Exhibit I – Significant Deficiency
Financial Management Systems Need Improvement (Repeat Condition)
Effective Information Technology (IT) general controls add assurance that data used to prepare and report financial information and statements is complete, reliable, and has integrity. Our fiscal year 2009 IT assessment, performed in support of the fiscal year 2009 financial statement audit, focused on the IT general controls over the USPTO’s major financial management systems and supporting network infrastructure, using GAO’s Federal Information System Controls Audit Manual (FISCAM), revised in February 2009, as a guide. The five FISCAM IT general control review areas, and our related findings, are as follows:
- Security management. These controls provide a framework and continuing cycle of activity for assessing risk, developing and implementing effective security procedures, assigning responsibilities, and monitoring the effectiveness of these procedures. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, provides key guidance for establishing and maintaining an entity-wide information security program. The Department of Commerce IT Security Program Policy and Minimum Implementation Standards reiterates OMB Circular A-130 guidance and implements key elements of such guidance as Department-wide policy.
During our fiscal year 2009 audit, we did not identify weaknesses related to security management controls.
- Access controls. In close concert with an organization’s security management, access controls for general support systems and financial systems should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization’s entity-wide security program. Such controls include physical controls and logical controls.
The objectives of limiting access are to ensure that users have only the access needed to perform their duties; that access to very sensitive resources, such as security software programs, is limited to very few individuals; and that employees are restricted from performing incompatible functions or functions beyond their responsibility. This is reiterated by Federal guidelines. For example, OMB Circular A-130 and supporting NIST Special Publications provide guidance related to the maintenance of technical access controls. In addition, the Department of Commerce IT Security Program Policy and Minimum Implementation Standards contain many requirements for operating Department IT devices in a secure manner.
During fiscal year 2009, we noted that USPTO should improve access controls by (1) appropriately removing and periodically re-certifying viewing data center access, (2) consistently tracking visitors’ access to the data center, (3) strengthening network and financial database password controls, (4) preventing the use of shared user accounts and passwords, (5) disabling inactive network, financial application, and database user accounts, (6) disabling network, financial application, and database user permissions of terminated employees and contractors, (7) configuring audit settings so that they are consistent with approved baselines, (8) defining auditable events and activities and consistently monitoring audit logs, and (9) strengthening access authorizations and recertification efforts. We recognize that USPTO has certain compensating controls in place to help reduce the risk of the identified vulnerabilities, and we have considered such compensating controls as part of our financial
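One way an auditor can test access control items (4), (5), and (6) above by reconciling an account inventory export against an HR separation list. This is an added example, not code from the audit report or from USPTO; the account data, field names, and the 90-day inactivity threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the audit): an account export from the
# network, financial application and database, plus the HR separation list.
ACCOUNTS = [
    {"user": "jdoe",       "system": "network",       "enabled": True,  "shared": False, "last_login": date(2009, 9, 15)},
    {"user": "asmith",     "system": "financial_app", "enabled": True,  "shared": False, "last_login": date(2009, 3, 1)},
    {"user": "dba_shared", "system": "database",      "enabled": True,  "shared": True,  "last_login": date(2009, 9, 20)},
    {"user": "rjones",     "system": "database",      "enabled": True,  "shared": False, "last_login": date(2009, 9, 1)},
    {"user": "kwhite",     "system": "network",       "enabled": False, "shared": False, "last_login": date(2009, 2, 2)},
]
SEPARATIONS = {"rjones": date(2009, 8, 15), "kwhite": date(2009, 2, 10)}  # user -> separation date
AS_OF = date(2009, 9, 30)  # assumed fiscal year-end test date


def find_access_exceptions(accounts, separations, as_of, inactive_days=90):
    """Return (user, system, test, detail) tuples for enabled accounts that fail
    the inactive-account, shared-account or terminated-user test. Disabled
    accounts are skipped because disabling is the expected end state."""
    exceptions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user, system = acct["user"], acct["system"]
        idle = (as_of - acct["last_login"]).days
        if idle > inactive_days:
            exceptions.append((user, system, "inactive", f"{idle} days since last login"))
        if acct["shared"]:
            exceptions.append((user, system, "shared", "shared account; actions not attributable"))
        if user in separations:
            sep = separations[user]
            detail = f"still enabled after separation on {sep}"
            if acct["last_login"] > sep:
                detail += "; used after separation"  # stronger finding: access exercised, not just left open
            exceptions.append((user, system, "terminated", detail))
    return exceptions


def run_sample():
    """Run the three tests over the constructed data as of AS_OF."""
    return find_access_exceptions(ACCOUNTS, SEPARATIONS, AS_OF)


if __name__ == "__main__":
    for exc in run_sample():
        print(" | ".join(exc))
```

The terminated-user test flags any still-enabled account of a separated person; a login after the separation date is reported separately because it indicates the access was exercised, which an auditor would treat as a more serious exception.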
- Configuration management. Configuration management involves the identification and management of security features for all hardware, software, and firmware components of an information system at a given point and systematically controls configuration changes throughout the system’s life cycle. Establishing controls over modifications to information system components and related documentation helps to ensure that only authorized systems and related program modifications are implemented. This is accomplished by instituting policies, procedures, and techniques to help ensure that hardware, software and firmware programs and program modifications are properly authorized, tested, and approved, and that access to and distribution of programs is carefully controlled. Without proper controls, there is a risk that security features could be inadvertently or deliberately omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.
Effective configuration management prevents unauthorized changes to information system resources and provides reasonable assurance that systems are configured and operating securely and as intended. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended and to the extent needed to support missions.
During fiscal year 2009, we noted that configuration management controls should be improved by (1) consistently applying patches and configuring devices for the protection against external and internal vulnerabilities, (2) implementing documented and approved configuration management policy and procedures, and (3) maintaining up-to-date hardware and software libraries.
- Segregation of duties. Work responsibilities should be segregated so that an individual does not control more than one critical function within a process. Inadequately segregated duties increase the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed. Key areas of concern for segregation of duties involve duties among major operating and programming activities, including duties performed by users, application programmers, and data center staff. Policies outlining individual responsibilities should be documented, communicated, and enforced. The prevention and/or detection of unauthorized or erroneous actions by personnel require effective supervision and review by management, as well as formal operating procedures.
During fiscal year 2009, we noted that segregation of duties controls should be improved by preventing developers and programmers from having conflicting access to the production environment.
- Contingency planning. Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency’s ability to accomplish its mission. For this reason, an agency should have: (1) procedures in place to protect information resources and minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruptions occur.
During fiscal year 2009, we noted that contingency planning controls should be improved by (1) maintaining up-to-date contingency plans that reflect the current processing environments, and (2) procuring an alternate processing site.
Specific recommendations are included in a separate limited distribution IT general controls report, issued as part of the fiscal year 2009 financial statement audit.
We agreed with your findings, conclusions, and recommendations related to improving the USPTO’s financial management systems controls. The USPTO is in the process of developing corrective action plans to address the recommendations presented in the separate limited distribution IT general controls report.