system of internal controls taken as a whole. The criteria used in conducting this audit include: OPM Information Security and Privacy Policy Handbook; OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002; The Federal Information System Controls Audit Manual; NIST SP 800-12, An Introduction to Computer Security; NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems; NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments; NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems; NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories; NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities; Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and Other criteria as appropriate. In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. 2 The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from October 2013 through March 2014 in OPM’s Washington, D.C. office. This was our first audit of the security controls surrounding DTP. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether OCIO’s management of DTP is consistent with applicable standards. Nothing came to our attention during this review to indicate that the OCIO is in violation of relevant laws and regulations. 3 Results I. Security Assessment and Authorization DTP does not have a current Security Assessment and Authorization (SA&A) package, nor an active authorization to operate. The most recent SA&A of DTP was completed in August 2010, and expired in August 2013. NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidance to federal agencies in meeting security accreditation requirements. Although the 2010 SA&A is no longer valid, it appears to have been conducted in compliance with NIST requirements. Recommendation 1 We recommend that the DTP environment be subject to a complete and current SA&A process. OCIO Response: “OCIO intends to make the DTP environment a sub-system of the LAN/WAN GSS within the next four months. The LAN/WAN GSS will have a new SA&A completed at that time. Many of the weaknesses identified within this OIG audit with the DTP environment will be remediated as a result of that SA&A process.” OIG Reply: As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal Oversight and Compliance (IOC) division with evidence that DTP has been migrated under the LAN/WAN as a sub-system. Furthermore, the OCIO should provide IOC with an updated LAN/WAN System Security Plan that includes DTP as a minor application and documents the security controls that DTP inherits from the LAN/WAN. II. FIPS 199 Analysis FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels. NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199. The OCIO leveraged FIPS 199 to analyze the information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. As of June 24, 2010 DTP is categorized with a low impact level for confidentiality and availability, and a moderate impact level for integrity, resulting in an overall categorization of moderate. 4 The security categorization of DTP appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and the OIG agrees with the categorization of moderate. However, the most recent FIPS 199 analysis performed on DTP was part of the previous SA&A package that, as mentioned in section I above, expired in August 2013. III. System Security Plan Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a SSP for each system, and provides guidance for doing so. The SSP for DTP contains the majority of the elements outlined in NIST SP 800-18. However, the most recent SSP developed for DTP was part of the previous SA&A package that, as mentioned in section I above, expired in August 2013. IV. Risk Assessment A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources. NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, offers a nine step systematic approach to conducting a risk assessment that includes: (1) system characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9) results documentation. A risk assessment was conducted for DTP as a part of its 2010 SA&A that addressed all major elements outlined in the NIST guidance. However, the most recent risk assessment performed on DTP was part of the previous SA&A package that, as mentioned in section I above, expired in August 2013. V. Independent Security Control Testing An independent security control assessment was completed for DTP in August 2010 as a part of the system’s SA&A process. The security assessment was conducted by another government entity, the Bureau of Public Debt. We reviewed the documentation resulting from this test to ensure that it included a review of the appropriate management, operational, and technical controls required for a system with a “moderate” security categorization according to NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. 5 Independent security control testing is part of the SA&A process and should be performed at least every three years. DTP was due for independent security control testing in August 2013. VI. Security Control Continuous Monitoring FISMA requires that the IT security controls of each major application owned by a federal agency be tested on an annual basis. Furthermore, NIST SP 800-53 Revision 4 mandates the development of a security assessment plan and outlines the required inclusions. The most recent self-assessment of security controls for DTP was conducted in August 2012. All major elements outlined in the NIST guidance were addressed. OPM’s internal IT policies now require that the IT security controls of each major application owned by a federal agency be tested on a continual basis. In the years that an independent assessment is not being conducted as part of an SA&A, the system’s owner must test a subset of security controls twice per year in accordance with OPM’s continuous monitoring methodology. The owners of DTP did not submit continuous monitoring security reports in March or September, 2013, as required by OPM policy. Recommendation 2 We recommend that DTP be subject to continuous monitoring of security controls in accordance with OPM policy. OCIO Response: “OCIO completed and submitted the Information System Continuous Monitoring Report for the DTP environment on 04/16/14. This report encompassed all the moderate controls that ITSP required to be tested in Q1 and Q2 of FY14.” OIG Reply: The evidence provided by the OCIO in response to the draft audit report indicates that the FY 2014 quarter two continuous monitoring submission was in compliance with OPM requirements. As part of the audit resolution process, we recommend that OCIO provide OPM’s IOC division with evidence of the next continuous monitoring submission. VII. Contingency Planning and Contingency Plan Testing NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM’s security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated. Contingency Plan The DTP contingency plan documents the functions, operations, and resources necessary to restore and resume DTP operations when unexpected events or disasters occur. The DTP 6 contingency plan follows the format suggested by NIST SP 800-34 Revision 1 and contains a majority of the suggested elements. Contingency Plan Test NIST SP 800-34 Revision 1 also provides guidance for testing contingency plans and documenting the results. In addition, NIST SP 800-53 Revision 4, control CP-3, requires system owners to “train personnel in their contingency roles and responsibilities to the information system and provide refresher training.” The contingency plan for DTP has not been tested in the past year. Recommendation 3 We recommend that the owners of DTP test the system’s contingency plan annually. OCIO Response: “OCIO agrees that the DTP contingency plan has not been tested. OCIO is currently in the process of updating and testing the LAN/WAN GSS Contingency Plan. DTP will collapse in to the LAN/WAN GSS at which point the LAN/WAN contingency plan will encompass DTP.” OIG Reply: As part of the audit resolution process, we recommend that the OCIO provide OPM’s IOC division with evidence that the DTP contingency plan was tested as a part of the annual LAN/WAN contingency plan test. VIII. Privacy Impact Assessment FISMA requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed. The OPM Privacy Impact Assessment Guide states that “all OPM IT systems must have a Privacy Threshold Analysis (PTA) which is utilized to determine if a PIA is required.” The OCIO completed a PTA of DTP and determined that a PIA was not required for this system. IX. Plan of Action and Milestones Process A Plan of Action and Milestones (POA&M) is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency’s information systems. The OIG evaluated the DTP POA&M and verified that it follows the format of OPM’s standard template, and that updates are routinely submitted to the OCIO for evaluation. 7 We found no issues with the POA&M process for DTP. X. NIST SP 800-53 Revision 4 Evaluation NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated whether a subset of these controls had been adequately implemented for DTP. These controls were evaluated by interviewing individuals with DTP security responsibilities, reviewing documentation and system screenshots, and viewing demonstrations of system capabilities. We determined that the controls described below could be improved. a) CM-3 Configuration Change Control & CM-5 Access Restrictions for Change DTP application programmers have the technical ability to develop a change and move it into production without following the appropriate change control process. NIST SP 800-53 Revision 4 requires organizations to appropriately control changes to the information system, ensuring all changes are formally approved prior to implementation and that the change process is reviewed. Logical access restrictions must be defined, documented, approved, and enforced for all changes to the information system. The OCIO must also ensure that it “tests, validates, and documents changes to the information system before implementing the changes on the operational system.” NIST SP 800-53 Revision 4 explains that “any changes to the . . . system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals [should be] allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.” The size of the change should not justify a diversion from the approved System Development Life Cycle (SDLC). Furthermore, to ensure appropriate segregation of duties, a separate business unit should be responsible for moving code between development/test and production. No one individual should be able to migrate a change through the entire change control environment. Recommendation 4 We recommend that the OCIO make the appropriate system modifications to ensure appropriate segregation of duties are enforced within DTP. OCIO Response: “OCIO agrees that the DTP system segregation of duties is not adequate. The LAN/WAN GSS is in the process of reorganizing roles and functions within the environment to ensure segregation of duties. The LAN/WAN GSS is in the process of instituting technical controls between environments which would ensure that changes are not made without following the correct protocols. DTP will be able to leverage these changes as soon as it is converted in to a subsystem of the LAN/WAN GSS.” 8 OIG Reply: As part of the audit resolution process, we recommend that the OCIO provide OPM’s IOC division with evidence that roles and responsibilities are appropriately adjusted with the reorganization of the environment to ensure proper segregation of duties. Recommendation 5 We recommend that the OCIO make the appropriate organizational modification to ensure a business unit independent of the application developers migrates changes into production. That same business unit should be responsible for validating that all elements of the SDLC were followed, changes were appropriately tested, and all documentation is valid and approved prior to migrating changes into production. OCIO Response: “OCIO agrees that there are weaknesses within the SDLC process of the DTP environment. The LAN/WAN currently utilizes a change control board in order to facilitate any changes to the environment. The LAN/WAN plans to also put more stringent measures in place to ensure that the SDLC process is followed, changes are tested, and all documentation is valid prior to migration to the production environment. DTP will be able to leverage these changes as soon as it is converted in to a subsystem of the LAN/WAN GSS.” OIG Reply: As part of the audit resolution process, we recommend that the OCIO provide OPM’s IOC division with evidence that changes for DTP follow the approved SDLC with regard to both procedure and documentation, and that the individuals with the technical capability to migrate changes to production are independent of the developers, testers, and business users. b) CM-6 Configuration Settings We conducted vulnerability scans of the databases and servers supporting DTP using AppDetective Pro and Nessus scanning tools. Although the technical details of these settings will not be included in this report, the OCIO has been provided with this information. The vulnerability scans revealed that both the database and server generally contain settings configured in a manner compliant with OPM’s configuration policies. XI. System Organization and Classification a) Multiple Production Environments DTP is a general support system intended to be used for the development and testing of new and/or modified applications hosted in the LAN/WAN production environment. Currently, DTP is comprised of a development, test, and production environment. However, the production environment of DTP resides on the LAN/WAN and is not segregated from the production applications hosted on LAN/WAN. Essentially there are two production environments. 9 While there are clearly defined technical boundaries segregating the development and test environments from the production environment within DTP, there should only be one production environment in OPM’s infrastructure. Recommendation 6 We recommend that the OCIO make the appropriate system modification to ensure that there is only one production environment in OPM’s technical infrastructure. OCIO Response: “OCIO agrees that there should only be one production environment. OCIO intends to convert DTP in to a subsystem of the LAN/WAN GSS within the next four months. At that point there will only be one production environment.” OIG Reply: As part of the audit resolution process, we recommend that the OCIO provide OPM’s IOC division with evidence that the conversion of DTP to a subsystem of the LAN/WAN GSS results in only one production environment. b) Reclassification of DTP DTP is currently classified as a “major application” and is included on OPM’s master inventory of major systems. During the course of the audit we were informed that it is the intention of the OCIO to reclassify the development and test elements of DTP as subsystems under the LAN/WAN, and to consolidate the production elements of DTP into the LAN/WAN production environment. OPM’s LAN/WAN general support system (also owned and operated by the OCIO) currently supports a variety of minor applications. Considering the OCIO currently provides technical support for DTP and the system already resides within the boundaries of the LAN/WAN, we believe this would be an appropriate way to address our audit concerns. As part of the reclassification process, the OCIO should update the LAN/WAN SSP to include DTP as a minor application and to document the security controls that DTP inherits from the general support system. Although reclassifying DTP as a minor application would alleviate some of the SA&A related requirements applicable to major systems, it does not absolve the OCIO from ensuring the remediation of the security weaknesses identified in prior security assessments and this audit report. 10 Major Contributors to this Report This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report: , Group Chief , Lead IT Auditor-in-Charge , IT Auditor 11 APPENDIX United States Office of Personnel Management U.S. Office of Personnel Management 1900 E Street, NW Washington D.C. 20415 MEMORANDUM FOR: - Lead IT Auditor FROM: Designated Security Officer SUBJECT: DTP Response to OIG Audit OIG Recommendation 1 We recommend that the DTP envirorunent be subject to a complete and current SA&A process. OCIO Response: OCIO intends to make the DTP environment a sub-system of the LAN/WAN GSS within the next four months. The LAN/WAN GSS will have a new SA&A completed at that time. Many of the weaknesses identified within this OIG audit with the DTP environment will be remediated as a result of that SA&A process. OIG Recommendation 2 We recommend that DTP be subject to continuous monitoring in accordance with OPM policy. OCIO Response: OCIO completed and submitted the Information System Continuous Monitoring Report for the DTP environment on 04/ 16/ 14. This repmt encompassed all the moderate controls that ITSP required to be tested in Ql and Q2 ofFY14. Recommendation 3 We recommend that the owners ofDTP test the system's contingency plan. OCIO Response: OCIO agrees that the DTP contingency plan has not been tested. OCIO is currently in the process of updating and testing the LAN/WAN GSS Contingency Plan. DTP will collapse in to the LAN/WAN GSS at which point the LAN/ WAN contingency plan will encompass DTP. Recommendation 4 We recommend that the OCIO make the appropriate system modifications to ensure appropriate segregation ofduties are enforced within DTP. OCIO Response: OCIO agrees that the DTP system segregation of duties is not adequate. The LAN/WAN GSS is in the process of reorganizing roles and functions within the environment to ensure segregation ofduties. The LAN/WAN GSS is in the process of instituting technical controls between environments which would ensure that changes are not made without following the correct protocols. DTP will be able to leverage these changes as soon as it is converted in to a subsystem of the LAN/WAN GSS. Recommendation 5 We recommend that the OCIO make the appropriate organizational modification to ensure a business unit independent ofthe change process migrates changes into production. That same business writ should be responsible for validating that all elements of the SDLC were followed, changes were appropriately tested, all documentation is valid and approved prior to migrating changes into production. OCIO Response: OCIO agrees that there are weaknesses within the SDLC process of the DTP environment. The LAN/WAN ctUTently utilizes a change control board in order to facilitate any changes to the environment. The LAN/WAN plans to also put more stringent measures in place to ensure that the SDLC process is followed, changes are tested, and all documentation is valid prior to migration to the production environment. DTP will be able to leverage these changes as soon as it is converted in to a subsystem of the LAN/WAN GSS. Recommendation 6 We recommend that the OCIO make the appropriate system modification to ensure that there is only one production environment. OCIO Response: OCIO agrees that there should only be one production environment. OCIO intends to convert DTP in to a subsystem of the LAN/WAN GSS within the next four months. At that point there ·will only be one production environment. S- Jo- Jt\ Date
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Development Test Production General Support System FY 2014
Published by the Office of Personnel Management, Office of Inspector General on 2014-06-06.
Below is a raw (and likely hideous) rendition of the original report. (PDF)