Assessing Information System Vulnerabilities and Risk

zzz2012

Description

I need APA Citations 6 References for both SAR and RAR papers.

  • Security Assessment Report (SAR): This should be an 8-10 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
  • Risk Assessment Report (RAR): This report should be a 5-6 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

______________________________________________________

Attached is OIG Audit Report. This OIG Audit Report and recommendations on the OPM Breach should help to develop Enterprise Level Security Plans.

Attached is a suggested outline and alternative templates for the Project 3 SAR and RAR. Again, these are just guidelines, you can adapt them anyway you like, as long as you address the questions/requirements for the project. I hope these help.

You are an Information Assurance Management Officer (IAMO) at an organization of your choosing. One morning, as you're getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive at work, you head straight to Karen's office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There's been a security breach at the Office of Personnel Management. We don't know how this happened, but we need to make sure it doesn't happen again. You'll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.” At your desk, you open Karen's email. She's given you an OPM report from the Office of the Inspector General (OIG). Having studied the OPM OIG report, you find that the hackers were able to gain access through compromised credentials. The security breach could have been prevented if the Office of Personnel Management (OPM) had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas, and that access could have been identified by running regularly scheduled scans of the systems. Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report (SAR). You will also create a Risk Assessment Report (RAR), in which you identify threats, vulnerabilities, risks, likelihood of exploitation, and suggested remediation.

The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls). The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements that are sure to follow in order to stay in step with ever-changing information system technologies.

The data breach at the Office of Personnel Management (OPM) is one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Lapses in critical security practices, such as a lack of diligence in applying security controls and in managing changes to the information systems infrastructure, were cited as contributors to the massive data breach in the OPM Office of the Inspector General's (OIG) Final Audit Report, which can be found through open-source searches. Some of the findings in the report include: weak authentication mechanisms; lack of a plan for life-cycle management of the information systems; lack of a configuration management and change management plan; lack of an inventory of systems, servers, databases, and network devices; lack of mature vulnerability scanning tools; lack of valid authorizations for many systems; and lack of plans of action to remedy the findings of previous audits.

The breach ultimately resulted in removal of OPM's top leadership. The impact of the breach on the livelihoods of millions of people is ongoing and may never be fully known. There is a critical need for security programs that can assess vulnerabilities and provide mitigations.

There are nine steps that will help you create your final deliverables. The deliverables for this project are as follows:

  • Security Assessment Report (SAR): This should be an 8-10 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
  • Risk Assessment Report (RAR): This report should be a 5-6 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
  • In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

  • 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
  • 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
  • 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
  • 1.4: Tailor communications to the audience.
  • 1.5: Use sentence structure appropriate to the task, message and audience.
  • 1.6: Follow conventions of Standard Written English.
  • 5.2: Knowledge of architectural methodologies used in the design and development of information systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
  • 5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
  • 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
  • 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
  • 8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.

Step 1: Enterprise Network Diagram

During Project One, you researched a hypothetical or actual organization of your choice. You had to understand the goals of the organization and the types of systems that would fulfill those goals. You will now research and learn about types of networks and their secure constructs that may be used in organizations to accomplish the functions of the organization’s mission. You will propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. Discuss the security benefits of your chosen network design.

Read about the following computing platforms available for networks and discuss how these platforms could be implemented in your organization. Include the rationale for all platforms you choose to include in your network design.

  • common computing platforms
  • cloud computing
  • distributed computing
  • centralized computing
  • secure programming fundamentals

Step 2: Enterprise Threats

Review the OIG report on the OPM breach that you were asked to research and read about at the beginning of the project. The OIG report included numerous security deficiencies that likely left OPM networks vulnerable to being breached. In addition to those external threats, the report also describes the ways OPM was vulnerable to insider threats. The information about the breach could be classified as threat intelligence. Define threat intelligence and explain what kind of threat intelligence is known about the OPM breach.

You just provided detailed background information on your organization. Next, you’ll describe threats to your organization’s system. Before you get started, select and explore the contents of the following link: insider threats (also known as internal threats). As you’re reading, take note of which insider threats are a risk to your organization.

Now, differentiate between the external threats to the system and the insider threats. Identify where these threats can occur in the previously created diagrams. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization?

Step 3: Scanning the Network

Note: You will use the tools in Workspace for this step. If you need help outside the classroom to complete this project, register for CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration information). Primary lab assistance is available from a team of lab assistants. Lab assistants are professionals and are trained to help you.

Click here to access the instructions for Navigating the Workspace and the Lab Setup.

Select the following link to enter Workspace and complete the lab activities related to network vulnerabilities.

You will now investigate network traffic, and the security of the network and information system infrastructure overall. Past network data has been logged and stored, as collected by a network analyzer tool such as Wireshark. Explore the tutorials and user guides to learn more about the tools you will use. Click the following link to read more about these network monitoring tools: Tools to Monitor and Analyze Network Activities.

You will perform a network analysis on the Wireshark files provided to you in Workspace and assess the network posture and any vulnerability or suspicious information you are able to obtain. Include this information in the SAR.

You will then return to the lab in order to identify any suspicious activities on the network, through port scanning and other techniques. You will revisit the lab and lab instructions in Step 7: Suspicious Activity.

Click here to access the Project 3 Workspace Exercise Instructions.

In order to validate the assets and devices on the organization's network, run scans using security and vulnerability assessment analysis tools such as MBSA, OpenVAS, Nmap, or Nessus depending on the operating systems of your organization's networks. Live network traffic can also be sampled and scanned using Wireshark on either the Linux or Windows systems. Wireshark allows you to inspect all OSI layers of traffic information. Further analyze the packet capture for network performance, behavior, and any suspicious source and destination addresses on the networks.

In the previously created Wireshark files, identify if any databases had been accessed. What are the IP addresses associated with that activity? Include this information in the SAR.
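As an added illustration of the database-access check asked for above (this is example code written for this edit, not part of the course materials or the Workspace lab), the following Python script builds a small constructed packet capture in memory, parses it with the standard library only, and lists which client addresses opened TCP connections to well-known database listener ports. The port-to-engine table, the sample addresses, and the classic-pcap layout are assumptions of the example; against the real Wireshark files you would read the file bytes and pass them to find_database_access() instead of the constructed sample.

```python
import struct
from collections import defaultdict

# Default listener ports of common RDBMS engines (assumption: the databases
# in the capture listen on their defaults; add your organization's ports).
DB_PORTS = {
    1433: "MSSQL",
    1521: "Oracle",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
}


def build_frame(src_ip, dst_ip, src_port, dst_port, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame with no payload (test data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, flags, 65535, 0, 0)              # data offset 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield raw frames from classic pcap bytes, honouring the byte order the magic implies."""
    # A little-endian writer stores magic 0xA1B2C3D4 as bytes d4 c3 b2 a1.
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, flags) for IPv4/TCP frames, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 6:                      # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return src, dst, src_port, dst_port, tcp[13]


def find_database_access(pcap_bytes):
    """Count connection attempts (SYN without ACK) per (client, server, engine)."""
    hits = defaultdict(int)
    for frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _, dport, flags = parsed
        if (flags & 0x12) == 0x02 and dport in DB_PORTS:   # SYN set, ACK clear
            hits[(src, dst, DB_PORTS[dport])] += 1
    return dict(hits)


# Constructed sample capture: one MySQL handshake, two MSSQL SYNs from a
# second client, and one HTTPS connection that should not be reported.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.1.20", 51000, 3306, 0x02),     # SYN
    build_frame("10.0.1.20", "10.0.0.5", 3306, 51000, 0x12),     # SYN-ACK
    build_frame("10.0.0.5", "10.0.1.20", 51000, 3306, 0x10),     # ACK
    build_frame("192.168.7.9", "10.0.1.21", 40211, 1433, 0x02),  # SYN
    build_frame("192.168.7.9", "10.0.1.21", 40211, 1433, 0x02),  # SYN retransmit
    build_frame("10.0.0.5", "10.0.1.30", 51001, 443, 0x02),      # not a database
])

if __name__ == "__main__":
    for (client, server, engine), n in sorted(find_database_access(SAMPLE_PCAP).items()):
        print(f"{client} -> {server} ({engine}): {n} connection attempt(s)")
```

The parser understands only the classic pcap format; Wireshark saves in pcapng by default, so export the lab captures as classic pcap first. Counting SYN-without-ACK segments rather than every packet gives one entry per connection attempt, which is the figure worth quoting in the SAR alongside the client and server addresses.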

Step 4: Identifying Security Issues

You have a suite of security tools, techniques, and procedures that can be used to assess the security posture of your organization's network in a SAR.

Now it's time to identify the security issues in your organization's networks. You have already used password cracking tools to crack weak and vulnerable passwords. Provide an analysis of the strength of passwords used by the employees in your organization. Are weak passwords a security issue for your organization?

Step 5: Firewalls and Encryption

Next, examine these resources on firewalls and on auditing the Relational Database Management System (RDBMS), i.e., the database system and its data. Also review these resources related to access control.

Determine how firewalls, encryption, and RDBMS auditing could assist in protecting information and in monitoring the confidentiality, integrity, and availability of the information in the information systems.

Reflect any weaknesses found in the previously created network and information system diagrams, as well as in the SAR you are developing.

Step 6: Threat Identification

You know of the weaknesses in your organization's network and information system. Now you will determine various known threats to the organization's network architecture and IT assets.

Get acquainted with the following types of threats and attack techniques. Which are a risk to your organization?

  • IP address spoofing/cache poisoning attacks
  • denial of service attacks (DoS)
  • packet analysis/sniffing
  • session hijacking attacks
  • distributed denial of service attacks

In identifying the different threats, complete the following tasks:

  • Identify the potential threat actors behind these attacks on vulnerabilities in networks and information systems, and the remediation and mitigation techniques available in your industry and for your organization.
  • Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.
  • Also discuss the value of using access control, database transaction and firewall log files.
  • Identify the purpose and function of encryption, as it relates to files and databases and other information assets on the organization's networks.

Include these in the SAR.

Step 7: Suspicious Activity

Note: You will utilize the tools in Workspace for this step.

Hackers frequently scan the Internet for computers or networks to exploit. An effective firewall can prevent hackers from detecting the existence of networks: hackers continue to scan ports, but if a port returns no response and no connection is established, the hacker will move on. The firewall can block unwanted traffic, and Nmap can be used to self-scan to test how the organization's network responds to would-be hackers.

Select the following link to enter Workspace and conduct the port scanning. Return to the lab instructions by clicking here to access the Project 3 Workspace Exercise Instructions.

Step 8: Risk and Remediation

What is the risk and what is the remediation? What is the security exploitation? You can use the OPM OIG Final Audit Report findings and recommendations as a possible source for methods to remediate vulnerabilities.

Read this risk assessment resource to get familiar with the process, then prepare the risk assessment. Be sure to first list the threats, then the vulnerabilities, and then make pairwise comparisons of each threat and vulnerability, determining the likelihood of that event occurring and the level of impact it would have on the organization. Use the OPM OIG Final Audit Report findings as a possible source for potential mitigations. Include this in the risk assessment report (RAR).
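The pairwise threat/vulnerability scoring described above, worked through in Python as an added example (this is not part of the course materials or the risk assessment resource it refers to). The five-level ordinal scales, the thresholds that turn a score into a risk level, and the sample threats and vulnerabilities, which paraphrase OIG findings quoted earlier on this page, are all assumptions of this example; the final function shows how a proposed mitigation changes the residual score, which feeds the remediation and cost/benefit part of the RAR.

```python
from dataclasses import dataclass
from itertools import product

# Assumed ordinal scales for likelihood and impact (five levels, in the
# style of NIST SP 800-30 Rev. 1); the course resource may define its own.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # vulnerability categories this threat source can act on


@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str
    impact: str  # impact level on the organization if exploited


def risk_level(score):
    """Bucket a likelihood x impact product (1..25) into a qualitative level (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    if score >= 4:
        return "low"
    return "very low"


def assess(threats, vulns, likelihood_of):
    """Pairwise comparison of every threat against every vulnerability.

    likelihood_of(threat, vuln) returns the likelihood label for that pair.
    Pairs where the threat cannot act on the vulnerability's category are
    left out rather than scored, so the register lists only credible pairings.
    Rows come back sorted with the highest risk first.
    """
    rows = []
    for t, v in product(threats, vulns):
        if v.category not in t.exploits:
            continue
        likelihood, impact = LEVELS[likelihood_of(t, v)], LEVELS[v.impact]
        score = likelihood * impact
        rows.append({"threat": t.name, "vulnerability": v.name,
                     "likelihood": likelihood, "impact": impact,
                     "score": score, "level": risk_level(score)})
    rows.sort(key=lambda r: (-r["score"], r["threat"], r["vulnerability"]))
    return rows


def after_remediation(row, new_likelihood):
    """Residual risk for a row once a mitigation lowers the likelihood (impact unchanged)."""
    score = LEVELS[new_likelihood] * row["impact"]
    return {**row, "likelihood": LEVELS[new_likelihood],
            "score": score, "level": risk_level(score)}


# Constructed sample register, paraphrasing findings from the OIG report.
SAMPLE_THREATS = [
    Threat("External actor using compromised credentials",
           frozenset({"authentication", "remote access"})),
    Threat("Malicious insider", frozenset({"authentication", "asset management"})),
]
SAMPLE_VULNS = [
    Vulnerability("Multi-factor authentication not required for system access",
                  "authentication", "very high"),
    Vulnerability("No comprehensive inventory of servers, databases and network devices",
                  "asset management", "high"),
    Vulnerability("VPN servers do not terminate idle remote sessions",
                  "remote access", "moderate"),
]
# Assumed likelihood judgements for specific pairs; any other credible pair defaults to moderate.
SAMPLE_LIKELIHOOD = {
    ("External actor using compromised credentials",
     "Multi-factor authentication not required for system access"): "high",
    ("Malicious insider",
     "Multi-factor authentication not required for system access"): "low",
}


def sample_likelihood(threat, vuln):
    return SAMPLE_LIKELIHOOD.get((threat.name, vuln.name), "moderate")


if __name__ == "__main__":
    for r in assess(SAMPLE_THREATS, SAMPLE_VULNS, sample_likelihood):
        print(f'{r["level"]:>8} ({r["score"]:2d})  {r["threat"]}  ->  {r["vulnerability"]}')
```

Keeping the likelihood judgement in a separate function makes the subjective part of the assessment explicit and easy to revisit, while the scoring and ranking stay mechanical; the sorted rows map directly onto the RAR table, and after_remediation() gives the "after" column for each proposed mitigation.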

Step 9: Creating the SAR and RAR

Your research and Workspace exercise have led you to this moment: creating your SAR and RAR. Consider what you have learned in the previous steps as you create your reports for leadership.

Prepare a Security Assessment Report (SAR) with the following sections:

  • Purpose
  • Organization
  • Scope
  • Methodology
  • Data
  • Results
  • Findings

The final SAR does not have to stay within this framework, and can be designed to fulfill the goal of the security assessment.

Prepare a Risk Assessment Report (RAR) with information on the threats, vulnerabilities, likelihood of exploitation of security weaknesses, impact assessments for exploitation of security weaknesses, remediation, and cost/benefit analyses of remediation. Devise a high-level plan of action with interim milestones (POAM), in a system methodology, to remedy your findings. Include this high-level plan in the RAR. Summarize the results you obtained from the vulnerability assessment tools (i.e., MBSA and OpenVAS) in your report.

The deliverables for this project are as follows:

  • Security Assessment Report (SAR): This should be an 8-10 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
  • Risk Assessment Report (RAR): This report should be a 5-6 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
  • In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

Submit your deliverables to the assignment folder.

Unformatted Attachment Preview

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Federal Information Security Modernization Act Audit FY 2015 Report Number 4A-CI-00-15-011 November 10, 2015 -- CAUTION -This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. EXECUTIVE SUMMARY Federal Information Security Modernization Act Audit – FY 2015 Report No. 4A-CI-00-15-011 November 10, 2015 Why Did We Conduct the Audit? What Did We Find? Our overall objective was to evaluate OPM’s security program and practices, as required by the Federal Information Security Modernization Act (FISMA). Specifically, we reviewed the status of OPM’s information technology security program in accordance with the Department of Homeland Security’s (DHS) FISMA Inspector General reporting instructions. In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. For many years we have reported critical weaknesses in OPM’s ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach. In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements. What Did We Audit? 
The Office of the Inspector General (OIG) has completed a performance audit of OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s guidance and the corresponding reporting instructions. Our audit was conducted from April through September 2015 at OPM headquarters in Washington, D.C. During this audit we did close a long-standing recommendation related to OPM’s information security management structure. However, this audit also determined that there has been a regression in OPM’s management of its system Authorization program, which we classified as a material weakness in the FY 2014 FISMA audit report. In April 2015, the Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency’s IT security program. The moratorium on Authorizations will result in the IT security controls of OPM’s systems being neglected. Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack. Additionally, OPM’s inability to accurately inventory its systems and network devices drastically diminishes the effectiveness of its security controls. OPM has implemented a large number of improved security monitoring tools, but without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced. The following page outlines the additional issues that we identified during this FY 2015 FISMA audit. 
_______________________ Michael R. Esser Assistant Inspector General for Audits i EXECUTIVE SUMMARY Federal Information Security Modernization Act Audit – FY 2015 Summary of FY 2015 FISMA Results  The significant deficiency related to information security governance has been dropped due to the reorganization of the Office of the Chief Information Officer (OCIO).  OPM’s system development life cycle policy is not enforced for all system development projects.  OPM does not maintain a comprehensive inventory of servers, databases, and network devices.  Up to 23 major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM’s IT security program.  OPM does not have a mature continuous monitoring program. Also, security controls for all OPM systems are not adequately tested in accordance with OPM policy.  The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.  We are unable to independently attest that OPM has a mature vulnerability scanning program.  Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.  OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.  OPM has not fully established a Risk Executive Function.  Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.  Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days overdue. 
 OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.  Not all OPM systems have reviewed their contingency plans or conducted contingency plan tests in FY 2015.  Several information security agreements between OPM and contractor-operated information systems have expired. ii ABBREVIATIONS Authorization CDM CISO DHS DSO ENSOC FIPS FISMA FY IOC ISA ISCM ISSO IT LAN MOU/A NIST Security Assessment and Authorization Continuous Diagnostic and Mitigation Chief Information Security Officer Department of Homeland Security Designated Security Officer Enterprise Network Security Operations Center Federal Information Processing Standards Federal Information Security Modernization Act Fiscal year Internal Oversight and Compliance Interconnection Security Agreements Information Systems Continuous Monitoring Information System Security Officer Information Technology Local area network Memorandum of Understanding/Agreement National Institute for Standards and Technology OCIO OIG OMB OPM POA&M SDLC SIEM SP US-CERT VPN Office of the Chief Information Officer Office of the Inspector General Office of Management and Budget Office of Personnel Management Plan of Action and Milestones System Development Life Cycle Security information and event management Special Publication United States Computer Emergency Readiness Team Virtual private network iii TABLE OF CONTENTS IV. MAJOR CONTRIBUTORS TO THIS REPORT Page EXECUTIVE SUMMARY ......................................................................................... i ABBREVIATIONS .................................................................................................... iii I. BACKGROUND ..........................................................................................................1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2 III. 
AUDIT FINDINGS AND RECOMMENDATIONS.................................................5 A. Information Security Governance ...........................................................................6 B. Security Assessment and Authorization ..................................................................9 C. Continuous Monitoring..........................................................................................12 D. Configuration Management ...................................................................................14 E. Identity and Access Management ..........................................................................19 F. Incident Response and Reporting ..........................................................................21 G. Risk Management ..................................................................................................23 H. Security Training ..................................................................................................25 I. Plan of Action & Milestones..................................................................................26 J. Remote Access Management.................................................................................28 K. Contingency Planning............................................................................................29 L. Contractor Systems ................................................................................................31 IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................33 APPENDIX I: Status of Prior OIG Audit Recommendations APPENDIX II: The Office of the Chief Information Officer’s October 22, 2015 response to the draft audit report, issued September 30, 2015. 
APPENDIX III: FY 2015 Inspector General FISMA reporting metrics REPORT FRAUD, WASTE, AND MISMANAGEMENT BACKGROUND I.I.BACKGROUND On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347), which includes Title III, the Federal Information Security Management Act. This Act requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. On December 18, 2014 President Obama signed Public Law 113-283, the Federal Information Security Modernization Act (FISMA), which reiterates the need for an annual IG evaluation. In accordance with FISMA, we conducted an evaluation of OPM’s security program and practices. As part of our evaluation, we reviewed OPM’s FISMA compliance strategy and documented the status of its compliance efforts. FISMA requirements pertain to all information systems supporting the operations and assets of an agency, including those systems currently in place or planned. The requirements also pertain to IT resources owned and/or operated by a contractor supporting agency systems. FISMA reemphasizes the Chief Information Officer’s strategic, agency-wide security responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief Information Officer (OCIO). FISMA also clearly places responsibility on each agency program office to develop, implement, and maintain a security program that assesses risk and provides adequate security for the operations and assets of programs and systems under its control. To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the Department of Homeland Security (DHS) Office of Cybersecurity and Communications issued the Fiscal Year (FY) 2015 Inspector General FISMA Reporting Instructions. 
This document provides a consistent form and format for agencies to report FISMA audit results to DHS. It identifies a series of reporting topics that relate to specific agency responsibilities outlined in FISMA. Our audit and reporting strategies were designed in accordance with the above DHS guidance. 1 Report No. 4A-CI-00-15-011 IVII.. OBJECTIVE, MAJOR CONTRIBUTORS TO THIS REPORT SCOPE, AND METHODOLOGY Objective Our overall objective was to evaluate OPM’s security program and practices, as required by FISMA. Specifically, we reviewed the status of the following areas of OPM’s information technology (IT) security program in accordance with DHS’s FISMA IG reporting requirements:           Continuous Monitoring Management; Configuration Management; Identity and Access Management; Incident Response and Reporting; Risk Management; Security Training; Plan of Action & Milestones (POA&M); Remote Access Management; Contingency Planning; and Contractor Systems. In addition, we evaluated the status of OPM’s IT security governance structure and the agency’s system Authorization process, areas that have represented a material weakness in OPM’s IT security program in prior FISMA audits. We also audited the security controls of four major applications/systems at OPM (see the Scope and Methodology section below for details of these audits), and followed-up on outstanding recommendations from prior FISMA audits (see Appendix I). Scope and Methodology We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit covered OPM’s FISMA compliance efforts throughout FY 2015. 
We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s guidance and the corresponding reporting instructions. We also performed information security audits on the following major information systems:  Multi-State Plan Program Portal (Report No. 4A-RI-00-15-013, issued May 11, 2015);  USA Performance System (Report No. 4A-HR-00-15-018, issued July 20, 2015); 2 Report No. 4A-CI-00-15-011  Annuitant Health Benefits Open Season System (Report No. 4A-RI-00-15-019, issued July 29, 2015); and,  GP Plateau Baseline 6 Learning Management System (Report No. 4A-HR-00-15-015, issued July 31, 2015). We considered the internal control structure for various OPM systems in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. Accordingly, we obtained an understanding of the internal controls for these various systems through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of these systems’ internal controls was used to evaluate the degree to which the appropriate internal controls were designed and implemented. As appropriate, we conducted compliance tests using judgmental sampling to determine the extent to which established controls and procedures are functioning as required. In conducting our audit, we relied to varying degrees on computer-generated data provided by OPM. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, we believe that the data was sufficient to achieve the audit objectives, and nothing came to our attention during our audit to cause us to doubt its reliability. 
Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the set of internal controls for these various systems taken as a whole.

The criteria used in conducting this audit included:

• DHS Office of Cybersecurity and Communications FY 2015 Inspector General Federal Information Security Modernization Act Reporting Instructions;
• OPM Information Technology Security and Privacy Policy Handbook;
• OPM Information Technology Security FISMA Procedures;
• OPM Security Assessment and Authorization Guide;
• OPM Plan of Action and Milestones Standard Operating Procedures;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive 12;
• P.L. 107-347, Title III, Federal Information Security Management Act of 2002;
• P.L. 113-283, Federal Information Security Modernization Act of 2014;
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems;
• NIST SP 800-39, Managing Information Security Risk – Organization, Mission, and Information System View;
• NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems;
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
• NIST SP 800-60 Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
• FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of 1978, as amended. Our audit was conducted from April through September 2015 in OPM’s Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, OPM’s OCIO and other program offices were not in complete compliance with all standards, as described in section III of this report.

III. AUDIT FINDINGS AND RECOMMENDATIONS

Introduction

In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. This was an advanced attack that may have been impossible to prevent in even the most advanced network environment. However, for many years we have reported critical weaknesses in OPM’s ability to manage its IT environment, and warned that the agency was at an increased risk of a data breach. OPM continuously failed a variety of FISMA metrics and carried material weaknesses in the annual FISMA reports. Our recommendations appeared to garner little attention, as the same findings were repeated year after year.

In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to fail to meet FISMA requirements, and we now have additional concerns with the manner in which the agency is attempting to quickly fix problems that were decades in the making. OPM has determined that in order to best secure the sensitive data it maintains, it must create an entirely new technical infrastructure and migrate all of the agency’s systems into this new environment (referred to as the ‘Shell’). OPM faces enormous hurdles in reaching its desired outcome – many of which we do not believe the agency is adequately prepared to address. This infrastructure improvement project has an impact on a variety of the FY 2015 FISMA reporting metrics and will be referenced throughout this report. However, our specific concerns with this project are detailed through separate reporting mechanisms.[1]

Of particular concern in this year’s FISMA audit results is the overall lack of compliance that seems to permeate the agency’s IT security program.
For example, OPM’s decision to put system Security Assessment and Authorizations on hold until applications are migrated into the Shell is an extremely poor decision, and makes it likely that the IT security controls of OPM’s systems will remain neglected during the time that it takes to move the systems to the new environment (probably many years – see section B below). Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.

[1] Flash Audit Alert – U.S. Office of Personnel Management’s Infrastructure Improvement Project (Report No. 4A-CI-00-15-055) and Interim Status Report on OPM’s Responses to Flash Audit Alert – U.S. Office of Personnel Management’s (OPM) Infrastructure Improvement Project (Report No. 4A-CI-00-15-055)

Additionally, OPM’s inability to accurately inventory its systems and network devices drastically diminishes the effectiveness of its security controls. OPM has implemented a large number of improved security monitoring tools, but without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced. This same concern extends to OPM’s vulnerability scanning program (see section D below).

In its response to our draft audit report, the OPM Office of the Chief Information Officer (OCIO) stated “I am proud that OCIO has closed 77% of the recommendations for the FY 2007 through FY 2014 OIG FISMA Audits, as well as OIG system audits.” Although this number is technically accurate, the vast majority of those recommendations were closed many years ago, and are no longer relevant to the current cybersecurity threats that the agency faces. A more relevant statistic is that OPM has closed only 43% of the FISMA recommendations issued in the FY 2013 and FY 2014 FISMA audits. In addition, 21 of the 27 recommendations in this FY 2015 report are at least one year old.[2] We acknowledge that OPM has recently placed additional focus on addressing OIG audit recommendations, and has sought our input in implementing controls to protect its technical environment. Significant work remains for the agency to secure its IT systems, and we are hopeful that this trend continues through the next fiscal year.

[2] Two of the 27 recommendations in this report were implemented by the OCIO in early FY 2016, including one recommendation that was more than one year old, and will be closed upon issuance of this report.

A. Information Security Governance

Information security governance is the overall framework and supporting management structure and processes that are the foundation of a successful information security program. Proper governance involves a variety of activities, challenges, and requirements, but three primary elements include a well-defined security management structure, maintaining a comprehensive inventory of information systems, and managing systems development projects in a disciplined and consistent manner. The following sections provide additional details from the OIG’s review of IT security governance at OPM.

a) Security Management Structure

For many years, we have reported increasing concerns about the state of OPM’s information security management structure. Our Federal Information Security Management Act audit reports from FY 2009 through FY 2013 reported this issue as a material weakness, and our recommendation was that the agency recruit a staff of information security professionals to act as Information System Security Officers (ISSO) that report to the OCIO.
Our FY 2014 FISMA report reduced the severity of the material weakness to a significant deficiency based on OPM’s plan to imminently hire enough ISSOs to manage the security for 100 percent of the agency’s information systems. Throughout FY 2015, OPM was successful in filling the vacant ISSO positions, effectively centralizing IT security responsibility under the Chief Information Officer (CIO) and fulfilling our audit recommendation. With this new governance structure in place, we are closing the audit recommendation related to security management structure and removing the significant deficiency from our report. However, the reorganization of IT security responsibility is only the first step in addressing OPM’s security governance issues. We will closely monitor the effectiveness of this new management structure and will issue additional audit recommendations as necessary.

b) Infrastructure and Inventory

In addition to the decentralization of personnel with IT responsibility, OPM has historically maintained a fragmented and decentralized technical infrastructure that is spread over six data centers and is maintained by different organizations within the agency. OPM’s various program offices would procure, configure, and manage their own information systems, and the OCIO had little control over them – assuming it knew they existed. OPM has several initiatives underway to improve its inventory management program, but it is a monumental task. During this audit we reviewed OPM’s inventory of major information systems (i.e., those subject to FISMA reporting requirements) and compared it to a “comprehensive inventory” that was developed in preparation for migrating systems to the new Shell environment. There are significant discrepancies between the two lists, and our primary concern is that there are still unidentified systems residing on OPM’s network, and that existing applications are not appropriately classified as major or minor.

Over the past several years, the agency has procured a variety of tools to help automate efforts to secure the OPM network. However, our FY 2014 FISMA audit determined that all of these tools are not being utilized to their fullest capacity, as the agency was having difficulty implementing and enforcing the new controls on all endpoints of the decentralized network. In the wake of the data breach, OPM procured even more security tools to help further secure the network. We agree that these tools add value, but OPM continues to face the challenge of implementing them into a fragmented environment where it continues to lack a comprehensive inventory of information systems, computer hardware, and network devices. Despite this major investment in security software and hardware, OPM cannot fully leverage the capability of these tools without knowing which assets must be protected, and therefore continues to remain vulnerable to security breaches.

OPM’s issues with its system inventory also have a major impact on the infrastructure improvement project. Without knowing exactly how many and what type of systems need to be migrated to the new environment, there is no way to adequately plan the time and money that will be required. Failure to maintain an up-to-date inventory and appropriately classify all systems in the environment undermines all other attempts at oversight, risk management, and securing the agency’s information systems.
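The inventory comparison described above, as an added example that is not part of the OIG report or of OPM’s own tooling: it reconciles a FISMA inventory of major systems against a broader “comprehensive” inventory, flags systems that appear in only one list or whose major/minor classification disagrees, and also lists systems whose last Authorization is older than the three-year cycle discussed in section B. All system names, classifications, and dates are constructed sample values; the record layout is an assumption, not OPM’s format.

```python
"""Reconcile two system inventories and flag discrepancies.

Added example (not the OIG's or OPM's code). The records below are
constructed sample data, not OPM systems.
"""
from datetime import date

# Constructed: the FISMA inventory of major systems that gets reported.
FISMA_INVENTORY = [
    {"name": "Retirement Claims System", "classification": "major", "last_authorized": date(2011, 6, 1)},
    {"name": "USA Performance", "classification": "major", "last_authorized": date(2014, 8, 15)},
    {"name": "Benefits Portal", "classification": "major", "last_authorized": None},
]

# Constructed: the broader "comprehensive" inventory built for the migration.
COMPREHENSIVE_INVENTORY = [
    {"name": "retirement  claims system", "classification": "major"},  # same system, different spelling
    {"name": "USA Performance", "classification": "minor"},            # classified differently
    {"name": "Contractor Timekeeping", "classification": "major"},     # unknown to the FISMA list
    {"name": "Intranet Wiki", "classification": "minor"},
]

AS_OF = date(2015, 9, 30)  # constructed report date (end of FY 2015)


def normalize(name):
    """Fold case and whitespace so the same system matches across both lists."""
    return " ".join(name.lower().split())


def reconcile(fisma, comprehensive):
    """Return sorted lists of normalized names: systems absent from the FISMA
    inventory, systems absent from the comprehensive inventory, and systems
    whose major/minor classification disagrees between the two lists."""
    f = {normalize(s["name"]): s for s in fisma}
    c = {normalize(s["name"]): s for s in comprehensive}
    return {
        "not_in_fisma": sorted(k for k in c if k not in f),
        "not_in_comprehensive": sorted(k for k in f if k not in c),
        "classification_mismatch": sorted(
            k for k in f.keys() & c.keys()
            if f[k]["classification"] != c[k]["classification"]
        ),
    }


def expired_authorizations(fisma, as_of, cycle_years=3):
    """Systems never authorized, or last authorized more than cycle_years
    before as_of (as_of is assumed not to be 29 February)."""
    cutoff = as_of.replace(year=as_of.year - cycle_years)
    return sorted(
        normalize(s["name"]) for s in fisma
        if s["last_authorized"] is None or s["last_authorized"] < cutoff
    )


if __name__ == "__main__":
    for key, names in reconcile(FISMA_INVENTORY, COMPREHENSIVE_INVENTORY).items():
        print(f"{key}: {names}")
    print("expired authorizations:", expired_authorizations(FISMA_INVENTORY, AS_OF))
```

Every name in `not_in_fisma` needs a human decision (is it a major system that must be reported, or a minor one?), and every name in `not_in_comprehensive` is a system the migration plan does not yet account for; the normalization step matters because inventories maintained by different offices rarely spell system names identically.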
Recommendation 1 (Rolled Forward from 2014)

We recommend that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network.

OCIO Response: “OCIO concurs with the recommendation. Asset inventory tools were installed on the network in FY 2015 and are being further configured to address gaps in network coverage. Additionally, network access control appliances have been installed to prevent unauthorized equipment from logging onto or being installed on the network. These tools will be aggressively implemented to provide additional assurance that a comprehensive inventory of assets is maintained.”

OIG Comment: As part of the audit resolution process, we recommend that the OCIO provide evidence to OPM’s Internal Oversight and Compliance (IOC) office that it has developed a comprehensive inventory and has also implemented a process to maintain it. This statement applies to all subsequent audit recommendations that OCIO agrees to implement.

c) Systems Development Lifecycle Methodology

OPM has a history of troubled system development projects. In our opinion, the root causes of these issues are related to the lack of centralized oversight of systems development. Despite multiple attempts and hundreds of millions of dollars invested, OPM has encountered well publicized failures to modernize its retirement claims processing system. OPM has also faced struggles in modernizing its financial systems and its applications supporting the background investigation process. OPM’s current infrastructure improvement project will be far more complex than these examples or anything the agency has attempted in the past.

At the end of FY 2013, the OCIO published a new Systems Development Lifecycle (SDLC) policy, which was a significant first step in implementing a centralized SDLC methodology at OPM.
The new SDLC policy incorporated several prior OIG recommendations related to a centralized review process of system development projects. However, this new SDLC is only applicable to major investment projects, and thus is not actively enforced for all IT projects in the agency. Of further concern, OPM has not been following this SDLC for its infrastructure overhaul. This initiative requires a disciplined project management and systems development approach – not only for the overall project, but for the process of upgrading and migrating each individual information system.

Recommendation 2 (Rolled Forward from 2013)

We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM’s system development projects.

OCIO Response: “OCIO concurs with the recommendation. An enhanced policy is being developed to update the Systems Development Life Cycle (SDLC) requirements. A plan and timeline for implementation of the policy for all Development, Modernization and Enhancement (DM&E) projects is also being developed.”

B. Security Assessment and Authorization

Information system Security Assessment and Authorization (Authorization) is a comprehensive assessment that evaluates whether a system’s security controls are meeting the security requirements of that system. The Authorization packages reviewed as part of last year’s FY 2014 FISMA audit were generally of satisfactory quality. However, 11 out of OPM’s 47 major information systems had not been through the Authorization process in over three years, and several of these systems are critical to OPM’s mission and/or process extremely sensitive data. Due to the volume and sensitivity of the OPM systems that were operating without an active Authorization, we classified this issue as a material weakness in the FY 2014 FISMA report. Unfortunately, our FY 2015 FISMA audit work indicates that OPM’s management of system Authorizations has deteriorated even further.
In April 2015, the CIO issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue throughout FY 2016, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. The justification for this action was that OPM is in the process of modernizing its IT infrastructure, and that once this modernization is complete, all systems would have to receive new Authorizations anyway. However, the migration to OPM’s new technical environment is at least five years away from completion. This is enough time for all systems to go through nearly two full Authorization cycles, and does not justify delaying the process.

Federal agencies also have the option of continuously monitoring their IT security controls in lieu of performing formal system Authorizations every three years. However, it will also take significant time before OPM has a continuous monitoring program in place that is mature enough to mitigate the necessity of system Authorizations. OPM is planning to implement DHS’s Continuous Diagnostics and Mitigation (CDM) program. However, the CDM tools are not scheduled to be installed until mid-FY 2016, and it will take some time after that for the program to mature. Although the new infrastructure and the use of CDM will certainly impact the way OPM handles Authorizations in the future, we believe that in the interim it is critical that OPM continue to subject all of its systems to this assessment process.

The Office of Management and Budget's (OMB) Circular A-130, Appendix III mandates that all Federal information systems have a valid Authorization.
According to OMB, information systems should not be operating in a production environment without an Authorization, and agencies should consider shutting down systems that do not have a current and valid Authorization. We acknowledge that the lack of an Authorization does not, by definition, mean that a system is insecure. However, it absolutely does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities. The authorization process - nearly without exception - identifies significant issues that must be addressed. If the agency does not know what weaknesses and vulnerabilities exist in its IT environment, it cannot take steps to address and remove those weaknesses, or develop a proactive and comprehensive IT security strategy. Considering the rapidly changing pace of technology, it is irresponsible to allow these systems to operate without routinely subjecting them to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency's IT security program.

Recommendation 3 (Rolled Forward from 2014)

We recommend that all active systems in OPM’s inventory have a complete and current Authorization.

OCIO Response: “OCIO concurs with the recommendation. OCIO made a risk-based cost-effective decision in FY 2014 to extend the authorizations for all systems in the current enterprise network. Upon migration to the new environment, all systems will undergo a full security assessment and authorization as this constitutes a major change.
As part of our analysis and planning for migration to the new infrastructure, OCIO will conduct a full assessment of the existing authorization package for systems that may remain in the legacy environment for a prolonged period of time.”

OIG Comment: Although the OCIO states that it concurs with our recommendation, its response to our draft report makes it clear that it has no intention of actually addressing this issue. We are well aware of the decision to extend Authorizations for all systems in the current enterprise network until they are migrated to the new environment. While the OCIO is presenting this extension as some sort of compensating control, we view it as the core of the problem. The OCIO could not have made a “risk-based” decision to extend the authorizations of these systems because it has not done any assessment to determine what risks actually exist within these systems. We maintain that it is irresponsible to allow these systems to operate without routinely subjecting them to a thorough security controls assessment.

Recommendation 4 (Rolled Forward from 2014)

We recommend that the performance standards of all OPM system owners be modified to include a requirement related to FISMA compliance for the information systems they own. At a minimum, system owners should be required to ensure that their systems have valid Authorizations.

OCIO Response: “OCIO concurs with the recommendation. OCIO established and implemented these performance standards for the OCIO IT Project Managers (IT PM) in FY 2015. In FY 2016, OCIO will improve these standards and create a new policy to require these standards for IT PMs not positioned within OCIO.”

Recommendation 5 (Rolled Forward from 2014)

We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization.

OCIO Response: “OCIO partially concurs with the recommendation.
OCIO will establish a policy and process for managing authorizations to include documenting a risk-based decision by the authorizing officials to continue operations when authorizations expire.”

OIG Comment: The recommendation is that the OPM Director place consideration on shutting down information systems that do not have a current and valid Authorization – this includes a large number of systems whose Authorizations have already expired. If the Director decides to keep these systems operational even though no assessment has been done to determine what risks exist within them, then this decision should be formally documented.

C. Continuous Monitoring

The following sections detail our review of OPM’s efforts to continuously monitor the security controls of its information systems.

a) Continuous Monitoring Methodology

In FY 2015, the Council of the Inspectors General on Integrity and Efficiency (CIGIE) developed a Continuous Monitoring Maturity Model that provides a framework for evaluating an agency’s information security program and ranking the maturity of its security control monitoring program on a 5-level scale (level 1 being the least mature and effective). We utilized this maturity model to conduct our review of OPM’s information systems continuous monitoring program (ISCM). Our review determined that OPM’s ISCM is currently operating at level 1, “Ad-Hoc.” Through interviews with OCIO personnel we were informed that the ISCM policies and procedures are currently being restructured to better suit the current OPM environment. These new policies and procedures will also help create a more transparent ISCM program, as the previous iteration of ISCM policies did not prove to be very effective. The policies are currently in draft form and the OCIO did not provide an estimated completion date.
We were also informed that the software platform currently used for continuous monitoring submissions and reporting has not been meeting the needs of the ISCM program. The OCIO currently has a project underway to acquire a new software package that will better integrate with OPM’s environment and the requirements of the ISCM program. Defining the technology needed to support a continuous monitoring program is a critical element of CIGIE’s ISCM Maturity Model. Implementation of our recommendation will help the agency reach the next level of continuous monitoring maturity.

As mentioned above, OPM is not currently performing Authorizations on many of its systems. Failure to assess the IT security controls of information systems significantly increases the risk that a system vulnerability will remain undetected and exploited.

Recommendation 6

We recommend that the new ISCM policies and procedures being developed utilize and incorporate the controls identified in the CIGIE Information Security Continuous Monitoring Maturity Model. At a minimum the policies and procedures should:

• Document key stakeholders and their responsibilities;
• Implement continuous monitoring submissions standardization;
• Develop requirements for personnel with significant ISCM responsibilities to have the necessary skill, knowledge, and training to complement their role;
• Develop qualitative and quantitative measures for assessing the effectiveness of the ISCM program;
• Define how ISCM information is routinely shared with top management and personnel with significant ISCM responsibilities; and
• Define the technology needed to support the ISCM program.

OCIO Response: “OCIO partially concurs with the recommendation. We agree that policies and procedures should be developed to address the items listed in the recommendation, and will meet OPM’s ISCM responsibilities in accordance with Federal laws, regulations, directives, and policies.
While OPM does not have a requirement to follow the CIGIE ISCM Maturity Model, we will consider using the CIGIE ISCM Maturity Model where desirable and practicable.”

OIG Comment: While the OCIO states that it only partially agrees with the recommendation, its planned action of implementing the minimum items outlined above and leveraging the ISCM Maturity model while developing its ISCM program will address the audit recommendation.

b) Assessment of Individual System Security Controls

Not only did we determine that OPM’s continuous monitoring program is inadequate, we found that many system owners are not even in compliance with it. OPM’s existing policy requires all OPM operated system owners to submit evidence of continuous monitoring activities at least quarterly. Security control testing is currently required only once a year for OPM systems operated by a contractor. We requested the security control testing documentation for all OPM systems in order to review them for quality and consistency. We determined that only 20 out of 29 systems operated by OPM were subject to adequate security control continuous monitoring activity in FY 2015, and only 10 of the 17 systems operated by a contractor were subject to an adequate annual security control testing exercise.

The following program offices own information systems that failed the security control testing metric in FY 2015:

• Office of the Chief Financial Officer (two systems);
• Office of the Chief Information Officer (one system);
• Employee Services (two systems);
• Healthcare and Insurance (three systems);
• Human Resources Solutions (two systems);
• Office of the Inspector General (three systems); and
• Retirement Services (three systems).

It has been over nine years since OPM has assessed the security controls of all of its systems in a single fiscal year.
Between contractor and agency-operated information systems, only 30 out of 46 systems were subject to adequate security controls testing in FY 2015. Failure to continuously monitor and assess security controls increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level.

Recommendation 7 (Rolled Forward from 2008)

We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

OCIO Response: “OCIO concurs with the recommendation and will ensure all systems have security controls testing performed at least annually and in accordance with OPM ISCM policy.”

D. Configuration Management

The sections below detail the controls that the OCIO has in place to manage the technical configuration of OPM servers, databases, and workstations.

a) Agency-wide security configuration policy

OPM’s Information Security and Privacy Policy Handbook contains policies and procedures related to agency-wide configuration management. The handbook requires the establishment of secure baseline configurations and the monitoring and documenting of all configuration changes.

b) Configuration baselines

Our FY 2014 FISMA audit determined that OPM did not have formal baseline configurations in place for all of the operating platforms and databases used in its environment. In FY 2015, we again reviewed OPM’s progress toward establishing formal baseline configurations and determined that OPM has not made progress in implementing our recommendation. In fact it appears OPM has regressed, as we only received current baseline configurations for two operating systems ( and ), fewer than we reported in FY 2014.
Furthermore, as mentioned in Section A, Information Security Governance, OPM has not developed a comprehensive server, database and applications inventory. As a result, we are not able to independently verify whether OPM has created baseline configurations for all of the operating platforms it uses. However, we do know from our test work that the following operating platforms do exist in OPM’s environment, but do not have a documented baseline: , , , and .

NIST SP 800-53 Revision 4 requires agencies to develop, document, and maintain a current baseline configuration of the information system. A baseline should serve as a formally approved standard outlining how to securely configure various operating platforms. Without an approved baseline, there is no standard against which actual configuration settings can be measured, increasing the risk that insecure systems exist in the operating environment.

Recommendation 8 (Rolled Forward from 2014)

We recommend that the OCIO develop and implement a baseline configuration for all operating platforms in use by OPM including, but not limited to, , , and .

OCIO Response: “OCIO partially concurs with the recommendation. While we agree that a baseline configuration should be developed for all operating platforms on the network, all of the operating platforms identified specifically in the recommendation do not exist as operating platforms on the network. OCIO will use the comprehensive asset inventory developed in conjunction with recommendation 1 to [develop] baseline configurations for the applicable operating platforms. Further, implementation of network access control appliances will prevent unauthorized devices with unauthorized operating systems from connecting to the OPM network.”

OIG Comment: All of the operating platforms listed in the recommendation did exist in the OPM environment at some point in the past year.
If these platforms are no longer used at OPM, then yes, we agree that there is no need to develop a baseline configuration for them. Once OPM has developed a comprehensive asset inventory and developed baselines for all operating platforms that the agency does use, it should provide IOC with relevant supporting documentation.

c) United States Government Computer Baseline Configuration

OPM user workstations are built with a standard image that is compliant with the United States Government Baseline Configuration. Any deviations deemed necessary by the agency from the configurations are documented within each operating platform’s baseline configuration. We conducted an automated scan of the standard image to independently verify compliance with OPM’s baseline. Nothing came to our attention to indicate that there are weaknesses in OPM’s methodology to securely configure user workstations.

d) Compliance with baselines

The OCIO uses automated scanning tools to conduct routine compliance audits on many of the operating platforms used in OPM’s server environment. These tools compare the actual configuration of servers and workstations to the approved baseline configuration. However, as mentioned above, there are operating platforms used by OPM that do not have documented baseline configurations, and therefore it is impossible to subject these systems to adequate compliance audits. NIST SP 800-53 Revision 4 requires agencies to audit activities associated with information system configurations.

Recommendation 9 (Rolled Forward from 2014)

We recommend the OCIO conduct routine compliance scans against established baseline configurations for all servers and databases in use by OPM. This recommendation cannot be addressed until Recommendation 8 has been completed.

OCIO Response: “OCIO concurs with the recommendation.
OCIO currently conducts routine compliance scans for existing baseline configurations and will extend scans to cover new baselines identified by remediating recommendation 8 once new operating systems and databases are identified and baselines are established.”

e) Documented change management process

OPM has a documented change management process.

The OCIO has developed a Configuration Change Control Policy that outlines a formal process to approve and document all computer software and hardware changes. OPM utilizes a software application to manage, track, and document change requests. In FY 2015, OPM acquired and implemented a software product that has the capability to detect, approve, and revert all changes made to information systems. Nothing came to our attention to indicate that there are weaknesses in OPM’s software and hardware change procedures. However, as mentioned above, no software tool can be fully effective if OPM does not have a good grasp of the inventory of assets that the tool must be applied against.

f) OPM’s vulnerability scanning program

We detected a variety of issues with OPM’s vulnerability management program. OPM performs some form of automated network vulnerability scanning on a bi-weekly basis. However, as mentioned throughout this report, OPM’s lack of a complete system inventory makes it impossible to attest that controls of this nature are adequate and comprehensive. Furthermore, our test work identified issues with the inventory documentation that OPM does maintain for vulnerability scanning purposes, as we found information systems residing in areas of the network that were labeled as empty by OPM. Without a complete inventory, OPM is unable to ensure that all systems within the network environment are being scanned routinely for weaknesses.

In addition to our concerns that OPM is not conducting vulnerability scans on its entire environment, we also identified issues with the scans that do take place.
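The compliance audit described in section d) above, where a scanning tool compares each server's actual settings to the approved baseline for its platform, can be illustrated with a small checker. This is an added example, not OPM's tooling or the OIG's test work; the platform names, setting keys and host inventory are constructed sample data. It also shows the report's central point: a host whose platform has no documented baseline cannot be audited at all, so the checker reports it as "no-baseline" rather than silently passing it.

```python
"""Baseline-compliance check: compare each host's actual settings to the approved
baseline for its operating platform, and flag hosts whose platform has no baseline.

Added illustration; not OPM or OIG code. Platform names, setting keys and hosts
below are constructed sample data.
"""
from dataclasses import dataclass, field

# Approved baseline per operating platform (constructed): setting -> required value.
APPROVED_BASELINES = {
    "linux-server": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        "firewall.default_policy": "deny",
    },
    "windows-server": {
        "smb.v1_enabled": "false",
        "audit.enabled": "yes",
        "uac.enabled": "true",
    },
}


@dataclass
class Host:
    name: str
    platform: str
    settings: dict  # actual configuration as collected by a scanning agent


@dataclass
class Finding:
    host: str
    status: str  # "compliant", "deviation" or "no-baseline"
    deviations: dict = field(default_factory=dict)  # setting -> (actual, required)


def check_host(host: Host, baselines: dict = APPROVED_BASELINES) -> Finding:
    """Measure one host against the approved baseline for its platform."""
    baseline = baselines.get(host.platform)
    if baseline is None:
        # Without an approved baseline there is no standard to measure against,
        # so the host cannot be subjected to a compliance audit at all.
        return Finding(host.name, "no-baseline")
    deviations = {}
    for setting, required in baseline.items():
        actual = host.settings.get(setting, "<missing>")
        if actual != required:
            deviations[setting] = (actual, required)
    status = "deviation" if deviations else "compliant"
    return Finding(host.name, status, deviations)


def compliance_report(hosts, baselines: dict = APPROVED_BASELINES):
    """Check every host and summarise how many fall into each status."""
    findings = [check_host(h, baselines) for h in hosts]
    summary = {"compliant": 0, "deviation": 0, "no-baseline": 0}
    for f in findings:
        summary[f.status] += 1
    return findings, summary


# Constructed sample inventory, including one host on a platform with no baseline.
SAMPLE_HOSTS = [
    Host("web01", "linux-server", {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes", "firewall.default_policy": "deny"}),
    Host("db02", "linux-server", {
        "ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
        "firewall.default_policy": "deny"}),            # audit.enabled missing
    Host("file03", "windows-server", {
        "smb.v1_enabled": "true", "audit.enabled": "yes", "uac.enabled": "true"}),
    Host("legacy04", "legacy-os", {"audit.enabled": "no"}),   # no documented baseline
]

if __name__ == "__main__":
    findings, summary = compliance_report(SAMPLE_HOSTS)
    for f in findings:
        print(f.host, f.status, f.deviations)
    print(summary)
```

The "no-baseline" status is the one to watch in the summary: every host counted there is a system that, exactly as the report says, cannot be subjected to a compliance audit until a baseline for its platform is written and approved.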
OPM runs vulnerability scans using the credentials of a “service level” account. However, the scanning tool used by OPM actually requires “administrator” credentials to be fully effective. This access level is necessary to conduct the scanning, as it allows the automated tool to run a full uninhibited check for any vulnerabilities that are present within the information system. Without this level of access, an organization cannot ensure that the tool completed all of its checks and that the results from the scans are reliable. We reviewed reports that indicate numerous OPM systems are being routinely scanned with credentials that do not have sufficient access rights for a comprehensive vulnerability check.

In addition, while the OCIO has documented “accepted” weaknesses for OPM user workstations, it has not fully documented accepted weaknesses (i.e., vulnerabilities whose risk has been accepted due to a business need) for servers or databases. A recommendation related to this issue remains open from FY 2011 and is rolled forward again this year.

Finally, OPM has not implemented a process to centrally track the current status of security weaknesses identified during vulnerability scans to remediation or risk acceptance, and we have concerns that OPM is not remediating known vulnerabilities in a timely manner.

In conclusion, we remain unable to independently attest that OPM has a mature vulnerability scanning program, and must indicate as such on the FISMA metrics provided to OMB.

Recommendation 10 (Rolled Forward from 2014)

We recommend that the OCIO implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory.

OCIO Response: “OCIO concurs with the recommendation.
OCIO will use the inventory created by remediating recommendation 1 to help ensure that vulnerability scanning is performed on all network devices and errors are corrected in a timely manner.”

Recommendation 11 (Rolled Forward from 2014)

We recommend that the OCIO implement a process to centrally track the current status of security weaknesses identified during vulnerability scans to remediation or risk acceptance.

OCIO Response: “OCIO concurs with the recommendation. OCIO is working with the Department of Homeland Security (DHS), as part of the Continuous Diagnostics and Mitigation (CDM) Program, to implement and integrate the tools necessary to meet this recommendation.”

Recommendation 12 (Rolled Forward from 2011)

We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans.

OCIO Response: “OCIO concurs with the recommendation. OCIO will follow its standard process for documenting acceptances of risk for weaknesses identified in vulnerability scans.”

OIG Comment: We are not aware of an existing standard process for documenting acceptance of risks for weaknesses identified in vulnerability scans. If such a process exists, we recommend that the OCIO provide IOC with relevant supporting documentation.

g) Vulnerabilities identified through OIG scanning

We worked with OCIO personnel to conduct independent vulnerability scans of OPM’s information systems. The results and findings of our vulnerability scanning test work are detailed below.

Unsupported software

The results of our vulnerability scans indicated that OPM’s production environment contains severely out-of-date and unsupported software and operating platforms. This means that the vendor no longer provides patches, security fixes, or updates for the software.

Recommendation 13

We recommend the OCIO implement a process to ensure that only supported software and operating platforms are utilized within the network environment.
OCIO Response: “OCIO concurs with the recommendation. In FY 2016, OCIO will implement a software configuration management tool in support of Enterprise Architecture that prevents unapproved software and operating platforms from being implemented within the network environment. OCIO currently has several controls that assist in preventing unapproved software from being implemented in the network, such as requiring administrator privileges to download software.”

Patch management

The OCIO has implemented a process to apply operating system patches on all devices within OPM’s network on a weekly basis. The OCIO also utilizes a third party patching software management program to manage and maintain all non-operating system software. However, our scans determined that although the problems are less severe than in prior years, numerous servers are not patched in a timely fashion. Once again, OPM’s lack of a comprehensive inventory makes it impossible for us or the OCIO to determine how many servers are not receiving timely patches.

Recommendation 14 (Rolled Forward from 2014)

We recommend the OCIO implement a process to apply operating system and third party vendor patches in a timely manner, which is defined within the OPM Information Security and Privacy Policy Handbook.

OCIO Response: “OCIO concurs with the recommendation. Significant progress was made in FY 2015 to apply available patches, and OCIO recognizes additional work is necessary to build a sustainable and measurable process. OCIO will continue to refine its processes for patch management.”

E. Identity and Access Management

The following sections detail OPM’s account and identity management program.

a) Policies for account and identity management

OPM maintains policies and procedures for agency-wide account and identity management within the OCIO Information Security and Privacy Policy Handbook.
The policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for terminated employees.

b) Terminated employees

OPM maintains policies related to management of user accounts for its local area network (LAN) and its mainframe environments. Both policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for terminated employees. We conducted a test comparing the current Windows and mainframe active user lists against a list of terminated employees from the past year. Nothing came to our attention to indicate that there are weaknesses in OPM’s procedures for removing system access for terminated employees.

c) Multi-factor authentication with PIV

No OPM applications require PIV authentication.

OMB Memorandum M-11-11 required all Federal information systems to be upgraded to use PIV credentials for multi-factor authentication by the beginning of FY 2012. In addition, the memorandum stated that all new systems under development must be PIV compliant prior to being made operational, and that agencies must be compliant with the memorandum prior to using technology refresh funds to complete other activities.

Approximately 97 percent of laptops procured and configured by OPM require PIV authentication to log into that device. However, throughout FY 2015 there were no controls enforced that require two-factor authentication to connect other devices to the network. In other words, users could gain access to OPM’s network without two-factor authentication by simply connecting with a personal device. Therefore, very few, if any, OPM users were technically required to log onto the network with two-factor PIV authentication. The only exception would be users that exclusively telework and do not have physical access to any OPM facility.
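The terminated-employee test in section b) above (comparing the Windows and mainframe active user lists against HR's separation list for the past year) is the kind of access review an auditor or IAM engineer scripts rather than does by hand. The following is an added example of that comparison, not OPM's procedure or the OIG's test code; the account exports, separation dates, review date and the optional deprovisioning grace period are constructed assumptions. It handles one practical wrinkle the report's two directories would present: the mainframe export uses upper-case userids and the Windows export lower-case, so the match is case-insensitive.

```python
"""Terminated-employee access review: find accounts that are still active in a
directory after the account holder's separation date.

Added illustration of the comparison the audit describes; not OPM or OIG code.
The account lists, separation dates and review date below are constructed.
"""
from datetime import date

# Constructed: active account exports from two directories. The mainframe export
# uses upper-case userids, the Windows export lower-case.
ACTIVE_ACCOUNTS = {
    "windows": ["jsmith", "mlee", "tnguyen", "svc-backup", "rpatel"],
    "mainframe": ["JSMITH", "MLEE", "KBROWN"],
}

# Constructed: HR separation list for the past year.
TERMINATED_EMPLOYEES = [
    {"userid": "mlee", "separated": date(2015, 3, 14)},
    {"userid": "kbrown", "separated": date(2015, 8, 2)},
    {"userid": "awong", "separated": date(2015, 1, 20)},  # correctly removed everywhere
]

AS_OF = date(2015, 9, 30)  # constructed review date (end of FY 2015)


def orphaned_accounts(active, terminated, as_of=AS_OF, grace_days=0):
    """Return one finding per directory in which a separated user still holds an
    active account more than grace_days after the separation date."""
    findings = []
    for person in terminated:
        uid = person["userid"].lower()
        days_since = (as_of - person["separated"]).days
        if days_since <= grace_days:
            continue  # still inside the allowed deprovisioning window
        for directory, accounts in active.items():
            # Case-insensitive match, because the two exports format userids differently.
            if uid in {a.lower() for a in accounts}:
                findings.append({
                    "userid": uid,
                    "directory": directory,
                    "days_since_separation": days_since,
                })
    return findings


def summarize(findings):
    """Count orphaned accounts per directory, for the audit write-up."""
    counts = {}
    for f in findings:
        counts[f["directory"]] = counts.get(f["directory"], 0) + 1
    return counts


if __name__ == "__main__":
    results = orphaned_accounts(ACTIVE_ACCOUNTS, TERMINATED_EMPLOYEES)
    for r in results:
        print(f"{r['userid']:10} {r['directory']:10} "
              f"active {r['days_since_separation']} days after separation")
    print(summarize(results))
```

With the constructed data, one user still holds accounts in both directories 200 days after separation and another remains on the mainframe only; a 90-day grace period would drop the second from the findings but not the first. A clean run, the result the report describes for OPM, is an empty list.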
In early FY 2016 (after our draft audit report was issued), OPM began rolling out controls that would prevent non-OPM issued devices from connecting to the network. This control closes the loophole that allowed users to gain access to the network without PIV authentication.

Although OPM has made some progress in requiring PIV authentication to unlock OPM-issued devices, this does not meet OMB mandates related to two-factor authentication. OMB Memorandum M-11-11 states that PIV credentials must be used to gain authorized access to an agency’s 1) facilities, 2) network, and 3) information systems. Even if OPM implements controls that prevent the connection of personal devices to its network, it is not fully PIV compliant until all of its information systems (applications) can be accessed only via PIV authentication in lieu of a username and password. Our audit work indicated that none of OPM’s 46 major applications enforced PIV authentication. This is a critical component because without enforcing PIV authentication at the application level, users of the network (either authorized or unauthorized) could still gain access to applications that they are not authorized to use, and public-facing systems are more vulnerable to remote attack.

Recommendation 15

We recommend that the OCIO require PIV authentication to access the OPM network.

OCIO Response: “This recommendation has been remediated and verified by the OIG.” In early FY 2016 OPM implemented controls that enforce PIV authentication to access the network.

OIG Comment: OPM has addressed this recommendation, no further action is required.

Recommendation 16 (Rolled Forward from 2012)

We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials.

OCIO Response: “OCIO concurs with the recommendation.
OCIO will follow its planned schedule for enforcing multi-factor authentication, including the use of PIV credentials wherever feasible.”

F. Incident Response and Reporting

OPM’s Incident Response and Reporting Guide outlines the responsibilities of OPM’s Situation Room and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following its internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities.

a) Identifying and reporting incidents internally

OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT resources to immediately notify OPM’s Situation Room when IT security incidents occur. OPM reiterates this requirement in an annual mandatory IT security and privacy awareness training course.

b) Reporting incidents to US-CERT and law enforcement

OPM’s Acting Director has taken steps to ensure that OIG is timely notified about any future security incidents.

OPM’s Incident Response and Reporting policy states that OPM’s Situation Room is responsible for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT within one hour of a reportable security incident occurrence.

The Incident Response and Reporting policy also states that security incidents should be reported to law enforcement authorities, where appropriate. The OIG’s Office of Investigations is part of the incident response notification distribution list, and should be notified when security incidents occur. However, the OIG was not notified on a timely basis of the major data breach that occurred in FY 2015.
Failure to notify OIG investigators and auditors about the incidents in a timely manner had a negative impact on our ability to coordinate with other law enforcement organizations and conduct audit oversight activity. We brought this issue to the attention of OPM’s new Acting Director, and she assured us that steps have been taken to ensure we will be directly and immediately informed of any future incidents on a timely basis.

c) Detecting, monitoring, and responding to security incidents

OPM owns a security information and event management (SIEM) tool with the technical ability to automatically detect, analyze, and correlate potential security incidents over time. We noted in the FY 2014 FISMA audit report that the tool only received event data from approximately 80 percent of major OPM information systems. In FY 2015, the SIEM now receives event data from all known OPM systems.

We also reported last year that the tool needs to be configured to collect relevant and meaningful data so the potential security alerts contain fewer false-positives. The OPM systems currently providing data to the SIEM are over-reporting log and event data, which results in an excessive amount of data for security analysts to review. The number of alerts that security analysts must review and identify as false-positive creates a backlog that could cause a delay in identifying and responding to actual incidents. We have not been provided any evidence that this issue has been resolved.

The recent data breach was a clear indicator that OPM could improve its incident detecting and monitoring capabilities. In response to the breach, OPM procured many new security tools that are intended to better prevent and detect incidents. While it is good that OPM is attempting to improve its incident detection and monitoring capabilities, we learned that all of these tools have not been fully implemented or optimized.
We believe that it is too early to tell if these tools are actually improving OPM’s incident response capabilities. We will follow up on the implementation of security tools in next year’s FISMA audit.

NIST 800-53 Revision 4 states that an organization must implement “an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.” The organization should also employ “automated mechanisms to support the incident handling process.”

Recommendation 17 (Rolled Forward from FY 2014)

We recommend that OCIO configure its security information and event management tool to collect and report meaningful data, while reducing the volume of non-sensitive log and event data.

OCIO Response: “OCIO concurs with the recommendation. We will configure the filtering capability of the security information and event management tool to meet OPM requirements, reducing unnecessary event logs and event data where possible.”

OIG Comment: OPM addressed this recommendation in early FY 2016 (after the draft audit report was issued); no further action is required.

G. Risk Management

NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to Federal Information Systems” (Guide) provides Federal agencies with a framework for implementing an agency-wide risk management methodology. The Guide suggests that risk be assessed in relation to the agency’s goals and mission from a three-tiered approach:

- Tier 1: Organization (Governance);
- Tier 2: Mission/Business Process (Information and Information Flows); and,
- Tier 3: Information System (Environment of Operation).

NIST SP 800-39 “Managing Information Security Risk – Organization, Mission, and Information System View” provides additional details of this three-tiered approach.
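Section c) above and Recommendation 17 describe the SIEM problem in outline: sources over-report, every event becomes something an analyst must clear, and the false-positive backlog delays response to real incidents. The two standard fixes are filtering routine events at ingestion and correlating repeated security-relevant events into one alert with a count. The following is an added example of both, not OPM's SIEM configuration or anything the OIG ran; the key=value event format, the noise categories, the failed-logon threshold and the sample events are all constructed.

```python
"""SIEM event triage: drop routine noise before it reaches an analyst, then
collapse repeated security-relevant events into a single correlated alert.

Added illustration; not OPM's SIEM configuration or OIG code. The event format,
the noise categories, the threshold and the sample events are constructed.
"""
import re
from collections import defaultdict

# Constructed key=value event format; a real SIEM normalises vendor logs into something similar.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\S+)"
    r"(?: user=(?P<user>\S+))?(?: src=(?P<src>\S+))?$"
)

# Event types that carry no security signal on their own and should be filtered at the source.
NOISE_TYPES = {"heartbeat", "dns-query", "job-success"}

# Repeated failed logons from one source become one alert with a count, not one alert per event.
FAILED_LOGON_THRESHOLD = 5

SAMPLE_EVENTS = [  # constructed
    "2015-06-01T08:00:01 host=ws01 type=heartbeat",
    "2015-06-01T08:00:02 host=ws02 type=dns-query",
    "2015-06-01T08:00:03 host=dc01 type=failed-logon user=jsmith src=10.0.0.5",
    "2015-06-01T08:00:04 host=ws03 type=heartbeat",
    "2015-06-01T08:00:05 host=dc01 type=failed-logon user=jsmith src=10.0.0.5",
    "2015-06-01T08:00:06 host=srv01 type=job-success",
    "2015-06-01T08:00:07 host=dc01 type=failed-logon user=jsmith src=10.0.0.5",
    "2015-06-01T08:00:08 host=dc01 type=failed-logon user=jsmith src=10.0.0.5",
    "2015-06-01T08:00:09 host=dc01 type=failed-logon user=jsmith src=10.0.0.5",
    "2015-06-01T08:00:10 host=srv02 type=priv-change user=svc-backup",
    "2015-06-01T08:00:11 host=dc01 type=failed-logon user=mlee src=10.0.0.9",
    "2015-06-01T08:00:12 host=ws02 type=dns-query",
]


def parse_event(line):
    """Parse one event line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, threshold=FAILED_LOGON_THRESHOLD):
    """Return ingestion counts and the alerts an analyst would actually see."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    forwarded = [e for e in events if e["type"] not in NOISE_TYPES]

    failed_by_src = defaultdict(list)
    alerts = []
    for e in forwarded:
        if e["type"] == "failed-logon":
            failed_by_src[e["src"]].append(e)
        else:
            # Every other security-relevant event is surfaced individually.
            alerts.append({"kind": e["type"], "host": e["host"], "user": e["user"], "count": 1})

    for src, group in failed_by_src.items():
        if len(group) >= threshold:
            alerts.append({"kind": "repeated-failed-logon", "src": src,
                           "users": sorted({g["user"] for g in group}), "count": len(group)})
        # Below the threshold a stray failed logon stays in the event store but raises no alert.

    return {
        "total": len(events),
        "noise_dropped": len(events) - len(forwarded),
        "forwarded": len(forwarded),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{result['total']} events, {result['noise_dropped']} dropped as noise, "
          f"{len(result['alerts'])} alerts for review")
    for a in result["alerts"]:
        print(a)
```

On the sample input, twelve raw events become two alerts: one privilege change and one correlated alert for five failed logons from a single source. That ratio, not the raw forwarding rate, is what the recommendation's "meaningful data" means in practice; the threshold and noise list are the settings a SIEM owner tunes per source.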
a) Agency-wide Risk Management

NIST SP 800-39 states that agencies should establish and implement “Governance structures [that] provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and, (iii) the development and execution of organization-wide investment strategies for information resources and information security.”

In FY 2011 the OCIO organized a group comprised of several IT security professionals to fulfill the Risk Executive Function. However, as of the end of FY 2015, the group still does not have an approved charter, and therefore does not have clearly defined responsibility and authority for risk management activity at OPM. In addition, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 are not all fully implemented. Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment, maintaining a risk registry, communicating the agency-wide risks down to the system owners, and ensuring proper authorization of agency information systems.

Recommendation 18 (Rolled Forward from 2011)

We recommend that OPM continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).

OCIO Response: “OCIO partially concurs with this finding. While we believe the Risk Executive Function is important for OPM-wide risk management, OCIO can only manage risk associated with its portfolio.
To that end, OCIO will use its IT governance processes and other governance processes, such as the annual Federal Financial Managers’ Integrity Act (FMFIA) internal control processes, to manage risks within the OCIO portfolio.”

OIG Comment: The OCIO should continue its efforts to manage risks associated with OPM’s technology portfolio, and the OPM Director should assign responsibility for implementing the elements of an agency-wide risk management program that are not covered by the OCIO.

b) System Specific Risk Management

NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that contains six primary steps, including “(i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and (vi) the ongoing monitoring of security controls and the security state of the information system.”

The OCIO has implemented the six-step RMF into its system-specific risk management activities through the Authorization process. In addition, OPM policy requires each major information system to be subject to routine security controls testing through a continuous monitoring program (see Continuous Monitoring section C).

H. Security Training

FISMA requires all government employees and contractors to take IT security awareness training on an annual basis. In addition, employees with IT security responsibility are required to take additional specialized training.

a) IT security awareness training

Over 99 percent of OPM employees and contractors completed IT security awareness training.

The OCIO provides annual IT security and privacy awareness training to all OPM employees through an interactive web-based course. The course introduces employees and contractors to the basic concepts of IT security and privacy, including topics such as
the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy training, telework, mobile devices, Wi-Fi guidance, and the roles and responsibilities of users. Over 99 percent of OPM’s employees and contractors completed the security awareness training course in FY 2015.

b) Specialized IT security training

OPM employees with significant information security responsibilities are required to take specialized security training in addition to the annual awareness training. The OCIO has developed a table outlining the security training requirements for specific job roles. The OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having security responsibility. Only 65 percent of employees identified as having significant security responsibilities completed special IT training in FY 2015.

Recommendation 19

We recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

OCIO Response: “OCIO concurs with this recommendation. OCIO will establish training plans for personnel with significant information security responsibility and track progress toward completion of approved classes.”

I. Plan of Action & Milestones (POA&M)

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. The sections below detail OPM’s effectiveness in using POA&Ms to track the agency’s security weaknesses.

a) POA&Ms incorporate all known IT security weaknesses

In November 2014, the OIG issued the FY 2014 FISMA audit report with 29 audit recommendations. However, only 13 of the 29 recommendations were appropriately incorporated into the OCIO master POA&M. We have not seen how or if the remaining 16 recommendations were documented.
Failure to incorporate all known IT security weaknesses into the associated POA&M limits the agency’s ability to effectively identify, assess, prioritize, and monitor the progress of the corrective efforts to remediate identified weaknesses. The following program offices failed to update their system’s POA&Ms to document all known security weaknesses:

- Federal Investigative Services (three systems);
- Office of the Inspector General (one system); and
- Human Resource Solutions (one system).

Recommendation 20 (Rolled Forward from 2014)

We recommend that the OCIO and program offices that own information systems ensure that all known security weaknesses are incorporated into the appropriate POA&M.

OCIO Response: “OCIO concurs with the recommendation. While the vast majority of weaknesses were incorporated into the appropriate POA&M, we acknowledge that a few weaknesses were not added timely. We will update our POA&M process accordingly to assure that weaknesses are added timely in the future.”

b) Prioritize Weaknesses

Each program office at OPM is required to prioritize the security weaknesses on their POA&Ms to help ensure significant IT issues are addressed in a timely manner. We verified the POA&Ms that were provided did identify and prioritize each security weakness.

c) Effective Remediation Plans and Adherence to Remediation Deadlines

Many system owners are not meeting the self-imposed remediation deadlines listed on the POA&Ms. Only 5 of OPM’s 46 systems do not have POA&M items that are greater than 120 days overdue. We issued an audit recommendation in FY 2012 related to overdue POA&M items, and that recommendation was closed during this fiscal year based on evidence provided at the time. However, our subsequent test work determined that adherence to POA&M deadlines continues to be an issue, therefore we are issuing this recommendation once again for FY 2015.
The 41 systems with overdue POA&M items are owned by:

- Office of the Chief Financial Officer (two systems);
- Office of the Chief Information Officer (nine systems);
- Employee Services (three systems);
- Federal Investigative Services (seven systems);
- Healthcare and Insurance (three systems);
- Human Resource Solutions (seven systems);
- Office of the Inspector General (four systems); and
- Retirement Services (six systems).

Recommendation 21

We recommend that the OCIO and system owners develop formal corrective action plans to remediate all POA&M weaknesses that are over 120 days overdue.

OCIO Response: “OCIO concurs with the recommendation. OCIO will create a corrective action plan for weaknesses that are more than 120 days overdue.”

d) Identifying Resources to Remediate Weaknesses

Only 40 of OPM’s 46 systems appropriately identify the resources needed to address POA&M weaknesses, as required by OPM’s POA&M policy. We issued an audit recommendation in FY 2014 related to resources not being identified to resolve POA&M items, and that recommendation was closed during this fiscal year based on evidence provided at that time. However, on our subsequent test work we determined that the necessary resources to remediate vulnerabilities are still not being identified on system POA&Ms for systems owned by:

- Office of the Chief Information Officer (two systems);
- Human Resource Solutions (two systems);
- Federal Investigative Services (two systems).

Recommendation 22

We recommend that all POA&Ms list the specific resources required to address each security weakness identified.

OCIO Response: “OCIO concurs with the recommendation. OCIO will include in its POA&Ms resources required to remediate security weaknesses.”

e) Supporting Documentation for Closing POA&Ms

The OCIO requires program offices to provide the evidence, or “proof of closure,” that security weaknesses have been resolved before officially closing the related POA&M.
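The two POA&M tests in sections c) and d) above (which systems carry items more than 120 days overdue, grouped by program office, and which systems list no resources against a weakness) reduce to a few queries over the POA&M extract. The following is an added example of those queries, not OPM's POA&M tooling or the OIG's working papers; the items, system names, program office abbreviations and the review date are constructed sample data, and only the 120-day threshold comes from the report.

```python
"""POA&M tracker: flag systems with items more than 120 days overdue and items
that do not identify the resources needed to fix them.

Added illustration; not OPM's POA&M tooling or OIG code. The items, system names,
program offices and the review date below are constructed sample data.
"""
from datetime import date

OVERDUE_THRESHOLD_DAYS = 120  # the threshold the audit applies
AS_OF = date(2015, 9, 30)     # constructed review date (end of FY 2015)

# Constructed POA&M extract: one row per weakness.
POAM_ITEMS = [
    {"system": "SYS-A", "office": "OCIO", "weakness": "Unsupported OS on two servers",
     "due": date(2015, 1, 15), "resources": "2 FTE, migration budget"},
    {"system": "SYS-A", "office": "OCIO", "weakness": "Missing audit logging",
     "due": date(2015, 9, 1), "resources": ""},
    {"system": "SYS-B", "office": "HRS", "weakness": "Weak TLS configuration",
     "due": date(2015, 4, 1), "resources": "1 FTE"},
    {"system": "SYS-C", "office": "FIS", "weakness": "Stale firewall rules",
     "due": date(2015, 7, 10), "resources": "0.5 FTE"},
    {"system": "SYS-D", "office": "RS", "weakness": "No contingency plan test",
     "due": date(2015, 5, 20), "resources": ""},
    {"system": "SYS-E", "office": "OCIO", "weakness": "Patch backlog",
     "due": date(2015, 12, 1), "resources": "patch tooling"},
]


def days_overdue(item, as_of=AS_OF):
    """Days past the milestone date; zero for items not yet due."""
    return max(0, (as_of - item["due"]).days)


def systems_over_threshold(items, as_of=AS_OF, threshold=OVERDUE_THRESHOLD_DAYS):
    """Map program office -> sorted systems with at least one item past the threshold."""
    result = {}
    for it in items:
        if days_overdue(it, as_of) > threshold:
            result.setdefault(it["office"], set()).add(it["system"])
    return {office: sorted(systems) for office, systems in sorted(result.items())}


def systems_missing_resources(items):
    """Sorted systems with at least one item that names no remediation resources."""
    return sorted({it["system"] for it in items if not it["resources"].strip()})


def summary(items, total_systems, as_of=AS_OF):
    """The headline numbers the audit reports for sections c) and d)."""
    overdue = systems_over_threshold(items, as_of)
    overdue_count = sum(len(s) for s in overdue.values())
    return {
        "systems_with_items_over_threshold": overdue_count,
        "systems_without_such_items": total_systems - overdue_count,
        "systems_missing_resources": len(systems_missing_resources(items)),
    }


if __name__ == "__main__":
    print(systems_over_threshold(POAM_ITEMS))
    print(systems_missing_resources(POAM_ITEMS))
    print(summary(POAM_ITEMS, total_systems=6))
```

Note that a system is counted once however many overdue items it carries, which is how the report arrives at "41 of 46 systems" rather than a count of items; an item whose due date is still in the future contributes zero days and is never flagged.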
When the OCIO receives a proof of closure document from the program offices for a POA&M item, an OCIO staff member will judgmentally review the documentation to determine whether or not the evidence provided was appropriate. Nothing came to our attention to indicate problems with the OCIO’s process for closing POA&M items.

J. Remote Access Management

OPM has implemented policies and procedures related to authorizing, monitoring, and controlling all methods of accessing the agency’s network resources from a remote location. In addition, OPM has issued agency-wide telecommuting policies and procedures, and all employees are required to sign a Rules of Behavior document that outlines their responsibility for the protection of sensitive information when working remotely.

OPM utilizes a Virtual Private Network (VPN) client to facilitate secure remote access to the agency’s network environment. The OPM VPN requires the use of an individual’s PIV card and password authentication to uniquely identify users. The OIG has reviewed the VPN access list to ensure that there are no shared accounts and that each user account has been tied to an individual. The agency maintains logs of individuals who remotely access the network, and the logs are reviewed on a monthly basis for unusual activity or trends. Although there are still a small number of authorized network devices that are not compliant with PIV cards (e.g., ), these devices still require multi-factor authentication for remote access through the use of RSA tokens and password authentication.

In previous years, we discovered that remote access sessions do not terminate or lock out after 30 minutes of inactivity as required by FISMA. OPM has acknowledged the issue and stated that the weakness has not been remediated and a project is in place to address this. The scheduled completion date for the project is May 2016.
Recommendation 23 (Rolled Forward from 2012)

We recommend the OCIO configure the VPN servers to terminate VPN sessions after 30 minutes of inactivity.

OCIO Response: “OCIO concurs with the recommendation. We have thoroughly analyzed and investigated this matter. Virtual Private Network (VPN) appliances are configured and have been validated to terminate connections to the network after 30 minutes of inactivity. Some applications, agents, and software purposefully run in the background because they take a prolonged period of time to complete or because they periodically refresh data to the device. This is valid and authorized activity. Thus, OCIO believes the VPN appliance is working in accordance with the intended configuration setting.”

OIG Comment: As part of the audit resolution process, we recommend that the OCIO provide IOC with a list of the applications, agents, and software that prevents a VPN session from terminating after 30 minutes. We will work with IOC to evaluate whether it is appropriate to close this recommendation.

K. Contingency Planning

OPM’s Information Security Privacy and Policy Handbook requires a contingency plan to be in place for each information system and that each system’s contingency plan be tested on an annual basis. The sections below detail our review of contingency planning activity in FY 2015.

a) Documenting contingency plans of individual OPM systems

We received contingency plans for 23 out of 46 information systems on OPM’s master system inventory. The following program offices failed to submit adequate contingency planning documentation for one or more systems that they own:

- Office of the Chief Financial Officer (two systems);
- Office of the Chief Information Officer (six systems);
- Employee Services (three systems);
- Federal Investigative Services (one system);
- Office of Healthcare and Insurance (two systems);
- Human Resource Solutions (four systems); and
- Office of Retirement Services (five systems).

According to OPM’s Information Security and Privacy Policy Handbook, “Contingency Plans shall be reviewed, updated, and tested at least annually to ensure its effectiveness.” Failure to document contingency plans increases the risk that agency information systems will not be recovered in a timely manner and that critical data could be lost.

Recommendation 24 (Rolled Forward from FY2014)

We recommend that the OCIO ensure that all of OPM’s major systems have Contingency Plans in place and that they are reviewed and updated annually.

OCIO Response: “OCIO concurs with the recommendation. OCIO will ensure contingency plans are reviewed and updated annually.”

b) Testing contingency plans of individual OPM systems

OPM’s Information Security Privacy and Policy Handbook requires that the contingency plan for each information system be tested at least annually using information system specific tests and exercises. We received evidence that contingency plans were tested for only 18 of OPM’s 46 systems in FY 2015. This is a significant decrease from the number of systems that were tested in FY 2014. The following program offices failed to submit adequate documentation for one or more systems that they own:

- Office of the Chief Financial Officer (two systems);
- Office of the Chief Information Officer (seven systems);
- Employee Services (three systems);
- Federal Investigative Services (three systems);
- Healthcare and Insurance (two systems);
- Human Resources Solutions (six systems); and
- Retirement Services (five systems).

Of the contingency plan tests we did receive, we noted improved quality in documentation as it relates to the analysis or “lessons learned” section of the report. However, due to the significantly low number of tests received, we cannot conclude that OPM has improved the overall quality and consistency of its contingency plan testing methodology.
NIST SP 800-34 Revision 1 states that following a contingency plan test, “results and lessons learned should be documented and reviewed by test participants and other personnel as appropriate. Information collected during the test and post-test reviews that improve plan effectiveness should be incorporated into the contingency plan.”

Recommendation 25 (Rolled Forward from 2008)

We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 29 systems that were not subject to adequate testing in FY 2015.

OCIO Response: “OCIO concurs with the recommendation. OCIO will test contingency plans annually.”

c) Testing contingency plans of OPM general support systems

In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. The intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This recommendation has been remediated in FY 2015 and is now closed.

OPM conducted tests of its general support system contingency plans. Many OPM systems reside on one of the agency’s general support systems. The OCIO typically conducts a full recovery test at the backup location of the Enterprise Server Infrastructure general support system (i.e., the mainframe and associated systems) on an annual basis. In FY 2015 a successful functional contingency plan test was conducted and documented that involved OPM’s Enterprise Server Infrastructure and the LAN/WAN general support system.

L. Contractor Systems

We evaluated the methods that the OCIO and various program offices use to maintain oversight of their systems operated by contractors on behalf of OPM.
a) Contractor system documentation

OPM’s master system inventory indicates that 17 of the agency’s 46 major applications are operated by a contractor. In the past, the OCIO maintained a separate spreadsheet documenting interfaces between OPM and contractor-operated systems and the related Interconnection Security Agreements (ISA). However, we were told that the spreadsheet was not maintained in FY 2015.

NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, states that improperly designed interconnections could result in security failures that compromise the connected systems and the data that they store, process, or transmit. Failure to maintain valid ISAs could introduce risks similar to improperly designed interconnections.

The OCIO did not provide evidence that they track Memoranda of Understanding/Agreement (MOU/A). These documents outline the terms and conditions for sharing data and information resources in a secure manner. The OCIO should track MOU/As to ensure that valid agreements are in place for each documented ISA.

Recommendation 26 (Rolled Forward from 2014)

We recommend that the OCIO ensure that all ISAs are valid and properly maintained.

OCIO Response: “OCIO concurs with the recommendation. OCIO will update its processes for identifying, controlling, and maintaining interconnections and their associated documentation.”

Recommendation 27 (Rolled Forward from 2014)

We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.

OCIO Response: Recommendation 27 was combined with Recommendation 26 in the draft audit report. The OCIO response to Recommendation 26 applies to this recommendation as well.

IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group
Lead IT Auditor-In-Charge
Lead IT Auditor
Lead IT Auditor
IT Auditor
IT Auditor
IT Auditor
IT Auditor
IT Auditor
Group Chief

Appendix I

Status of Prior OIG Audit Recommendations

The tables below outline the current status of prior audit recommendations issued in FY 2014 by the Office of the Inspector General.

Report No. 4A-CI-00-14-016: FY 2014 Federal Information Security Management Act Audit, issued November 12, 2014

Columns: Rec # | Original Recommendation | Recommendation History | Current Status

Rec 1: We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the CISO. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals.
History: Roll-forward from OIG Reports 4A-CI-00-10-019 Recommendation 4, 4A-CI-00-11-009 Recommendation 2, 4A-CI-00-12-016 Recommendation 1, and 4A-CI-00-13-021 Recommendation 1.
Status: CLOSED 9/30/2015

Roll-forward from OIG Report: 4A-CI-00-13-021 Recommendation 2, OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 2. Recommendation new in FY 2014, OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 3. 4 We recommend that the performance standards of all OPM system owners be modified to include a requirement related to FISMA compliance for the information systems they own. At a minimum, system owners should be required to ensure that their systems have valid Authorizations.
Recommendation new in FY 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 4 5 We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization. Recommendation new in FY 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 5 6 We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function). 2 3 We recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM’s system development projects. We recommend that all active systems in OPM’s inventory have a complete and current Authorization. Roll-Forward from OIG Report:  4A-CI-00-11-009 Recommendation 6,  4A-CI-00-12-016 Recommendation 2, and  4A-CI-00-13-021 Recommendation 3 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 18 page 2 of 4 Status of Prior OIG Audit Recommendations 7 8 9 10 11 12 13 We recommend that the OCIO develop and implement a baseline configuration for all operating platforms in use by OPM including, but not limited to, , , , and . We recommend the OCIO conduct routine compliance scans against established baseline configurations for all servers and databases in use by OPM. This recommendation cannot be addressed until Recommendation 7 has been completed. We recommend the OCIO implement technical controls that prevent configuration changes without proper documentation and approvals. We recommend that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. We recommend that the OCIO implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory. 
We recommend that the OCIO implement a process to centrally track the current status of security weaknesses identified during vulnerability scans to remediation or risk acceptance. We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans. Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 8 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 9 Recommendation new in 2014 CLOSED 8/26/2015 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 1 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 10 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 11 Roll-forward from OIG Reports:  4A-CI-00-11-009 Recommendation 9,  4A-CI-00-12-016 Recommendation 4, and OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 12  4A-CI-00-13-021 Recommendation 6 14 15 We recommend the OCIO implement a process to apply operating system and third party vendor patches in a timely manner, which is defined within the OPM Information Security and Privacy Policy Handbook. Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 14 We recommend that the OCIO expand the capabilities of the ENSOC to ensure that security incidents from all OPM-operated information systems are centrally analyzed and correlated. Recommendation new in 2014 CLOSED: 9/30/2015 page 3 of 4 Status of Prior OIG Audit Recommendations 16 17 18 19 20 We recommend that OCIO configure its security information and event management tool to collect and report meaningful data, while reducing the volume of non-sensitive log and event data. We recommend that the OCIO and program offices that own information systems ensure that all known security weaknesses are incorporated into the appropriate POA&M. 
We recommend that the OCIO and system owners develop formal corrective action plans to remediate all POA&M weaknesses that are over 120 days overdue. Recommendation new in 2014 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 20 Roll-forward from OIG Reports: CLOSED: 1/16/15  4A-CI-00-12-016 Recommendation 8 and  4A-CI-00-13-021 Recommendation 8 We recommend that all POA&Ms list the specific resources required to address each security weakness identified. Recommendation new in 2014 We recommend the OCIO configure the VPN servers to terminate VPN sessions after 30 minutes of inactivity. Roll-forward from OIG Reports: 4A-CI-00-12-016 Recommendation 10 and 21 22 We recommend that the OCIO expand its continuous monitoring program to include mandatory continuous monitoring for contractoroperated systems and implementation of the DHS Continuous Diagnostic and Mitigation program as outlined in the OCIO’s continuous monitoring strategy. Reissued as 4A-CI-00-15-011 Recommendation 21 CLOSED: 11/12/14 4A-CI-00-13-021 Recommendation 10 We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials. CLOSED: 11/06/15 Roll-forward from OIG Reports: 4A-CI-00-12-016 Recommendation 11 and 4A-CI-00-13-021 Recommendation 11 Recommendation new in 2014 Reissued as 4A-CI-00-15-011 Recommendation 22 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 23 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 16 CLOSED: 9/30/2015 page 4 of 4 Status of Prior OIG Audit Recommendations We recommend that OPM ensure that an annual test of security controls has been completed for all systems. 
Roll-forward from OIG Reports:  4A-CI-00-08-022 Recommendation 1,  4A-CI-00-09-031 Recommendation 6,  4A-CI-00-10-019 Recommendation 10, 23  4A-CI-00-11-009 Recommendation 11, OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 7  4A-CI-00-12-016 Recommendation 14, and  4A-CI-00-13-021 Recommendation 13 24 We recommend that the OCIO ensure that all of OPM’s major systems have contingency plans in place and are reviewed and updated annually. We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the eight systems that were not subject to adequate testing in FY 2014. Recommendation new in 2014 Roll-forward from OIG Reports:  4A-CI-00-08-022 Recommendation 2,  4A-CI-00-09-031 Recommendation 9,  4A-CI-00-10-019 Recommendation 30, 25 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 24  4A-CI-00-11-009 Recommendation 19, OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 25  4A-CI-00-12-016 Recommendation 15, and  4A-CI-00-13-021 Recommendation 14 We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing. 26 Roll-forward from OIG Reports:  4A-CI-00-11-009 Recommendation 21,  4A-CI-00-12-016 Recommendation 16, and CLOSED: 9/30/2015  4A-CI-00-13-021 Recommendation 15 28 We recommend that the OCIO identify agency systems that reside in a public cloud and document those systems on the master system inventory. We recommend that the OCIO ensure that all ISAs are valid and properly maintained. 29 We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection. 
27 Recommendation new in 2014 CLOSED: 11/12/2014 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 26 Recommendation new in 2014 OPEN: Rolled-forward as Report 4A-CI-00-15-011 Recommendation 27

Appendix II

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington DC 20415
Chief Information Officer

October 22, 2015

MEMORANDUM FOR: Chief, Information Systems Audit Group, Office of the Inspector General
FROM: DONNA K. SEYMOUR, Chief Information Officer
SUBJECT: Office of the Chief Information Officer Response to the Office of the Inspector General Federal Information Security Modernization Act Audit – FY 2015 (Report No. 4A-CI-00-15-011)

Thank you for the opportunity to provide comments to the Office of the Inspector General (OIG) draft report for the Fiscal Year (FY) 2015 Federal Information Security Modernization Act (FISMA) Audit for the U.S. Office of Personnel Management (OPM). The OIG comments are valuable to the office of the Chief Information Officer (OCIO) as they afford us an independent assessment of our operations and help guide our improvements to enhance the security of the data furnished to OPM by the Federal workforce, the Federal agencies, our private industry partners, and the public.

We welcome a collaborative dialogue to help ensure we fully understand the OIG’s recommendations as we plan our remediation efforts so that our actions and the closure of the recommendations thoroughly address the underlying issues. I look forward to continued discussions during our monthly reviews to help ensure we remain aligned. As a practice we have established in our monthly meetings, OCIO intends to track these recommendations in our dashboards to facilitate the aggressive pursuit of remediations, and we will provide updates at each meeting. I am proud that OCIO has closed 77% of the recommendations for the FY 2007 through FY 2014 OIG FISMA Audits, as well as OIG system audits.
We believe this progress during the past year demonstrates that OPM takes the recommendations seriously and is focused on protecting its data and information technology (IT) systems. Each of the recommendations provided in the draft report is discussed below:

Recommendation 1 (Rolled Forward from 2014)

We recommend that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network.

CIO Response: OCIO concurs with the recommendation. Asset inventory tools were installed on the network in FY 2015 and are being further configured to address gaps in network coverage. Additionally, network access control appliances have been installed to prevent unauthorized equipment from logging onto or being installed on the network. These tools will be aggressively implemented to provide additional assurance that a comprehensive inventory of assets is maintained.

Recommendation 2 (Rolled Forward from 2013)

We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM’s system development projects.

CIO Response: OCIO concurs with the recommendation. An enhanced policy is being developed to update the Systems Development Life Cycle (SDLC) requirements. A plan and timeline for implementation of the policy for all Development, Modernization and Enhancement (DM&E) projects is also being developed.

Recommendation 3 (Rolled Forward from 2014)

We recommend that all active systems in OPM’s inventory have a complete and current Authorization.

CIO Response: OCIO concurs with the recommendation. OCIO made a risk-based cost-effective decision in FY 2014 to extend the authorizations for all systems in the current enterprise network. Upon migration to the new environment, all systems will undergo a full security assessment and authorization as this constitutes a major change.
As part of our analysis and planning for migration to the new infrastructure, OCIO will conduct a full assessment of the existing authorization package for systems that may remain in the legacy environment for a prolonged period of time.

Recommendation 4 (Rolled Forward from 2014)

We recommend that the performance standards of all OPM system owners be modified to include a requirement related to FISMA compliance for the information systems they own. At a minimum, system owners should be required to ensure that their systems have valid Authorizations.

CIO Response: OCIO concurs with the recommendation. OCIO established and implemented these performance standards for the OCIO IT Project Managers (IT PM) in FY 2015. In FY 2016, OCIO will improve these standards and create a new policy to require these standards for IT PMs not positioned within OCIO.

Recommendation 5 (Rolled Forward from 2014)

We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization.

CIO Response: OCIO partially concurs with the recommendation. OCIO will establish a policy and process for managing authorizations to include documenting a risk-based decision by the authorizing officials to continue operations when authorizations expire.

Recommendation 6

We recommend that the new ISCM policies and procedures being developed utilize and incorporate the controls identified in the CIGIE In...

Explanation & Answer

Attached.

Running head: Security Assessment Report (systems network)

Security Assessment Report (systems network)
Student’s Name:
Institutional Affiliation:

Abstract
This is a summary of the security assessment that I will conduct on the organization's network as the
Information Assurance Management Officer, prompted by a security breach that occurred at the
Office of Personnel Management (OPM). Cyber-attacks, especially attacks on government and
corporate agencies, are occurring at a higher rate recently compared to the past. These attacks
inflict severe negative impacts on the organization, like data loss to unauthorized personnel;
hence the security threats and vulnerabilities should be assessed and remedied accordingly to
prevent similar attacks. The report will contain more in-depth information about the purpose of
the research, its scope, security assessment methodologies, data findings, recommendations, and
conclusions. Most security breaches can be prevented if the organization, in this case OPM, enacts
some easy-to-learn preventive measures (encryption).
Purpose
The essential reason for the security audit or network assessment is to ensure quality security
control measures against security breaches for any designed and implemented organizational
projects in the computer system. Assessment and monitoring of the entire computer system and the
organization's infrastructure (processes and policies) should be conducted regularly, including
when changing to a new system or adding infrastructure, to stay ahead of any possible future
threats. The assessment is for ensuring that the organization's Information Systems (IT) resources
meet the requirements of the Federal Information Security Modernization Act (FISMA).

Organization
It is a medium-sized legal entity that has a common goal of providing quality products and
services to consumers. It has a functional organizational structure with divided roles,
responsibilities, and power across different sectors, each sector being led by its own manager. The
structure of the organization will be provided at the end of this document.
Scope: Enterprise network
A data network, or computer network in other terms, is the interconnection of different computers
with the primary aim of sharing resources using data link connections (Wireless Fidelity (Wi-Fi),
Ethernet and fiber-optic cables) between nodes. Networking enhances communication and
sharing among devices. It supports an extensive number of computer applications and services,
like the use of other hardware devices (printers, fax machines, and storage devices) and access to
the internet. There are different common types of computer networks:

- Wireless Local Area Network (WLAN) - a local network supported by Wi-Fi technology.
- Local Area Network (LAN) - a network that covers a short distance, for example, a
  networked school, home or office building.
- Wide Area Network (WAN) - a geographically widely distributed group of LANs.
- Metropolitan Area Network (MAN) - a network covering a larger area than a LAN but
  smaller than a WAN.

Given that this is a medium-sized organization, I propose the use of both LAN and WAN networks
for efficiency, because each has its advantages and disadvantages and one can supplement the
other in case of difficulties or threats. The advantages and disadvantages of LAN and WAN are
noted at the end of the document in Fig. 3 and Fig. 4 respectively.
Computer networking can be termed the most significant source of cybercrime, as it is easy for
hackers to gain unauthorized access to the organization's data by deploying a computer worm
or virus to attack the system or by directly hacking into the network. Worms and viruses can be
voluntarily downloaded as system software from unsecured sources or through links. But with
strong encryption and security policies, cyber threats to LAN and WAN networks can be
prevented (Keshav, 1997).
Other networking computing platforms that are available and can be implemented in our network
systems are:
Cloud computing - this is the use of internet-hosted remote servers over local server/computer
systems in managing, accessing, processing and storing data, information, and programs.
Distributed computing - has distributed systems located in different networks that achieve a
common goal by passing information to each other. An example of a distributed system is a
multiplayer online game.
Centralized computing - involves using a central computer for all computing processes, as long
as the computer peripherals are connected to the central computer, which is in control, either
through terminal servers or physically.
These computing platforms achieve the same goals of communica...

