Department of Homeland Security Ofﬁce of Inspector General · Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of

Department of Homeland SecurityOffice of Inspector General

Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2008 DHS

Financial Statement Audit

(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-09-48 March 2009

Office of Inspector General

U.S. Department of Homeland Security Washington, DC 25028

March 27, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the Federal Emergency Management Agency component of the FY 2008 DHS financial statement audit as of September 30, 2008. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-09-09, November 2008) and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of DHS’ FY 2008 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 5, 2008, and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or make conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner Inspector General

KPMG LLP 2001 M Street, NW Washington, DC 20036

December 5, 2008

Inspector General U.S. Department of Homeland Security

Chief Information Officer Federal Emergency Management Agency

Chief Financial Officer Federal Emergency Management Agency

Ladies and Gentlemen:

We were engaged to audit the consolidated balance sheet of the U.S. Department of Homeland Security (DHS) as of September 30, 2008, and the related statement of custodial activity for the year then ended (referred to herein as “financial statements”). We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources for the year ended September 30, 2008 (referred to herein as “other financial statements”). Due to matters discussed in our Independent Auditors’ Report, dated November 14, 2008, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements.

In connection with our fiscal year (FY) 2008 engagement, we considered the Federal Emergency Management Agency’s (FEMA) internal control over financial reporting by obtaining an understanding of FEMA’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of DHS’ internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of DHS’ internal control over financial reporting. Further, other matters involving internal control over financial reporting may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 2008, and the related statement of custodial activity for the year then ended, and had we been engaged to audit the other FY 2008 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects DHS’ ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of DHS’ financial statements that is more than inconsequential will not be prevented or detected by DHS’ internal control over financial reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity’s internal control.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

During our audit engagement, we noted certain matters with respect to FEMA’s financial systems’ information technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT general and application controls. These matters are described in the IT General Control Findings by Audit Area section of this letter.

The material weakness described above is presented in our Independent Auditors’ Report, dated November 14, 2008. This letter represents the separate restricted distribution report mentioned in that report.

Although not considered to be material weaknesses, we also noted certain other matters during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided: a description of key FEMA financial systems and IT infrastructure within the scope of the FY 2008 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 5, 2008.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security Federal Emergency Management Agency Information Technology Management Letter

September 30, 2008

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS Page

Objective, Scope and Approach 1

Summary of Findings and Recommendations 3

IT General Control Findings by Audit Area 4

Findings Contributing to a Material Weakness in IT 4

Access Controls 4

Application Software Development and Change Controls 4

System Software 4

Service Continuity 4

Entity-wide Security Program Planning and Management 4

Other Findings in IT General Controls 6

Access Controls 6

Service Continuity 6

System Software 6

Entity-wide Security Program Planning and Management 6

Segregation of Duties 6

Application Control Findings 9

Management Comments and OIG Response 9

APPENDICES

Appendix Subject Page

Description of Key Federal Emergency Management Agency Financial Systems and Information Technology Infrastructure within the Scope of A 10the FY 2008 Department of Homeland Security Financial Statement Audit Engagement

FY 2008 Notices of Information Technology Findings and B 12Recommendations at the Federal Emergency Management Agency


September 30, 2008

C Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at the Federal Emergency Management Agency

26

D Management Comments 34


September 30, 2008

OBJECTIVE, SCOPE AND APPROACH

We were engaged to perform audit procedures over Department of Homeland Security (DHS) information technology (IT) general controls in support of the fiscal year (FY) 2008 DHS balance sheet and statement of custodial activity audit engagement. The overall objective of our engagement was to evaluate the effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit procedures. The scope of the IT general controls assessment performed at the Federal Emergency Management Agency (FEMA) is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the IT general controls environment.

�

�

�

�

�

�

Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure. Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs. System software controls (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware and secure applications supported by the system. Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records. Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our IT general controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls. The technical security testing was performed both over the Internet and from within select FEMA facilities, and focused on test, development, and production devices that directly support FEMA’s financial processing and key general support systems.

In addition to testing FEMA’s IT general control environment, we performed testing of automated application controls on a limited number of FEMA’s financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

1 Information Technology Management Letter for the FEMA Component of the FY 2008 DHS



September 30, 2008

� Application controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.




September 30, 2008

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2008, FEMA took corrective action to address prior year IT control weaknesses. For example, FEMA made improvements by restricting access to offline account tables, implementing an alternate processing site for one of its financial applications, and improving the process for retaining National Flood Insurance Program (NFIP) change control documentation. However, during FY 2008, we continued to identify IT general control weaknesses at FEMA. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data and controls over program changes. Collectively, the identified IT control weaknesses limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over FEMA financial reporting and its operation, and we consider them to collectively represent a material weakness for FEMA under standards established by the American Institute of Certified Public Accountants (AICPA). The applicable IT findings were combined into one material weakness regarding IT in our Independent Auditors’ Report, dated November 14, 2008, on the DHS consolidated financial statements.

Of the 26 findings identified during our FY 2008 testing, 15 were repeat findings, either partially or in whole from the prior year, and 11 were new findings. These findings were representative of five of the six key FISCAM control areas, and the majority were inherited from the lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from: 1) inadequately designed and operating access control policies and procedures relating to the granting of access to systems and supervisor re-certifications of user access privileges, 2) lack of properly monitored audit logs, 3) inadequately designed and operating change control policies and procedures, 4) patch and configuration management weaknesses within the system, and 5) the lack of tested contingency plans. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and FEMA financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

While the recommendations made by KPMG should be considered by FEMA, it is the ultimate responsibility of FEMA management to determine the most appropriate method(s) for addressing the weaknesses identified based on system capabilities and available resources.




September 30, 2008

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Conditions: In FY 2008, the following IT and financial system control weaknesses were identified at FEMA and contribute to a DHS-level significant deficiency that is considered a material weakness in IT general and application controls:

1. Access controls – we noted:

�

�

�

�

User account lists were not periodically reviewed for appropriateness, resulting in inappropriate authorizations and excessive user access privileges;

Accounts were not disabled or removed promptly upon personnel termination;

Audit logs were not reviewed or evidence of audit log reviews was not retained; and

Security patch management and configuration weaknesses exist on hosts supporting the key financial applications and general support systems.

2. Application software development and change controls – we noted:

� Emergency and non-emergency changes were made prior to management approval. Additionally, changes made to the system did not always follow established procedures. Specifically,

, test plans, test results, approvals, and software modifications were not consistently performed or documented.

3. System software – we noted:

� Evidence of system software audit log reviews is not retained.

4. Service continuity – we noted:

� An alternate processing site is not operational for one of the FEMA financial systems.

5. Entity-wide security program planning and management – we noted:

� Vulnerabilities identified from periodic scans are not reported and tracked via the Plan of Action and Milestones (POA&M) process.

Recommendations: We recommend that the FEMA Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO), in coordination with the DHS OCIO and OCFO, make the following improvements to FEMA’s financial management systems and associated IT security program:




September 30, 2008

1. For access controls:

�

�

�

�

�

Develop and appropriately implement an access authorization process that ensures that a request is completed and documented for each individual prior to granting him/her access to a financial application or database;

Implement an account management certification process within FEMA to ensure the periodic review of user accounts for appropriate access and ensure that current user profiles are appropriately documented;

Implement a process to ensure that all system accounts of terminated employees and contractors are immediately removed/end-dated/disabled upon their departure;

Develop and implement detailed procedures requiring the consistent and timely review of operating system and application logs for suspicious activity and the maintenance of documentation supporting such reviews; and

Conduct periodic vulnerability assessments, whereby systems are periodically reviewed for access controls related to patch management and configuration management not in compliance with DHS and other Federal guidance, and ensure that corrective action is developed, tracked, and performed to remediate any security weaknesses identified.

2. For application software development and change control:

� Further develop and enforce policies that require changes and emergency changes to the application software to be approved, tested, and documented prior to implementation, and related documentation to be appropriately maintained.

3. For system software:

� Actively monitor the use of and changes related to operating systems and other sensitive utility software and hardware, and maintain evidence of this monitoring.

4. For service continuity:

� Ensure that alternate processing sites are established and made operational.

5. For entity-wide security program planning and management:

� Ensure that all vulnerabilities and weaknesses are reported and tracked via the POA&M process.




September 30, 2008

Other Findings in IT General Controls

Although not considered to be a material weakness, we also noted the following other matters related to IT and financial system control deficiencies during the FY 2008 audit engagement:

1. Access controls – we noted:

�

�

�

�

Interconnection Security Agreements (ISA) between FEMA and external parties were not in place or not finalized;

A formalized process does not exist to guide staff in the modification of system accounts to ensure that appropriate privileges are created, documented, and approved for a specific function;

Instances of inadequate or weak passwords that existed on key systems, servers and databases that house financial data; and

Workstations were configured without up-to-date anti-virus software.

2. Service continuity – we noted:

�

�

Full testing of a current and finalized contingency plan was not conducted; and Backup tapes are not tested on a quarterly basis.

3. System software – we noted:

�

�

Procedures for identifying and installing patches are in draft and have not been implemented; and

Developer changes to the directory and sub-directories of one financial application are not monitored to review and validate implemented changes.

4. Entity-wide security program planning and management – we noted:

� The system security plan for one financial system is not accurate and up-to-date.

5. Segregation of duties – we noted:

� Documentation surrounding incompatible roles and responsibilities does not exist over a key financial application, and policies and procedures for properly segregating incompatible duties within the system are not documented.

Recommendations: We recommend that the FEMA OCIO and FEMA OCFO, in coordination with the DHS OCIO and OCFO, make the following improvements to FEMA’s financial management systems:




September 30, 2008

1. For access controls:

�

�

Ensure that ISAs are documented and finalized between FEMA and all applicable external parties;

Develop and implement policies and procedures that document the process of adding, deleting, and modifying functions to ensure that the proper controls are in place for modifying user account privileges;

�

�

Enforce password controls that meet DHS’ password requirements on all key financial systems; and

Develop procedures to regularly review and monitor workstations to ensure that the most up-todate virus protection software is installed.

2. For service continuity:

�

�

Perform testing of key service continuity capabilities, including contingency planning. Ensure that all contingency plans and related documentation are updated upon completion of testing; and

Test backup tapes at least quarterly.

3. For system software:

�

�

Implement a patch management policy and enforce the requirement that systems are periodically tested for vulnerabilities by FEMA and the DHS OCIO; and

Establish a process within existing procedures for retaining documented evidence that developer changes to a financial application directory and sub-directories are monitored to verify that only authorized changes are implemented into production.

4. For entity-wide security program planning and management:

� Finalize and implement the comprehensive system security plans for all key financial systems in accordance with DHS and NIST guidance.

5. For segregation of duties:

� Document duties that are incompatible, and develop and implement policies and procedures for properly segregating incompatible duties within the system.

Cause/Effect: Many of these weaknesses originate from policy and system development activities that did not incorporate strong security controls from the outset and will take several years to fully remediate. While FEMA has made improvements in addressing the root cause of some IT weaknesses and has worked to improve security controls, we found that focus is often still placed on the tracking of responses




September 30, 2008

to audit recommendations, instead of on developing the most effective method of addressing the actual control weakness. When weaknesses in controls or processes are identified, we noted that corrective actions implemented address the symptom of the problem and do not always correct the root cause, resulting in a temporary fix. Further, detection of these temporary fixes through self-evaluation is not effective, due to insufficient testing of IT controls and remediation activities. Finally, FEMA has undertaken several high priority and competing IT initiatives to improve its control environment and does not always have sufficient resources to direct towards the implementation of security controls in a consistent manner.

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness and that all user accounts belong to current employees and contractors. Furthermore, monitoring of the more highly privileged accounts is essential. The weaknesses identified within FEMA’s access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual, or another person with knowledge of an active account of a terminated employee or contractor, could use the account to alter the data contained within the application or database without being detected. This may also increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

Furthermore, the lack of fully implemented security configuration management controls may result in security responsibilities communicated to system developers improperly as well as the improper implementation and monitoring of system changes. This also increases the risk of unsubstantiated changes and changes that may introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or sensitive information and systems, which may reduce the reliability of information produced by these systems.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective IT general controls. In addition, OMB Circular No. A-127, Financial Management Systems, prescribes policies and standards for Executive Branch departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. For this year’s IT audit procedures, we also assessed FEMA’s compliance with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program.




September 30, 2008

APPLICATION CONTROL FINDINGS

No application control weaknesses were identified during our FY 2008 testing of IT controls.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from FEMA Management. Generally, FEMA agreed with all of our findings and recommendations. FEMA has developed a remediation plan to address these findings and recommendations. We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

OIG Response

We agree with the steps that FEMA management is taking to satisfy these recommendations.



Appendix A


September 30, 2008

Appendix A

Description of Key Federal Emergency Management Agency Financial Systems and Information Technology Infrastructure within the Scope of the

FY 2008 Department of Homeland Security Financial Statement Audit Engagement



�

�

�

�

Appendix A


September 30, 2008

Below is a description of significant Federal Emergency Management Agency (FEMA) financial management systems and supporting information technology (IT) infrastructure included in the scope of the engagement to perform the financial statement audit.

Locations of Audit: FEMA .; the in ; the National Flood Insurance Program (NFIP) in

; and the NFIP contractor location in .

Key Systems Subject to Audit:

– is the key financial reporting system, and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).

– is an integrated system to provide FEMA, the states, and certain other federal agencies with automation to perform disaster related operations. supports all phases of emergency management and provides financial-related data to via an automated interface.

( - The application acts as a central repository of all data submitted by the Write Your Own (WYO) companies and Direct Servicing Agent. also supports the NFIP, primarily by ensuring the quality of financial data submitted by the WYO companies and the Direct Servicing Agent to . is a

-based application that runs on the NFIP logical partition in

- The general ledger application used by to generate the NFIP financial statements. is a client-server application that runs on a server in , which is secured in the room. The client is installed on the desktop computers of the Bureau of Financial Statistical Control group members.

is a web-based application which was developed by specifically for FEMA grants. allows grantees to access their grant funds and upload SF 269s online. Draw down transaction information from is interfaced with . then interfaces with the U.S. Department of the Treasury (Treasury) to transfer payment information to Treasury, resulting in a disbursement of funds to the grantee.



Appendix B


September 30, 2008

Appendix B

FY 2008 Notices of Information Technology Findings and Recommendations at the Federal Emergency Management Agency



Appendix B


September 30, 2008

Notice of Findings and Recommendations – Definition of Risk Ratings**:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and Low** based upon the potential impact that each weakness could have on Federal Emergency Management Agency’s (FEMA) information technology (IT) general control environment and the integrity of the financial data residing on FEMA’s financial systems, and the pervasiveness of the weakness.

** The risk ratings are intended only to assist management in prioritizing corrective actions, considering the potential benefit of the corrective action to strengthen the IT general control environment and/or the integrity of the DHS consolidated financial statements. The risk ratings, used in this context, are not defined by Government Auditing Standards, issued by the Comptroller General of the United States, or the American Institute of Certified Public Accountants (AICPA) Professional Standards, and do not necessarily correlate to a significant deficiency, as defined by the AICPA Professional Standards and reported in our Independent Auditors’ Report on the DHS consolidated financial statements, dated November 14, 2008.

Correction of some higher risk findings may help mitigate the severity of lower risk findings, and possibly function as a compensating control. In addition, analysis was conducted collectively on all NFRs to assess connections between individual NFRs, which when joined together could lead to a control weakness occurring with more likelihood and/or higher impact potential.

High Risk**: A control weakness that is more serious in nature affecting a broader range of financial IT systems, or having a more significant impact on the IT general control environment and /or the integrity of the financial statements as a whole.

Medium Risk**: A control weakness that is less severe in nature, but in conjunction with other IT general control weaknesses identified, may have a significant impact on the IT general control environment and / or the integrity of the financial statements as a whole.

Low Risk**: A control weakness minimal in impact to the IT general control environment and / or the integrity of the financial statements.



App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

FY

200

8 N

otic

es o

f Inf

orm

atio

n T

echn

olog

y

Not

ices

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

14

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

FE

MA

-IT-

08

02

FEM

A-I

T-08

03

Dur

ing

our v

ulne

rabi

lity

asse

ssm

ent t

echn

ical

te

stin

g, c

erta

in c

onfig

urat

ion

man

agem

ent

wea

knes

ses w

ere

iden

tifie

d on

and

data

base

inst

ance

s and

on

key

supp

ort s

erve

rs.

Spec

ifica

lly, s

erve

rs w

ere

iden

tifie

d w

ith p

assw

ord

and

audi

ting

conf

igur

atio

n w

eakn

esse

s.

acc

ount

use

rs d

id n

ot c

ompl

ete

a ne

w F

EMA

Fo

rm 2

0-24

in re

spon

se to

the

rece

rtific

atio

n pr

oces

s.

FEM

A sh

ould

impl

emen

t the

cor

rect

ive

actio

ns

liste

d in

the

NFR

for e

ach

tech

nica

l con

trol

wea

knes

s ide

ntifi

ed.

Ensu

re th

at th

e O

ffic

e of

Chi

ef F

inan

cial

Off

icer

(O

CFO

) Pro

cedu

res f

or G

rant

ing

Acc

ess t

o ar

e co

nsis

tent

ly fo

llow

ed b

y co

ntin

uing

to

per

form

and

doc

umen

t a re

view

of a

ll ac

coun

ts in

acc

orda

nce

with

DH

S po

licy,

in

clud

ing

supe

rvis

or v

erifi

catio

n of

all

acce

ss

priv

ilege

s gra

nted

thro

ugh

the

subm

issi

on o

f a

new

FEM

A F

orm

20-

24 b

y al

l fed

eral

em

ploy

ees a

nd c

ontra

ctor

s.

X

X H

igh

Hig

h

FEM

A-I

T-08

06

W

e no

ted

that

FEM

A h

as m

ade

a m

anag

emen

t de

cisi

on n

ot to

dev

elop

pol

icie

s and

pro

cedu

res o

ver

the

mod

ifica

tion

of

acco

unt f

unct

ions

unt

il th

e ne

w

syst

em u

pgra

de o

ccur

s. W

e no

ted

that

FEM

A h

as re

porte

d in

the

Plan

of A

ctio

n an

d M

ilest

ones

that

they

exp

ect t

o ad

dres

s cor

rect

ive

actio

n fo

r thi

s wea

knes

s in

FY 2

010.

As a

resu

lt, a

fo

rmal

ized

pro

cess

doe

s not

exi

st to

gui

de F

inan

cial

Se

rvic

es S

ectio

n (F

SS) s

taff

in th

e m

odifi

catio

n of

We

reco

mm

end

that

FEM

A d

evel

op a

nd

impl

emen

t pol

icie

s and

pro

cedu

res d

ocum

entin

g th

e pr

oces

s of a

ddin

g, d

elet

ing,

and

mod

ifyin

g sy

stem

func

tions

to e

nsur

e th

at th

e pr

oper

con

trols

are

in p

lace

for m

odify

ing

user

ac

coun

t priv

ilege

s.

X L

ow

15

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

th

e sy

stem

to e

nsur

e th

at a

ppro

pria

te p

rivile

ges a

re

crea

ted,

doc

umen

ted,

and

app

rove

d fo

r a sp

ecifi

c fu

nctio

n.

FEM

A-I

T-08

12

FEM

A-I

T-08

13

FEM

A in

form

ed u

s tha

t the

aut

omat

ed m

anag

er

certi

ficat

ion

proc

ess h

as n

ot y

et b

egun

. Th

eref

ore,

th

e FY

200

8 re

certi

ficat

ion

has n

ot b

een

com

plet

ed

and

the

risk

of u

naut

horiz

ed u

sers

acc

essi

ng

was

pre

sent

for a

maj

ority

of t

he fi

scal

yea

r.

KPM

G w

as in

form

ed th

at te

rmin

ated

us

ers

are

to h

ave

the

“ ”

role

app

lied

to

thei

r acc

ount

pro

file

prio

r to

bein

g re

mov

ed fr

om th

e ap

plic

atio

n, w

hich

ove

rrid

es a

ll ex

istin

g ro

les a

nd

deac

tivat

es a

ny e

xist

ing

priv

ilege

s with

in th

e ap

plic

atio

n al

thou

gh th

e in

divi

dual

can

still

log

into

th

e ac

coun

t. H

owev

er, F

EMA

Inst

ruct

ion

2200

.7

spec

ifies

that

per

sonn

el se

para

ting

from

FEM

A sh

all

have

all

acc

ess p

rivile

ges c

ance

lled

and

thei

r us

er a

ccou

nt re

mov

ed. C

onse

quen

tly, a

lthou

gh th

e ris

k is

miti

gate

d by

the

limite

d ac

cess

righ

ts o

n th

e ac

coun

ts w

ith th

e “

” pr

ivile

ge, t

hose

si

x ac

coun

ts d

emon

stra

te th

at th

e po

licie

s and

pr

oced

ures

surr

ound

ing

the

term

inat

ed u

ser

proc

ess a

re n

ot c

onsi

sten

tly a

pplie

d an

d th

e ac

coun

ts

� �

Ded

icat

e re

sour

ces t

o co

mpl

ete

the

revi

ew

of

use

r acc

ess f

or F

Y 2

008

and

cond

uct s

ubse

quen

t ann

ual r

evie

ws o

f u

ser a

cces

s by

perf

orm

ing

the

man

agem

ent c

ertif

icat

ion

proc

ess i

n ac

cord

ance

with

FEM

A a

nd D

HS

polic

ies

and

proc

edur

es.

Fully

impl

emen

t the

pol

icie

s and

pro

cedu

res

in p

lace

for t

he

rece

rtific

atio

n pr

oces

s and

reta

in a

udita

ble

reco

rds,

in

acco

rdan

ce w

ith D

HS

polic

y, th

at p

rovi

de

evid

ence

that

rece

rtific

atio

ns a

re c

ondu

cted

an

d co

mpl

eted

per

iodi

cally

with

tim

elin

ess.

En

sure

that

pol

icie

s and

pro

cedu

res o

ver

rem

oval

of s

epar

ated

use

r acc

ess t

o a

nd

are

con

sist

ently

follo

wed

by

rem

ovin

g ac

coun

ts fo

r any

sepa

rate

d us

ers i

mm

edia

tely

up

on n

otifi

catio

n of

sepa

ratio

n ac

cord

ing

to

FEM

A, D

HS

and

Nat

iona

l Ins

titut

e of

Sta

ndar

ds

and

Tech

nolo

gy g

uida

nce.

X X

Med

ium

Hig

h

16

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

ha

ve n

ot b

een

rem

oved

. Add

ition

ally

, fou

r (4)

out

of

the

ten

(10)

acc

ount

s rem

aine

d on

the

syst

em

with

an

activ

e st

atus

.

FEM

A-I

T-08

17

Th

ere

is n

o do

cum

ente

d ev

iden

ce to

supp

ort t

hat

mon

itorin

g of

the

“ d

irect

ory

and

sub

dire

ctor

ies o

f is

occ

urrin

g.

We

reco

mm

end

that

FEM

A e

stab

lish

a pr

oces

s w

ithin

exi

stin

g pr

oced

ures

for r

etai

ning

do

cum

ente

d ev

iden

ce th

at th

e “

” di

rect

ory

and

sub-

dire

ctor

ies a

re b

eing

m

onito

red

to v

erify

that

onl

y au

thor

ized

cha

nges

ar

e im

plem

ente

d in

to p

rodu

ctio

n.

X

Med

ium

FEM

A-I

T-08

19

W

hile

FEM

A in

form

ed u

s tha

t sys

tem

softw

are

activ

ity is

logg

ed, w

e w

ere

unab

le to

obt

ain

evid

ence

th

at th

e au

dit l

ogs w

ere

revi

ewed

on

a pe

riodi

c ba

sis.

We

reco

mm

end

that

FEM

A’s

pro

cess

for

mon

itorin

g se

nsiti

ve a

cces

s and

susp

icio

us

activ

ity o

n sy

stem

softw

are

incl

ude

rete

ntio

n of

evi

denc

e th

at a

udit

reco

rds a

re

proa

ctiv

ely

revi

ewed

.

X

Med

ium

FEM

A-I

T-08

22

Pe

r ins

pect

ion

of th

e Pl

an o

f Act

ions

and

Mile

ston

es,

we

note

d th

at c

orre

ctiv

e ac

tion

was

initi

ated

by

FEM

A to

impl

emen

t an

alte

rnat

e pr

oces

sing

faci

lity

for

but t

hat t

he a

ltern

ate

site

has

not

bee

n es

tabl

ishe

d.

Due

to th

e m

agni

tude

of t

he p

roje

ct sc

ope,

im

plem

enta

tion

of a

n al

tern

ate

proc

essi

ng si

te w

ill

not b

e ac

hiev

ed w

ithin

twel

ve (1

2) m

onth

s. C

onsi

sten

t with

DH

S po

licy

for c

orre

ctiv

e ac

tions

th

at c

anno

t be

impl

emen

ted

with

in tw

elve

(12)

m

onth

s, a

DH

S IT

Sec

urity

Pro

gram

Wai

ver

(num

ber W

R-2

008-

012)

was

app

rove

d by

the

DH

S C

hief

Info

rmat

ion

Secu

rity

Off

icer

in M

arch

200

8 to

pr

ovid

e FE

MA

with

add

ition

al ti

me

to p

lan

and

� �

Com

plet

e on

-goi

ng e

ffor

ts to

fully

est

ablis

h an

d im

plem

ent a

n al

tern

ate

proc

essi

ng si

te

for t

he sy

stem

acc

ordi

ng to

DH

S 43

00A

.

En

sure

that

redu

ndan

t ser

vers

are

cre

ated

at

the

alte

rnat

e pr

oces

sing

site

that

is

esta

blis

hed

for t

he

serv

ers l

ocat

ed a

t th

e du

ring

impl

emen

tatio

n of

the

alte

rnat

e pr

oces

sing

site

.

�

Upd

ate

the

exis

ting

wai

ver,

as re

quire

d,

acco

rdan

ce w

ith e

ffec

tive

DH

S po

licy

in

X

H

igh

17

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

FEM

A-I

T-08

23

deve

lop

an e

ffec

tive

alte

rnat

e pr

oces

sing

site

for

. Pe

r DH

S po

licy,

the

wai

ver m

ust b

e re

view

ed, u

pdat

ed, a

nd re

-app

rove

d by

the

appr

opria

te m

anag

emen

t off

icia

ls e

very

six

(6)

mon

ths.

As r

equi

red

by D

HS

polic

y, th

e ap

prov

ed w

aive

r de

scrib

es th

e m

itiga

ting

effo

rts, m

anag

emen

t’s

acce

ptan

ce o

f the

ass

ocia

ted

resi

dual

risk

, and

a p

lan

for a

ttain

ing

com

plia

nce

with

DH

S po

licy.

The

w

aive

r als

o do

cum

ents

the

com

pens

atin

g co

ntro

ls to

m

itiga

te ri

sk u

ntil

the

alte

rnat

e pr

oces

sing

site

is

impl

emen

ted.

The

com

pens

atin

g co

ntro

ls a

re to

be

deriv

ed b

y co

nduc

ting

annu

al ta

ble-

top

exer

cise

s and

en

surin

g th

at re

gula

r bac

kups

of c

ritic

al

data

an

d of

fsite

bac

kup

stor

age

are

perf

orm

ed.

How

ever

, a

fully

succ

essf

ul ta

ble-

top

test

of

has n

ot

been

con

duct

ed fo

r FY

200

8. T

he w

aive

r gra

nted

pr

ovid

es a

n ex

tens

ion

of ti

me

to im

plem

ent

corr

ectiv

e ac

tion,

but

the

asso

ciat

ed ri

sk st

ill

rem

ains

.

syst

em a

dmin

istra

tors

con

duct

ed a

d ho

c ba

ckup

tape

rest

ores

for s

yste

m u

sers

and

per

form

ed

a fu

ll da

taba

se re

stor

e in

Mar

ch 2

008

durin

g a

serv

er

upgr

ade.

How

ever

, the

re w

as n

o ev

iden

ce th

at

quar

terly

test

ing

was

con

duct

ed o

r tha

t FEM

A h

as a

fo

rmal

ized

pro

cess

to te

st b

acku

p ta

pes m

ore

freq

uent

ly th

an a

nnua

lly.

rega

rdin

g w

aive

rs, a

nd e

nsur

e th

at

com

pens

atin

g co

ntro

ls d

escr

ibed

in th

e w

aive

r are

eff

ectiv

e an

d do

cum

enta

tion

of

thei

r eff

ectiv

enes

s is m

aint

aine

d as

aud

itabl

e re

cord

s.

We

reco

mm

end

that

FEM

A d

evel

op a

nd

impl

emen

t pro

cedu

res t

o pe

riodi

cally

test

the

bac

kups

in a

ccor

danc

e w

ith D

HS

Info

rmat

ion

Tech

nolo

gy S

ecur

ity P

rogr

am

Publ

icat

ion

4300

A re

quire

men

ts.

X

Low

FEM

A IT

-08

24

We

note

d th

at th

e ta

pe re

stor

e sc

hedu

le re

quire

s qu

arte

rly te

stin

g of

bac

kup

tape

s beg

inni

ng n

o ea

rlier

th

an F

Y 2

009.

We

reco

mm

end

that

FEM

A p

erio

dica

lly te

st

bac

kups

on

a qu

arte

rly b

asis

in

com

plia

nce

with

FEM

A a

nd D

HS

polic

y.

X

Low

18

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

Add

ition

ally

, we

dete

rmin

ed th

at th

e C

ontin

genc

y Pl

an w

as n

ot te

sted

and

con

sequ

ently

a

full

bac

kup

tape

rest

ore

did

not o

ccur

in F

Y

2008

. R

athe

r, sy

stem

adm

inis

trato

rs

cond

ucte

d ad

hoc

bac

kup

tape

rest

ores

at t

he re

ques

t of

syst

em u

sers

dur

ing

the

fisca

l yea

r.

FEM

A-I

T-08

25

D

ue to

the

mag

nitu

de o

f the

pro

ject

scop

e to

es

tabl

ish

a “r

eal-t

ime”

alte

rnat

e pr

oces

sing

site

for

FEM

A w

as u

nabl

e to

impl

emen

t cor

rect

ive

actio

ns to

fully

rem

edia

te th

e pr

ior y

ear f

indi

ng

with

in tw

elve

(12)

mon

ths.

Con

sist

ent w

ith D

HS

polic

y fo

r fin

ding

s tha

t can

not b

e re

med

iate

d w

ithin

tw

elve

(12)

mon

ths,

a D

HS

IT S

ecur

ity P

rogr

am

Wai

ver (

num

ber W

R-2

008-

012)

was

app

rove

d by

th

e D

HS

Chi

ef In

form

atio

n Se

curit

y O

ffic

er in

M

arch

200

8 to

pro

vide

FEM

A w

ith a

dditi

onal

tim

e to

pla

n an

d de

velo

p an

eff

ectiv

e al

tern

ate

proc

essi

ng

site

for

Per D

HS

polic

y, th

e w

aive

r mus

t be

revi

ewed

, upd

ated

, and

re-a

ppro

ved

by th

e ap

prop

riate

man

agem

ent o

ffic

ials

eve

ry si

x (6

) m

onth

s. T

he w

aive

r ide

ntifi

es th

at u

ntil

the

alte

rnat

e pr

oces

sing

site

is im

plem

ente

d an

d fu

ll sc

ale

test

ing

can

be c

ondu

cted

, com

pens

atin

g co

ntro

ls w

ill b

e im

plem

ente

d by

con

duct

ing

annu

al ta

ble-

top

exer

cise

s.

Add

ition

ally

, at t

he c

lose

of o

ur a

udit

test

wor

k, w

e de

term

ined

that

ann

ual t

able

-top

test

ing

had

not b

een

cond

ucte

d an

d do

cum

ente

d. W

e de

term

ined

that

the

mos

t rec

ently

con

duct

ed ta

ble-

top

revi

ew o

f the

� � � �

Con

tinue

to d

edic

ate

reso

urce

s tow

ards

co

mpl

etin

g on

-goi

ng c

orre

ctiv

e ac

tions

to

impl

emen

t a “

real

-tim

e” a

ltern

ate

proc

essi

ng si

te fo

r

Upd

ate

the

exis

ting

wai

ver,

as re

quire

d, in

ac

cord

ance

with

eff

ectiv

e D

HS

polic

y re

gard

ing

wai

vers

, and

ens

ure

that

co

mpe

nsat

ing

cont

rols

des

crib

ed in

the

wai

ver a

re e

ffec

tive

and

docu

men

tatio

n of

th

eir e

ffec

tiven

ess i

s mai

ntai

ned

as a

udita

ble

reco

rds.

In

the

even

t tha

t an

upda

ted

wai

ver i

s den

i or

whe

n th

e al

tern

ate

proc

essi

ng si

te is

es

tabl

ishe

d, c

ondu

ct d

ocum

ente

d an

nual

ed

test

s of t

he

con

tinge

ncy

plan

that

ad

dres

s all

criti

cal p

hase

s of t

he p

lan.

p or

full-

scal

e te

stin

g re

sults

, as n

eces

sary

.

Upd

ate

the

con

tinge

ncy

plan

bas

ed

on th

e le

sson

s lea

rned

from

tabl

e-to

X

Med

ium

19

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Ris

k Is

sue

Rat

ing*

co

ntin

genc

y pl

an o

ccur

red

on Ju

ly 2

1, 2

00

and

was

con

duct

ed fo

r pro

cess

es, p

roce

dure

s, an

d sc

enar

ios i

dent

ified

in th

e co

ntin

genc

y pl

an d

ated

Ju

ne 2

9, 2

007.

We

note

d th

at th

e do

cum

ente

d re

sults

of

the

July

200

7 te

st st

ated

that

FEM

A w

as u

nabl

e to

su

cces

sful

ly c

ompl

ete

step

s tha

t wer

e pl

anne

d to

be

cond

ucte

d du

ring

the

Rec

over

y Pr

oced

ure

Act

ivat

ion

phas

e du

e to

mat

eria

l wea

knes

ses a

nd d

efic

ienc

ies 7

cite

d in

the

reco

very

pro

cedu

res.

FEM

A-I

T-08

28

D

urin

g ou

r FY

200

8 fo

llow

up

test

wor

k, w

e te

sted

a

sele

ctio

n of

40

non-

emer

genc

y ap

plic

atio

n le

vel

that

had

oc

curr

ed si

nce

Oct

ober

1, 2

007.

Of t

he 4

0 es

ted,

we

note

d th

e fo

llow

ing

exce

ptio

ns:

t

� � �

29

did

not h

ave

test

ing

docu

men

tatio

n at

tach

ed to

the

;

36

did

not h

ave

appr

oval

; an

d

32

did

not h

ave

appr

oval

We

reco

mm

end

that

FEM

A, i

n ac

cord

ance

w

ith D

HS

and

FEM

A p

olic

y, e

nsur

e th

at

non-

emer

genc

y ap

plic

atio

n le

vel

chan

ges o

btai

n al

l req

uire

d ap

prov

als p

rior t

o im

plem

enta

tion

into

pro

duct

ion

and

that

te

stin

g do

cum

enta

tion

is a

ppro

pria

tely

et

aine

d.r

X

M

ediu

m

FEM

A-I

T-08

29

W

e no

ted

that

a

ppro

vals

for

app

licat

ion

leve

l em

erge

ncy

chan

ges d

id n

ot c

onsi

sten

tly fo

llow

FE

MA

and

DH

S gu

idan

ce.

Spec

ifica

lly, w

e de

term

ined

that

of 2

5 em

erge

ncy

cha

nges

se

lec

dte

for t

estin

g:

� �

22 c

hang

es d

id n

ot h

ave

docu

men

ted

appr

oval

;

4 di

d no

t hav

e ap

prov

al p

rior t

o

We

reco

mm

end

that

FEM

A, i

n ac

cord

ance

w

ith D

HS

and

FEM

A p

olic

y, e

nsur

e th

at

app

licat

ion

leve

l em

erge

ncy

chan

ges

obta

in a

ll re

quire

d ap

prov

als p

rior t

o im

plem

enta

tion

into

pro

duct

ion

and

that

te

stin

g do

cum

enta

tion

is a

ppro

pria

tely

et

aine

d.r

X

M

ediu

m

20

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

FEM

A-I

T-08

38

impl

emen

tatio

n in

to p

rodu

ctio

n;

� �

16 d

id n

ot h

ave

app

rova

l; an

d

6 di

d no

t hav

e re

late

d te

stin

g do

cum

enta

tion

atta

ched

. W

e w

ere

refe

rred

to S

ectio

n 2.

2.1

of th

e N

FIP

Adm

inis

trativ

e M

anua

l as g

uida

nce

on se

greg

atin

g in

com

patib

le d

utie

s. B

ased

on

our r

evie

w o

f the

m

anua

l, w

e no

ted

that

it d

oes n

ot in

clud

e po

licie

s an

d pr

oced

ures

rega

rdin

g se

greg

atin

g in

com

patib

le

dutie

s with

in

Add

ition

ally

, whi

le w

e no

ted

that

syst

em ro

les a

nd re

spon

sibi

litie

s hav

e be

en

docu

men

ted,

d

utie

s tha

t are

inco

mpa

tible

ar

e no

t doc

umen

ted.

We

reco

mm

end

that

NFI

P do

cum

ent

dutie

s tha

t are

inco

mpa

tible

and

dev

elop

and

im

plem

ent p

olic

ies a

nd p

roce

dure

s for

pro

perly

se

greg

atin

g in

com

patib

le d

utie

s with

in th

e sy

stem

.

X

Med

ium

FEM

A-I

T-08

39

FEM

-0

845

A

-IT

Dur

ing

our t

est w

ork,

we

note

d th

at a

pla

nned

upd

ate

and

subs

eque

nt te

stin

g of

the

Con

tinge

ncy

Plan

was

not

con

duct

ed a

nd th

at sy

stem

fail-

over

ca

pabi

lity

at th

e al

tern

ate

proc

essi

ng si

te h

ad n

ot

been

test

ed

Add

ition

ally

the

NFI

P )

was

not

upd

ated

to in

clud

e th

e a

nd

alte

rnat

e pr

oces

sing

faci

lity

or

criti

cal d

ata

files

and

rest

orat

ion

prio

ritie

s.

use

r acc

ess i

s not

man

aged

in a

ccor

danc

e w

ith a

ccou

nt m

anag

emen

t pro

cedu

res.

�

Upd

ate

and

test

the

Con

tinge

ncy

Plan

, cov

erin

g al

l crit

ical

pha

ses o

f the

pla

n in

acc

orda

nce

with

DH

S po

licy.

In

addi

tio

NFI

P sh

ould

con

duct

a te

st o

f the

syst

em

fail-

over

cap

abili

pr

oces

sing

site

.

n,

ty a

t the

alte

rnat

e

� R

evis

e th

e D

isas

ter R

ecov

ery

and

to

inco

rpor

ate

the

and

a

ltern

ate

proc

essi

ng fa

cilit

y an

d th

e cr

itica

l da

ta fi

les,

as w

ell a

s upd

ate

the

plan

s with

le

sson

s lea

rned

from

the

test

ing.

�

In su

ppor

t of t

he O

CFO

Pro

cedu

res f

or

Gra

ntin

g A

cces

s to

con

tinue

to

ensu

re th

e pr

oces

s for

gra

ntin

g or

mod

ifyin

g ac

cess

is m

onito

red

and

that

cha

nges

mad

e to

use

r pro

files

out

side

of t

he re

certi

ficat

ion

X

X

Med

ium

Hig

h

21

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

pr

oces

s are

doc

umen

ted

and

auth

oriz

su

perv

isor

s, pr

ogra

m m

anag

ers,

and

Con

tract

ing

Off

icer

’s T

echn

ical

ed b

y

Rep

rese

ntat

ives

. � �

Ensu

re th

at th

e D

atab

ase

Use

r A

cces

s Ins

truct

ion

is im

plem

ente

d co

nsis

tent

ly b

y re

quiri

ng th

at a

ll ex

istin

g an

d ne

w

use

rs c

ompl

ete

a cu

rren

t D

atab

ase

Use

r A

Com

plet

e th

e de

velo

pmen

t and

im

plem

enta

tion

of p

olic

ies a

nd p

roce

dure

s ov

er p

erio

dic

rece

rtific

atio

n of

all

user

cces

s For

m.

acce

ss to

the

dat

abas

e, a

nd

reta

in a

udita

ble

reco

rds i

n ac

cord

ance

with

D

HS

polic

es a

nd p

roce

dure

s as e

vide

nce

that

rece

rtific

atio

ns a

re c

ondu

cted

and

co

mpl

eted

per

iodi

cally

with

tim

elin

ess.

FEM

A-I

T-08

46

Th

e ex

istin

g M

emor

andu

m o

f Und

erst

andi

ng (M

OU

) w

ith th

e D

epar

tmen

t of T

reas

ury

expi

red

in O

ctob

er

2007

.

We

reco

mm

end

that

FEM

A c

ompl

ete

the

revi

ew, r

eaut

horiz

atio

n, a

nd re

-issu

ance

of a

cu

rren

t MO

U a

nd In

terc

onne

ctio

n Se

curit

y A

gree

men

t (IS

A) b

etw

een

the

Trea

sury

’s

Fina

ncia

l Man

agem

ent S

ervi

ce a

nd F

EMA

.

X L

ow

FEM

A-I

T-08

47

FEM

A-I

T-08

Bas

ed u

pon

our r

evie

w, w

e de

term

ined

that

the

ISA

bet

wee

n FE

MA

and

the

Smal

l Bus

ines

s A

dmin

istra

tion

(SB

A) e

xpire

d in

July

200

7 an

d ha

s not

bee

n re

auth

oriz

ed a

nd re

issu

ed, a

s req

uire

d by

DH

S po

licy.

The

vuln

erab

ilitie

s ide

ntifi

ed fr

om th

e sc

ans

Com

plet

e th

e re

auth

oriz

atio

n an

d re

issu

ance

of a

re

new

ed IS

A b

etw

een

FEM

A a

nd S

BA

, and

en

sure

that

the

ISA

is su

bseq

uent

ly re

view

ed,

upda

ted

as n

eces

sary

, and

reis

sued

tim

ely,

as

requ

ired

by D

HS

polic

y an

d/or

the

term

s of t

he

agre

emen

t.

We

reco

mm

end

that

FEM

A im

plem

ent a

pro

cess

X

X

Low

Med

ium

22

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

008

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e R

isk

Rat

ing*

48

re

not

repo

rted

and

track

ed v

ia D

HS’

PO

A&

M

oces

s. a pr

to

ens

ure

that

wea

knes

ses i

dent

ified

dur

ing

vuln

erab

ility

ass

essm

ent s

cans

of

are

form

ally

repo

rted

and

that

ass

ocia

ted

corr

ectiv

e ac

tions

are

dev

elop

ed a

nd tr

acke

d vi

a D

HS’

PO

A&

M p

roce

ss.

FEM

A

T-08

49

-I

foll

n

We

note

d th

at th

e so

ftwar

e w

as im

prop

erly

co

fn ig

ured

so th

at th

e us

er’s

abi

lity

to c

hang

e th

e ow

i g

setti

ngs h

ad n

ot b

een

disa

bled

: � � � �

viru

ses,

and

wor

ms o

n a

cont

inuo

us b

asi

whe

n W

indo

ws i

s sta

rted;

for a

utom

atic

ally

sc

anni

ng sy

stem

file

s for

thre

ats,

know

n s

auto

mat

ical

ly sc

anni

ng O

utlo

ok a

nd/o

r O

utlo

ok E

xpre

ss m

essa

ges f

or v

iruse

s.

for

ly

scan

ning

inco

min

g an

d ou

tgoi

ng L

otus

N

otes

mes

sage

s; a

nd

for a

utom

atic

al

inco

min

g an

d ou

tgoi

ng e

-mai

l mes

s ot

her t

han

Out

look

and

/or O

utlo

ok E

xpre

s

for s

cann

ing

all

ages

s.

knes

s rth

er

reco

mm

enda

tion

is re

quire

d.

Act

ion

was

take

n to

cor

rect

this

wea

ur

ing

the

audi

t per

iod.

No

fu

d X

M

ediu

m

FEM

A

T-08

50

-I

�

On

a da

ily b

asis

, an

auto

mat

ed re

port

of

dat

abas

e ac

tivity

con

duct

ed b

y us

ers

with

ele

vate

d “s

uper

user

” pr

ivile

ges i

s ge

nera

ted

and

emai

led

to th

e D

atab

ase

Adm

inis

trato

rs (D

BA

) and

FSS

per

sonn

el fo

r re

view

. H

owev

er, w

hile

this

repo

rt is

di

strib

uted

for r

evie

w b

y th

e D

BA

s and

FSS

staf

f, no

evi

denc

e th

at th

e re

view

s are

co

nduc

ted

is re

tain

ed.

the

We

reco

mm

end

that

FEM

A, i

n ac

cord

ance

with

FE

MA

and

DH

S po

licy,

con

tinue

to im

plem

ent

proc

edur

es o

ver a

udit

logg

ing

proc

esse

s for

app

licat

ion

and

data

base

and

reta

in

evid

ence

that

aud

it re

cord

s are

pro

activ

ely

revi

ewed

. Sp

ecifi

cally

, the

evi

denc

e sh

ould

pr

ovid

e a

reco

rd o

f rev

iew

that

at a

min

imum

no

tes t

he id

entit

y of

the

indi

vidu

al th

at re

view

he

log

(e.g

., in

itial

s), t

he d

ate

of re

vi

ed

ew, a

ndt

X

Med

ium

23

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

8

Rep

eat

Ris

kN

FR #

C

ondi

tion

Rec

omm

enda

tion

New

Issu

e Is

sue

Rat

ing*

fo

llow

up

actio

ns ta

ken,

if re

quire

d.

2200

.7,

�

We

note

d th

at w

hile

FEM

A In

stru

ctio

n U

ser A

cces

s Ins

truc

tion,

as

sign

s the

resp

onsi

bilit

y of

con

duct

ing

this

w

eekl

y re

view

to F

SS, F

EMA

per

sonn

el d

o

not f

orm

ally

doc

umen

t tha

t the

revi

ew is

co

nduc

ted.

FEM

A-I

T-08

W

e re

com

men

d th

at F

EMA

revi

se e

xist

ing

X

Hig

h �

We

note

d th

at th

e St

anda

rd O

pera

ting

51

proc

edur

es fo

r a

udit

logg

ing

to in

clud

e A

udit

Logs

doe

s not

com

preh

ensi

vely

add

ress

Pr

oced

ures

(SO

P) fo

r Han

dlin

g of

a

revi

ew o

f hig

hly-

priv

ilege

d an

d ad

min

istra

to r-

requ

irem

ents

of F

EMA

Dire

ctiv

e 14

0-1,

le

vel a

ctiv

ities

as r

equi

red

by F

EMA

and

DH

S FE

MA

Info

rmat

ion

Tech

nolo

gy S

ecur

ity

polic

y an

d en

sure

impl

emen

tatio

n of

all

Po

licy.

Spe

cific

ally

, the

SO

P do

es n

ot re

qu ire

re

quire

men

ts, i

nclu

ding

rete

ntio

n of

evi

denc

e of

th

e m

onito

ring

of m

odifi

catio

ns to

acc

ount

re

view

s of a

udit

logs

. ta

bles

and

oth

er h

ighl

y-pr

ivile

ged

and

ad

min

istra

tor-

leve

l act

iviti

es.

�

We

note

d th

at th

e SO

P re

quire

s dat

abas

e

adm

inis

trato

rs to

initi

al a

nd re

tain

prin

ted

logs

as

evi

denc

e th

at re

view

s are

con

duct

ed a

s re

quire

d. H

owev

er, F

EMA

info

rmed

us t

hat

this

por

tion

of th

e SO

P w

as n

ot b

eing

pe

rfor

med

.

FEM

A-I

T-08

Ex

istin

g pr

oced

ures

do

not p

rovi

de a

tim

efra

me

for

We

reco

mm

end

that

FEM

A fi

naliz

e an

d X

M

ediu

m

52

inst

allin

g pa

tche

s. Fi

naliz

atio

n an

d im

plem

ent p

roce

dure

s tha

t def

ine

the

timef

ram

e

impl

emen

tatio

n of

the

in

whi

ch se

curit

y pa

tche

s sho

uld

be in

stal

led.

-

FEM

A In

form

atio

n Se

curit

y V

ulne

rabi

lity

Man

agem

ent,

whi

ch sp

ecifi

es th

e tim

efra

me

for i

nsta

lling

secu

rity

patc

hes,

has b

een

dela

yed

due

to o

rgan

izat

iona

l cha

nges

. FE

MA

-IT-

08

Upo

n in

spec

tion

of th

e S

yste

m S

ecur

ity P

lan

We

reco

mm

end

that

FEM

A e

nsur

e th

at

X

Med

ium

24

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

8

Rep

eat

Ris

kN

FR #

C

ondi

tion

Rec

omm

enda

tion

New

Issu

e Is

sue

Rat

ing*

53

(S

SP) t

hat i

s a p

art o

f the

SS

P is

upd

ated

in a

ccor

danc

e w

ith D

HS

polic

y pa

ckag

e, w

e no

ted

that

the

serv

er

so th

at c

urre

nt sy

stem

com

pone

nts a

nd sy

stem

an

d ho

st n

ames

list

ed in

App

endi

x B

of t

he S

SP a

re

owne

rs a

re c

ompr

ehen

sive

ly d

ocum

ente

d in

the

no

t acc

urat

e. S

peci

fical

ly, t

he li

stin

g of

syst

em

plan

. co

mpo

nent

s is n

ot c

ompr

ehen

sive

, and

por

t ions

of

info

rmat

ion,

such

as s

yste

m o

wne

rs, a

re n

ot u

p to

da

te.

FEM

A-I

T-08

In

FY

200

8, w

e de

term

ined

that

NFI

P ha

d W

e re

com

men

d th

at N

FIP

ensu

re th

at te

stin

g X

M

ediu

m

54

docu

men

ted

and

impl

emen

ted

the

Syst

em

docu

men

tatio

n fo

r ch

ange

s is r

etai

ned

C

hang

e C

ontro

l Pro

cedu

res.

Dur

ing

the

audi

t, w

e

on fi

le in

acc

orda

nce

with

DH

S po

licy.

de

term

ined

that

two

(2)

cha

nges

had

bee

n

impl

emen

ted

sinc

e O

ctob

er 1

, 200

7. W

e ob

tain

ed

chan

ge d

ocum

enta

tion

for b

oth

chan

ges a

nd n

oted

th

at te

stin

g do

cum

enta

tion

was

not

reta

ined

for t

hese

ch

ange

s.

FEM

A-I

T-08

D

urin

g ou

r FY

200

8 te

st w

ork,

we

note

d th

at N

FIP

We

reco

mm

end

that

NFI

P en

sure

that

test

ing

of

X

Med

ium

55

do

cum

ente

d an

d im

plem

ente

d th

e N

FIP

Te ch

nica

l al

l cha

nges

is d

ocum

ente

d an

d re

tain

ed o

n fil

e in

Se

rvic

es D

epar

tmen

t Pro

duct

ion

Syst

ems C

ontro

l ac

cord

ance

with

DH

S an

d N

FIP

requ

irem

ents

. U

nit P

roce

dure

s tha

t pro

vide

gui

danc

e on

im

plem

entin

g ch

ange

s int

o th

e pr

oduc

tion

en

viro

nmen

t. W

e se

lect

ed fo

r tes

ting

eigh

t (8)

ch

ange

s tha

t had

bee

n im

plem

ente

d si

nce

Oct

ober

1,

2007

. O

f the

eig

ht (8

) tes

ted,

we

iden

tifie

d th

at te

st

resu

lts w

ere

not a

vaila

ble

for o

ne (1

) cha

nge.

* R

isk

ratin

gs a

re o

nly

inte

nded

to a

ssis

t man

agem

ent i

n pr

iori

tizin

g co

rrec

tive

actio

ns.

Ris

k ra

tings

in th

is c

onte

xt d

o no

t cor

rela

te to

de

finiti

ons o

f con

trol

def

icie

ncie

s as i

dent

ified

by

the

AIC

PA.

25

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FE

MA

Com

pone

nt o

f the

FY

200

8 D

HS

Fina

ncia

l Sta

tem

ent A

udit

Appendix C


September 30, 2008

Appendix C

Status of Prior Year Notices of Findings and Recommendations and Comparison To Current Year Notices of Findings and Recommendations

26 Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial

Statement Audit

Appendix C


September 30, 2008

Disposition

NFR No. Description Closed Repeat

FEMA-IT07-01

During our technical testing, patch management weaknesses were identified on Integrated , and systems.

X

FEMA-IT07-02

During our technical testing, configuration management weaknesses were identified on , and key support servers.

FEMA-IT08-02

FEMA-IT07-03

We determined that the Financial Services Section (FSS) has created procedures to review user access on a semi-annual basis for appropriateness of access privileges granted to employees or contractors within their organization. Additionally, we noted that a recertification of all

users, which is also their semi-annual review of user access, began in June 2007. Currently, FSS is in the process of validating access for users who responded to FSS’ recertification request. In addition, FSS is locking out the users who did not respond. We determined that the recertification of all existing users has not been completed for FY 2007.

FEMA-IT08-03

FEMA-IT07-04

The FEMA alternate processing site located in is not operational for FEMA is in the process of setting up a

) to replicate data from the production server at and send it to the servers in . Currently the is not complete and therefore, the facility does not have the capability of functioning as the alternate processing site for if a disaster were to occur.

X

FEMA-IT07-05

The Security Test & Evaluation did not provide adequate documentation of the results to the accrediting authority and that the prior year weakness still exists.

X

FEMA-IT07-06

There are not formal, documented procedures in place to require updates to the system documentation as functions are added, deleted, or modified.

FEMA-IT08-06

FEMA-IT07-07

We determined that FEMA has identified the ) as the alternate processing facility for ;

however, it will not be fully operational until September 2007. Therefore, we determined that the contingency plan has not undergone a full-scale test to show that the system can be brought back to an operational state at the designated alternate site.

X

FEMA-IT07-08

We determined that the FEMA has not been updated to include the new listing of FEMA mission critical IT systems as outlined in the Information Technology Services Directorate

X


Statement Audit

Appendix C


September 30, 2008

Disposition


Implementation Plan.

FEMA-IT07-09

We noted that FEMA has begun to standardize all user workstations to with installed, which would ensure

that all settings are properly applied to all users. Currently, FEMA is upgrading older user workstations to or providing users with new workstations. However, we noted that this process will not be fully complete until January 2008. This weakness impacts

We noted that FEMA users are locked out of the system at the domain level after three (3) consecutive failed login attempts; however, the user account becomes unlocked and active again after five (5) minutes of inactivity.

X

FEMA-IT07-10

We determined that FEMA has begun to standardize all user workstations to with installed, which would ensure

that all settings are properly applied to all users. Currently, FEMA is upgrading older user workstations to or providing users with new workstations. However, we noted that this process is not fully completed, and FEMA has estimated this process will not be completed until January 2008.

This weakness impacts

X

FEMA-IT- We noted that passwords for the application can be re-used after six (6) X 07-11 iterations which is not in compliance with DHS 4300A.

FEMA-IT07-12

We determined that the FEMA Chief Information Officer (CIO) provided procedures to all Office Directors, Regional Directors and FEMA Coordinating Officers for the periodic review of all accounts and position assignments on June 28, 2007. We noted that detailed procedures are listed for the review of accounts; however, the procedures do not state the frequency of this review.

We noted that this review began on June 29, 2007 with a deadline of July 26, 2007 for accepting responses from users recertifying their accounts. Therefore, risk of unauthorized users accessing was present for a majority of the fiscal year.

FEMA-IT08-12

FEMA-IT- We determined that the FSS has created procedures to review user FEMA-IT07-13 access on a semi-annual basis for appropriateness of access privileges granted 08-13

to employees or contractors within their organization. Additionally, we noted that a recertification of all users was performed in June 2007.


Statement Audit

Disposition


Currently, FSS is in the process of validating access for the users who responded to FSS’ recertification request and locking out the users who did not respond. We determined that the recertification of all existing

users is not yet complete for FY 2007.

We determined that the FEMA CIO provided procedures to all Office Directors, Regional Directors and FEMA Coordinating Officers for the

periodic review of all accounts and position assignments on June 2 8, 2007. However, the procedures do not state the frequency of this review .

Furthermore, we noted that this review began on June 29, 2007 with a deadline of July 26, 2007 for accepting responses from users recertifying their

accounts. Therefore, the risk of unauthorized users accessing was present for a majority of the fiscal year.

We noted that twenty-seven (27) terminated or separated FE MA employees and contractors maintain active user accounts.

We noted that seven hundred seventy (770) terminated or separated FEMA employees and contractors maintain active user accounts.

FEMA-IT We determined that IT Operations has created backup procedures entitled, X07-14 , for and dated July 27,

2007. However, we noted that the procedures were finalized on July 27, 2007, and that the risk was present for a majority of the fiscal year.

We noted that both and backup tapes are not rotated off-site to the .

We noted that the FEMA alternate processing site located in is not operational for We also noted that the back-up facility has

redundant servers in place for the Database in June 2007. Therefore, the risk was present for a majority of the fiscal year.

FEMA-IT - We determined that FEMA created the X 07 -15 , , dated June 29, 2007. We noted that this plan was in draft

form and that it does not fully identify the configuration management process of

We determined that FEMA created the Supplemental Security Policy to the DHS 4300A and 4300B, which details policies for restricting access to the sy stem software of FEMA IT systems. However, we noted that the draft

policy is dated June 14, 2007.

We noted that procedures over restricting access to system software

Appendix C


September 30, 2008


Statement Audit

September 30, 2008

Disposition


entitled, Procedures, and management procedures were approved on June 29, 2007. Honoted that the risk was present for a majority of the fiscal year,the NFR will be re-issued for FY 2007.

patch wever, we and as a result,

FEMA-IT - FEMA created the Supplemental Security Policy to the DHS 4300A and X 07-16 4 300B, which details policies for restricting access to system software.

However, we noted that the policy is in draft and dated June 14, 2007.

FEMA has not documented procedures for restricting access to system software.

FEMA-IT - We determined that FEMA created a Standard FEMA-IT07 -17 Operating Procedures (SOP) for However, the

SOP was approved by the OCFO on June 29, 2007. Furthermore, we noted the evidence that the “ ” account was locked within the e nvironment on July 24, 2007. Therefore, we noted that the risk was present for a majority of the fiscal year.

08-17

FEMA-IT - FEMA created the Supplemental Security Policy to the DHS 4300A and X07 -18 4300B detailed policies for investigating and reportin g any suspicious

activity detected when reviewing audit logs. However, we noted that the policy is dated June 14, 2007 and is in draft form.

emFEMA has not documented specific procedures to review suspicious syst software activity and access controls for

FEMA-IT -07 -19

FEMA-IT07-20

FEMA created the Supplemental Security Policy to the DHS 4300A and 4300B detailed policies for monitoring sensitive access and investigating and reporting any suspicious activity detected when reviewing audit logs. However, we noted that the policy is dated June 14, 2007 and is in draft form.

t documented procedures to monitor and review sensitive access, FEMA has no ies system software utilities and suspicious system software and access activit

for

FEMA has adopted the DHS for This policy establishes required practices for managing DHS IT systems and infrastructure solutions through a progression of activities for initiation, planning, development, testing, implementation, operation, maintenance, and retirement. However, we noted that the policy is dated January 27, 2006 an dis in draft form.

FEMA-IT08-19

X

Appendix C



Statement Audit

Disposition


FEMA-IT07-21

FEMA has adopted the DHS for This policy establishes required practices for managing DHS IT systems and infrastructure solutions through a progression of activities for initiation,

lanning, development, testing, implementation, operation, maintenance, and p retirement. However, we noted that the policy is dated January 27, 2006 and is in draft form.

X

FEMA-IT07-22

FEMA did not have an operational alternate processing site for for a ajority of the fiscal year. We determined that the alternate processing site in m

has redundant servers in place for the Database effective as of June 2007.

FEMA-IT08-22

FEMA-IT07-23

FEMA lacks backup testing procedures. Additionally, we determined that the backups are not periodically tested.

FEMA-IT08-23

FEMA-IT07-24

FEMA lacks backup testing procedures. Additionally, we determined that the backups are not periodically tested.

FEMA-IT08-24

FEMA-IT07-25

We noted that the contingency plan has not been tested on an annu al basis, per DHS 4300A.

FEM -ITA 08-25

FEMA-IT07-26

During our review of user access rights for the approval of we noted that excessive access rights existed. Specifically,

we determined that three (3) people were authorized to approve s; however, one (1) individual was transferred to another DHS

agency. Therefore, this person’s job responsibilities no longer required this al a current FEMA employee. access nor was this individu

eUpon notification of this issue, FEMA took corrective action and removed th individual’s access rights.

X

FEMA-IT07-27

We noted that testing documentation for application level changes is not consistently documented or performed timely.

X

FEMA-IT Per DHS 4300A, all changes to major applications must be formally FEMA-IT07-28 approved, te sted and documented prior to the change being implemented. For

the test of this control, we selected a sample of nine (9) application level changes. We noted that one (1) out of the sample did not have testing

performed.

08-28

FEMA-IT We noted that the Technical Review Committee ( ) approvals for FEMA-IT07-29 application level emergency changes are not consistently documented.

Specifically, we determined that five (5) out of a sample of eight (8) application level emergency changes did not gain approval.

08-29

Appendix C


September 30, 2008


Statement Audit

Disposition


FEMA-IT- We determined that excessive access is designed to be permitted within X 07-30 to make offline changes to the general ledger account tables via the

Group. We identified six (6) users in the group that have the ability to make

offline changes to the general ledger account tables, which are not within their job responsibilities.

FEMA-IT does not timeout after a period of inactivity. Additionally, we X 07-31 determined that all workstations use a password protected screensaver

after fifteen (15) minutes of inactivity, which is not in compliance with DHS 4300A.

access is not reviewed on a periodic basis to determine if access is valid and commensurate with job responsibilities.

FEMA-IT While a standard form has been developed for documenting change X 07-32 requests, change management procedures have not been

documented.

System software change management procedures have not been devel oped or implemented. Additionally, installation of the operating system upgrade i n FY 2007 was not formally documented or approved.

FEMA-IT NFIP has made improvements in the area of Administrator account X 07-33 management. However, we noted that system activity logs are not being

reviewed. FEMA-IT NFIP has updated the X

07-34 baseline configuration document. However, we noted tha t procedures have not been developed which require approvals prior to

implementation. Additionally, of 30 changes selected, 14 changes did not have documented Operations Service Request forms or document ed approvals.

FEMA-IT A system programmer had write access to the X 07-35 and datasets of the

production member. NFIP removed the system programmer’s access shortly after this finding was identified.

FEMA-IT- Access to the excel files is excessive. Specifically, X 07-36 we identified that modify and write access permissions to the excel files a re

inappropriate for five individuals of the Bureau of Finance and Statistical Control group.

Appendix C


September 30, 2008


Statement Audit

September 30, 2008

Disposition


FEMA-IT-07-37

We noted there is excessive access to application software and support files. Specifically, we noted that all individuals within the Bureau of Finance and Statistical Control group have modify and write access to the

application software and support files.

X

FEMA-IT07-38

NFIP has not documented incompatible duties within developed policy and procedures regarding segregation of duties, or implemented segregation of duties controls within . All users of have f ull application level access.

FEMA-IT08-38

FEMA-IT The contingency plan has not been tested. As a result, the system FEMA-IT07-39 fail-over capability for the alternate processing site has not been

tested.

The NFIP Disaster Recovery and COOP does not identify the following:

The and alternate processing facility; and critical data files are not documented.

08-39

FEMA-IT-07-40

FEMA-IT-07-41

The rules of behavior (ROB) forms are not consistently signed prior to users gaining access to the NFIP Bureau ). Specifically, we determined that three (3) out of a sample of twelve (12) new NFIP Bureau

users did not sign the ROB prior to obtaining NFIP Bureau access.

We determined that policies and procedures over periodic review of access lists have been documented. However, we noted that the periodic review determining if logical user access is valid and consistent with job

responsibilities is not effective as an instance of excessive system developer access was identified within

X

X

FEMA-IT-07-42

We determined that periodic review policies and procedures have not been developed for access to the NFIP Bureau room. As a result, we noted that there are two (2) employees with excessive access to the NFIP Bureau

room.

X

FEMA-IT-07-43

The NFIP Bureau has been configured to permit users to reuse prior passwords after five (5) iterations which is not in compliance with the DHS 4300A.

X

FEMA-IT-07-44

We noted that proactive vulnerability scanning is not performed over backend database or the NFIP Bureau .

X

Appendix C



Statement Audit

Appendix D


September 30, 2008

Appendix D

Management Comments


Statement Audit

Appendix D


September 30, 2008


Statement Audit


September 30, 2008

Report Distribution

Department of Homeland Security

Secretary Acting Deputy Secretary Chief of Staff for Operations Chief of Staff for Policy Acting General Counsel Executive Secretariat Under Secretary, Management Acting Administrator, FEMA DHS Chief Information Officer DHS Chief Financial Officer Chief Financial Officer, FEMA Chief Information Officer, FEMA Chief Information Security Officer Assistant Secretary, Policy Assistant Secretary for Public Affairs Assistant Secretary for Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison FEMA Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate


Statement Audit

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at [email protected]; or

• Write to us at: DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.

Documents

Department of Homeland Security Ofﬁce of Inspector General · Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of