FBI systems still need work, IG says

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2003/1013/web-ig-10-15-03.asp

By Sara Michael 
Oct. 15, 2003

The FBI's technology systems still suffer from weak security planning 
and management and inefficient access controls, according to a Justice 
Department Inspector General report released Oct. 14.

The bureau has been the subject of numerous information technology 
audits listing hundreds of recommendations over the years, and it 
needs a process to ensure those studies are followed up, the report 
says.

"For years, reviews have found major weaknesses associated with the 
FBI's IT," Inspector General Glenn Fine said in the report. "The FBI 
has made upgrading its [IT] one of its top 10 priorities."

Since September 2002, the FBI has been developing ways to document the 
audits and follow-up procedures, the report said. The FBI's Inspection 
Division developed a database -- the Automated Response and Compliance 
System -- to document and track data requests from auditors and 
provide the status of improvements.

FBI officials should develop procedures to follow up audit 
recommendations, and ensure the compliance system is complete, Fine 
said. The bureau should show that managers are held accountable for 
making changes by quickly closing auditors' recommendations, the 
report states.

The office interviewed personnel with the FBI, inspector general and 
General Accounting Office and reviewed more than 100 documents on the 
process for tracking the resolution of the recommendations, the report 
states.

Although the FBI has implemented many recommendations from inspector 
general reports since 1990, recent reviews found "repeated 
deficiencies" in compliance with information security requirements, 
the report states. As of April, the FBI had weaknesses in protecting 
sensitive information and guarding against fraudulent financial 
transactions or unauthorized software changes.

The inspector general also found the FBI fixed about one-fourth of the 
deficiencies cited in a fiscal 2001 audit on compliance with the 
Government Information Security Reform Act of 2000. However, the 
bureau still has problems with security policies, network backup and 
restoration controls, password management, log-on management, and 
system patches, Fine wrote.

The report also identifies two factors that could affect the success 
of the FBI's Virtual Case File system, the automated case support 
system to be completed in December as part of the bureau's Trilogy 
modernization project. The technical requirements have not been 
defined for the system's second and third releases, which could pose a 
problem, the report said.

"We believe the lack of technical, cost and schedule baselines not 
only creates uncertainties for how much the [system] will cost and 
when it will be completed, but also how it will perform upon 
implementation," Fine wrote.

Meeting the technical requirements and ensuring the system's 
acceptance by agents are necessary for its success, the report states.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.