IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Google Ads





 
Prepared Witness Testimony
The Committee on Energy and Commerce
W.J. "Billy" Tauzin, Chairman

 

 

 

 

How Secure is Sensitive Commerce Department Data and Operations? A Review of the Department's Computer Security Policies and Practices.
Subcommittee on Oversight and Investigations
August 3, 2001
09:30 AM
2123 Rayburn House Office Building

 


The Honorable Johnnie E. Frazier
Inspector General
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC, 20230

Note:  This testimony is also available in Adobe Acrobat format.  You can obtain the free Adobe Reader here.


Mr. Chairman and Members of the Committee, I am pleased to appear before you today to discuss the Office of Inspector General's (OIG) work and other activities related to the security and protection of the Department's critical information technology (IT) systems, programs, and activities.

The Department of Commerce has numerous complex computer systems that provide essential services to the public and support critical mission activities, such as the nation's weather services, environmental stewardship, promotion of trade and economic growth, scientific research, and technological development. As the Department's systems have become more interconnected, vulnerabilities have also increased, thus increasing the need to continuously improve IT security measures. Strong IT security measures are vital to (1) protecting the privacy of information, (2) safeguarding the integrity of computer systems and their networks, and.2 (3) ensuring the availability of services to the American public and other users. I cannot emphasize too much how important these measures are.

Indeed, in our recent Semiannual Reports to the Congress, we have identified "Strengthening Department-wide Information Security" as one of the top 10 management challenges facing the Department of Commerce because of that issue's: 1. Importance to the Department's mission and the nation's well-being, 2. Complexity and sizable expenditures, and 3. Need for significant management improvements.

During the past year, we have engaged in a number of audit, inspection, evaluation, and other activities involving Commerce IT security matters-all aimed at strengthening IT security Commerce-wide. We have completed evaluations of the Department's efforts to implement its Critical Infrastructure Protection (CIP) plans. We also have assessed the Office of the Chief Information Officer's (CIO) IT security policy and the effectiveness of its oversight of the Department's IT security program. In addition, we have evaluated the use of persistent Internet "cookies" and "web bugs" on Commerce Internet sites. Furthermore, in support of the OIG's fiscal year 2000 financial statement audits, we have conducted security reviews of the Department's financial management systems and their related networks.

Moreover, assessments of IT security policies and practices are often an integral part of the operational inspections we conduct of Commerce activities, units, and offices domestically and overseas. These inspections are intended to provide operating unit managers with useful, timely information about their operations, including IT security issues. IT security problems have also.3 been identified through our investigative work. In addition, we have worked closely with many of the Department's key IT managers, top security personnel, and senior program officials in an effort to identify the most critical IT security issues and help craft corrective measures. Let me briefly summarize the results of some of our recent efforts.

Early Progress Made in Critical Infrastructure Protection, but Planning and Implementation Have Slowed

Last year, we evaluated the Department's CIP plan, identification of minimum essential infrastructure (MEI) assets, and vulnerability assessments of its cyber-based assets. MEI assets are the physical and cyber-based assets essential to the minimum operations of the economy and the government. Our evaluation found that although the Department had made initial progress by developing a Department-wide CIP plan, identifying critical infrastructure assets, and initiating vulnerability assessments, there were several areas that warranted management attention: . The Department's CIP plan needed to be strengthened because several of its elements were outdated or missing, and important milestones had slipped. The asset inventory, vulnerability assessment framework, and budget estimates included in the plan were not current. The plan also did not include requirements for reviewing new assets to determine whether they should be included as MEI assets, periodically updating vulnerability assessments, or developing a system for responding to infrastructure attacks. . The MEI asset inventory needed to be reevaluated because of limitations in data gathering. In most cases, asset managers were neither interviewed nor given adequate.4 guidance before filling out complex questionnaires used to gather asset information, and the officials most knowledgeable about the assets were seldom interviewed because of logistical problems and limited resources. Establishing a reliable MEI inventory is important because it forms the basis for later activities, such as selecting the highest risk assets for vulnerability assessments and taking remedial actions.

. Vulnerability assessments, remediation plans, and budget justifications needed to be completed. Reportedly due to resource constraints, the Department had current vulnerability assessments for less than 10 percent of MEI assets and had not developed any remediation plans.

The CIO's office agreed with our findings and stated that the Department's focus would be on the broad spectrum of IT security, which emphasizes assets critical to the Department's mission and includes most cyber-based MEI assets. Short-term actions were identified to improve guidance to operating unit personnel involved in vulnerability assessments and increase their involvement in the MEI asset inventory, revise the MEI asset list, and evaluate new assets to determine whether they should be included as MEI assets.

Additional Focus Needed on IT Security Policy and Oversight

The CIO is responsible for developing and implementing a departmental IT security program to ensure the confidentiality, integrity, and availability of information and IT resources. The CIO's responsibilities include developing policies, procedures, and directives for IT security and providing oversight of the IT security programs of the Department's operating units..5 We conducted an evaluation to assess the CIO's policies and the effectiveness of his oversight of the Department's IT security program. Our review focused on the CIO's compliance with laws and regulations governing IT security and his actions in recent years to oversee the Department's IT security program.

We found that although in the past IT security did not receive adequate attention, in more recent years, the CIO's office had expanded its focus on and increased the resources devoted to IT security. For example, the office conducted its first Department-wide assessment of IT security planning in 1999 and reviewed operating unit self-assessments in 2000, which resulted in increased compliance with security requirements. Nevertheless, policy and oversight need further improvements. Specifically:

. IT security policy needs to be revised and expanded. The Department's IT security policy is out of date because it was developed in 1993 and 1995, prior to a significant revision of OMB Circular A-130, which communicates policy on the security of federal automated information resources. The policy is also missing important components because it has not kept pace with recent trends in technology and related security threats. The Department's policy must be kept current and complete because the operating units use it as the foundation for their general and system-specific policies. We recommended that the CIO's office update and expand its IT security policy as soon as possible.

. Additional IT security compliance procedures are needed. Security for many of the Department's systems has not been adequately planned, and security reviews have not been performed. In addition, several operating units do not have adequate awareness and.6 training programs or adequate capabilities for responding to IT security incidents. The Government Information Security Reform Act (GISRA) requires the CIO's office to conduct annual IT security evaluations in 2001 and 2002 similar to the self-assessments it monitored in 2000. We recommended that the office commit to a program of reviews that extends beyond GISRA's 2-year review requirement. Moreover, the CIO's office should work with the Department's acquisition and budget managers to ensure that IT-related procurement specifications include security requirements, and that funds for meeting these requirements are included in operating unit budgets.

During our evaluation of the Department's IT security policy, we provided the Department with a written analysis that identified weaknesses and deficiencies in the policy, and made recommendations for specific changes to bring the policy into compliance with applicable laws and regulations.

The CIO's office agreed with all of our recommendations and cited a number of corrective actions it planned to take to implement them. Among other things, it agreed to revise, expand, and update the Department's IT security policy; continue its compliance review program beyond the 2-year period required by GISRA; and begin security reviews as soon as possible.

Use of Internet "Cookies" and "Web Bugs" Raised Privacy and Security Concerns

We evaluated the use of persistent Internet cookies and web bugs by departmental Internet sites, as well as the adequacy of the privacy statements posted on the main web pages of the Department and its operating units. We conducted our evaluation in response to Public Law 106-.7 554, the Consolidated Appropriations Act of 2001, which required the Inspector General of each agency to submit a report to the Congress disclosing any activity regarding the collection of information relating to any individual's access or viewing habits on the agency's Internet sites. Persistent Internet cookies are data stored on web users' hard drives that can identify users' computers and track their browsing habits. Web bugs are software code that can monitor who is reading a web page. These technologies are capable of being employed in ways that could violate the privacy of individuals visiting the Department's web sites and can also pose security threats.

Web bugs are considered security threats because they can perform malicious actions, including searching for the existence of specific information, such as financial information, on a user's hard drive, and downloading files from, or uploading files to, a user's computer. A web user would be unaware of the presence of web bugs without using detection software. Even if such software were used, the malicious actions performed by identified web bugs could go undetected. We found that most of the Department's Internet sites do not use either persistent cookies or web bugs. However, we did find several instances in which persistent cookies were being used without a compelling reason or the approval of the Secretary, as required by Department and OMB policy. We also found a number of web pages using web bugs. At the time we began our evaluation, the Department did not have a policy regulating web bug use, but it promptly developed and issued one when informed of the problem. Finally, we found that many of the operating units' privacy statements did not provide all of the information required by the Department's privacy policy..8

We recommended that the Department's CIO direct operating unit CIOs and senior management to implement a strategy to control the use of persistent cookies and web bugs and to certify annually that the operating unit is in compliance with the Department's applicable policies. We also recommended that the CIO direct operating unit CIOs and senior managers to revise their privacy policy statements to make them compliant with the Department's policy. The CIO's office agreed with our findings and worked with us to help ensure that the cookies we had identified were removed. The Secretary of Commerce's new Special Assistant for Privacy is working to remove all web bugs and develop a uniform privacy policy statement.

Systems Security Audits of Departmental Financial Management Systems Reveal Problems

Our audits of Commerce operating units' financial statements, performed by certified public accounting (CPA) firms under contract with us, include security reviews of the Department's financial management systems and related networks that support the statements. Our CPA contractors use GAO's Federal Information System Controls Audit Manual (FISCAM) as a guide in performing these reviews. FISCAM provides guidance on assessing the reliability of computer-generated data that supports financial statements, including physical security and logical access controls designed to prevent or detect unauthorized access or intrusion into systems and networks.

In 1999 we adopted a systems security review strategy that provides for full coverage of each financial management system and its related networks on a two-year basis. Every two years, a review addresses the six systems security areas identified in FISCAM: (1) entitywide security program planning and management, (2) access controls, (3) application software development.9 and change control, (4) systems software, (5) segregation of duties, and (6) service continuity. In the alternate years, we routinely conduct penetration testing (in which someone playing the role of a hostile attacker tries to compromise systems security) and application-level testing. Review of the system environment for significant changes and follow-up on open recommendations occurs annually.

The audits of operating units' individual fiscal year 2000 financial statements included reviews of the general system controls over the major financial management systems at the seven data processing locations. In the reports on our audits of the Department's fiscal year 1999 and 2000 consolidated financial statements, we noted that these systems security reviews disclosed weaknesses in controls over major financial management systems at all seven locations that provide data processing support. Specifically, these reviews found that:

1. Entitywide security program planning and management needed improvement at all seven locations. This control is the foundation of an entity's security control structure and a reflection of senior management's commitment to addressing security risks. It is intended to ensure that security controls are adequate, consistently applied, and monitored, and that responsibilities are clear and properly implemented.

2. Access controls for both operating systems and the financial management systems needed strengthening at all seven locations, and monitoring of external and internal access to systems needed strengthening at five locations. These controls should limit or monitor access to computer resources to guard against unauthorized modification, loss, and disclosure..10

3. Applications software development and change control needed improvement at four locations. These controls should help prevent the implementation of unauthorized programs or modifications to existing programs.

4. Systems software improvements were needed at four locations. Controls in this area should limit and monitor access to the important software programs that operate computer hardware.

5. Segregation of duties improvements were needed at five locations. Appropriate controls in this area include policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets.

6. To ensure service continuity, contingency plans needed to be prepared, updated, or improved at all seven locations. Appropriate controls in this area include procedures for continuing critical operations, without interruption and with prompt resumption of those operations, when unexpected events occur.

Of particular note, among the weaknesses identified by the CPA firms in the area of entitywide security program planning and management, was the fact that formal comprehensive security plans either did not exist, were outdated, or were not approved for the major financial management systems and associated general support systems on which the applications were processed. In addition, risk assessments needed to be completed and approved, and security monitoring needed to be performed..11

At four locations, penetration testing was also performed on the network that supports the financial management systems to identify weaknesses in access controls. As part of the penetration testing, the CPA firms reviewed the adequacy of access controls, which include logical and physical controls. Logical access controls involve the use of computer hardware and software to prevent or detect unauthorized access, such as by hackers, to networks, systems, and sensitive files by requiring users to input user ID numbers, passwords, and other identifiers that are linked to predetermined access privileges. Physical controls involve keeping computers in locked rooms to limit physical access. The firms' penetration testing of logical controls found that in some cases:

. Open modems and ports were accessible to potential hackers. 

. Sensitive information on websites was readily accessible. 

. Sensitive active system services could allow unauthorized access, downloading of files, and gathering of information. 

. Firewall configurations could allow a hacker to introduce a destructive virus. In addition, physical access controls over networks and financial management systems needed strengthening. For example, at one location, automated exterior locking systems had not been installed on doors to restrict access, and the key card lock for the data center's computer room was inappropriately placed on the inside of the door, rather than the outside. In addition, personnel did not consistently lock and secure their work areas. At another location, hardware that processed very sensitive information was located in an area accessible by numerous employees and contractors and was not segregated in an individually secure area

 For fiscal year 2000, the CPA firms concluded that four operating units had system security weaknesses that rose to the level of "reportable conditions." Taken together, these conditions, combined with the Department's lack of an integrated financial management system, constituted a material weakness in the audit of the consolidated financial statements. In our report on the audit of the consolidated statements, we recommended that the CIO's office continue to develop and implement a database for tracking and reporting on corrective actions planned and taken to address the outstanding general controls recommendations. We also recommended that the office review, monitor, and provide guidance to the reporting entities on their corrective actions planned and taken in response to our current and prior years' audit reports on general controls. We issued audit reports with recommendations to correct the control weaknesses identified at each of the seven data processing locations, and the operating units generally agreed with our recommendations. The Department and its operating units are required to provide us with audit action plans that address each of our recommendations. We have reviewed the plans submitted to date and concur with the actions taken or planned. Moreover, we are in the process of performing our annual follow-up of the adequacy of the corrective actions planned or taken.

IT Security Issues Have Also Been Identified Through OIG Inspections and Investigations

We have also identified IT security issues through our inspections and investigative work. Our inspections unit, for example, conducted a 1999 assessment of the Bureau of Export Administration's (BXA) Export Control Automated Support System as part of a larger review of BXA's administration of the federal export licensing process for dual-use commodities. While we determined that most of the system's general and application controls were adequate, we.13 found that BXA's IT security controls could be enhanced by improving database access controls, preparing a security plan, performing periodic security reviews, officially assigning the security duties to its security officer, providing all users with current security training, and restricting the number of BXA employees with file manager access. BXA management implemented some corrective actions immediately and agreed to take action on our other recommendations dealing with the IT security of its licensing system.

We are also conducting a series of inspections of the National Weather Service's weather forecast offices (WFOs) that have identified a number of IT security issues that need to be addressed by local managers. Among other problems, we noted that one WFO we visited did not have a designated security officer, and office personnel did not follow the Weather Service's policy on IT security. We found other problems, which I cannot describe in detail in a public hearing, that highlight how vulnerable some systems can be without proper management attention. Fortunately, the Weather Service has greatly improved its IT security both locally and nationally since the start of our review. During the past nine months, we visited two other WFOs. Although we continued to identify some IT security problems, we have found that designated security officers have been named and are receiving necessary training on IT security. More importantly, WFO personnel appear to better understand IT security concepts and requirements.

IT security problems have also been identified through our investigative work. Through our OIG Hotline and other information channels, specific incidents or allegations involving IT security weaknesses, vulnerabilities, or threats have been brought to our attention and examined. For example:.14

. In one incident, a foreign hacker penetrated a network server and installed software without the knowledge of the system administrator. Had the software been activated, the server would have been prevented from performing its normal network services and would have been one of many computers simultaneously activated to overload a designated Internet site. As a result of the incident, the number of points of access to the network was reduced to a bare minimum, and existing monitoring software was activated. 

. In another incident, a hacker caused extensive damage to an operating unit server, and it took more than 5 work days to repair the server and restore operations. Because the software on the server was destroyed, the system administrator was not able to determine how the attack had occurred. Security features were added when the software was restored, to reduce the risk of another shutdown.

. In a third incident, an after-hours contract cleaning employee used a computer that had not been properly secured to gain access to the Internet via a network system and view pornographic materials. Coordination with the contracting officer, property manager, and president of the contract company resulted in the employee's immediate removal from the facility contract and subsequent termination. In addition, the practice of routinely leaving the computer on overnight was discontinued.

Additional OIG Reviews of IT Security Matters Are Either Underway or Planned

We are currently conducting IT security evaluations related to (1) the Economics and Statistics Administration's and the Census Bureau's preparation and release of the Advance Retail Sales.15 Principal Economic Indicator, (2) the Department's classified information systems, and (3) the Department's IT security program and practices, as required by the Government Information Security Reform Act.

The objective of our security evaluation of the Advance Retail Sales indicator is to determine whether adequate internal controls and system safeguards are in place to prevent the unauthorized disclosure or use of the economic indicator data before its release to the public. We have found that employees dealing with the indicator do not always have appropriate background investigations and that their positions are not always assigned the appropriate level of risk as required by Title 5, Part 731, of the Code of Federal Regulations and OMB Circular A-130. In some instances, the Department's records did not identify the type of investigation done, if any, for personnel working on Principal Economic Indicators. We also noted a lack of guidance from the Office of Human Resources Management, as well as from the Office of Security, suggesting that the problems associated with assigning appropriate risk levels to positions and ensuring that background investigations are performed may exist throughout Commerce. We are conducting additional work to examine this issue.

Our review of the Department's classified information systems will assess the adequacy of its policies for protecting classified information and the effectiveness of its oversight of these systems.

The GISRA-mandated review is the annual evaluation of the Department's IT security program and practices. This evaluation will incorporate information from our security reviews, as well as results of related evaluations performed by operating units, GAO, and contractors. We are also continuing our security reviews of Commerce's financial management systems and related.16 networks as part of our fiscal year 2001 financial statements audits. These reviews will be in line with our IT security review strategy and will include penetration testing of the U.S. Patent and Trademark Office and FISCAM reviews for the other operating units.

The need for the OIG to provide oversight and evaluation of IT security will be increasingly critical in the coming years. Our independent evaluation of the Department's IT security program being performed under GISRA and our security reviews of the Department's financial management systems show that although the Department is giving greater attention to IT security, serious issues remain to be resolved. These issues appear to be the result of an earlier lack of attention to IT security, limited resources, and an environment in which the risks, threats, and vulnerabilities have continued to escalate in number and complexity. The weaknesses identified by GAO's recent network vulnerability analysis of the Department underscore our concerns.

In our independent GISRA evaluation for the next fiscal year, we plan to evaluate the effectiveness of operating unit IT security programs and to conduct security evaluations of specific general support systems and major applications. We will use the findings of our current GISRA evaluation and of GAO's security audit to assist us in identifying specific operating units, general support systems, and major applications to evaluate in the future.

Cooperative Efforts Needed to Address IT Security Weaknesses

I am pleased to note that, just last month, my office entered into a memorandum of agreement with the Department's Office of the CIO and Office of Security to define our respective roles and.17 responsibilities relating to the development, implementation, and management of the Commerce IT security program. This agreement is intended to promote a partnership among the three offices that both ensures complete coverage of IT security matters and prevents wasteful duplication of effort.

Under the agreement, the CIO's office has the basic responsibility for developing and implementing the Commerce-wide IT security program, which includes developing IT security policies and procedures, promoting IT security awareness and training, serving as the Department's critical infrastructure assurance officer, and convening a meeting of the incident response group when incidents or intrusions occur. Commerce's Office of Security has the primary responsibility for security for the Department's classified systems and, in conjunction with the Department of State, for IT security at Commerce overseas posts. My office is responsible for conducting investigations of IT incidents and intrusions, and for conducting reviews of the Department's IT security program and individual systems, including the annual independent evaluations of the program required by GISRA.

In closing, it is clear that cooperative, continuous, and concerted efforts are needed by each of us-and I mean each of us-if we are to address IT security weaknesses. These efforts are needed if we are to have any chance of staying at least one step ahead of the hackers and others that see IT security as some sort of cat-and-mouse game.

I am confident that the senior management of the Department and its operating units increasingly recognize the need to take a proactive approach to do this. For example, the Secretary's recent directive increasing the authority of operating unit CIOs and making them a more integral part of the management team is an important initiative. Likewise, the recent appointment of a Senior.18 Advisor to the Secretary for Privacy should be instrumental in addressing such issues as cookies, web bugs, and other security/privacy matters. And program officials are also being strongly reminded that they too have key IT security responsibilities and need to work closely with operating unit CIOs and security officials to ensure an effective security program. We intend to continue our partnership with all of these managers by identifying weaknesses and potential vulnerabilities in IT security and by searching for ways to improve it. Through this relationship, I believe we can help strengthen IT security within the Department.

This concludes my statement. A list highlighting some of the reports we have issued that address IT security issues is included as an attachment. Mr. Chairman, I would be happy to answer any questions you or other members of the Committee might have

ATTACHMENT 

U.S. Department of Commerce 
Office of Inspector 
General Recent Audit, Inspection, and Evaluation Reports 
on Information Technology Security Matters Evaluations

Evaluations

1 Office of the Chief Information Officer: Use of Internet "Cookies" and "Web Bugs" on Commerce Web Sites Raises Privacy and Security Concerns, OSE-14257, April 2001

2 Office of the Chief Information Officer: Additional Focus Needed on Information Technology Security Policy and Oversight, OSE-13573, March 2001

3 Office of the Chief Information Officer: Critical Infrastructure Protection: Early Strides Were Made, but Planning and Implementation Have Slowed, OSE-12680, August 2000

4 Bureau of the Census: Computer Security for Transmission of Sensitive Data Should Be Strengthened, OSE-10773, September 1998

Financial Statements Audits

[Note: These audits are performed annually; listed below are only the reports covering FY 2000. In addition, the reports on security reviews are not publicly available documents.]

5 Department of Commerce: Consolidated Financial Statements, FY 2000, FSD-12849-1, March 2001

6 National Institute of Standards and Technology, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12859-1, February 2001

7 Economic Development Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12851-1, January 2001

8 Bureau of the Census, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12850-1, January 2001

9 National Technical Information Service, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12857-1, January 2001

10 Office of the Secretary, Follow-up Review of the General Controls Associated with the Office of Computer Services/Financial Accounting and Reporting System, FSD-12852-1, January 2001

11 International Trade Administration, Review of General and Application System Controls Associated with the Fiscal Year 2000 Financial Statements, FSD-12854-1, January 2001

2 National Oceanic and Atmospheric Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12855-1, December 2000

13 United States Patent and Trademark Office, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12858-1, December 2000

Inspections

14 National Oceanic and Atmospheric Administration: San Angelo Weather Forecast Office Performs Its Core Responsibilities Well, but Office Management and Regional Oversight Need Improvement, IPE-13531, June 2001

15 National Oceanic and Atmospheric Administration: Raleigh Weather Forecast Office Provides Valuable Services, but Needs Improved Management and Internal Controls, IPE-12661, September 2000

16 Bureau of Export Administration: Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, IPE-11488, June 1999

17 Office of Security: Vulnerabilities in the Department's Classified Tracking System Need to Be Corrected, IPE-11630, March 1999

U.S. House Seal
The Committee on Energy and Commerce
2125 Rayburn House Office Building
Washington, DC 20515
(202) 225-2927
Feedback

IWS Mailing Lists






Mailing Lists Overview