Computer Security at the Bureau of Prisons
The following comes from the statement of Richard J. Hankinson, Deputy Inspector General, Office of the Inspector General before the Subcommittee on Government Information, Justice, and Agriculture of the Committee on Government Operations of the U.S. House of Representatives. It concerns computer security at the Bureau of Prisons (BOP) and focuses primarily on the SENTRY system. This took place on September 11, 1991. We thank the reader who forwarded this to us.
The Bureau of Prisons operates three main computer systems:
The SENTRY system is by far the most important, most used, and most sensitive. It is used for management of the 60,000 prisoners, property management, legal reference, and the BOP nationwide electronic mail system. Over 400,000 SENTRY transactions occur every day, and all 19,000 BOP staff members are actual or potential users.
The Batch Transmission System (BTS) is a personal computer (PC) based system that accumulates financial management data at a local institution or BOP office. Data from the PCs is transmitted to the BOP Network Control Center, and then re-transmitted to the Justice Management Division (JMD) Data Center in Rockville, Maryland, for processing.
The Federal Prison Point of Sale is a PC based system, networked locally, that is used to record inmate trust fund and commissary transactions at the institution.
Our audit focused on SENTRY, although the other two systems were also tested relative to the security of those two applications. We focused on SENTRY because of the importance of that system to the daily operations of BOP and because of the sensitivity of the data that is stored in and managed by that system.
Our audit work was conducted at BOP Headquarters at the Federal Correctional Center in Sandstone, Minnesota; at the United States Penitentiary in Leavenworth, Kansas; and at the Medical Center in Springfield, Missouri. Additional survey work was also done at the Metropolitan Correctional Center in Chicago, Illinois.
With that background, let me summarize the key deficiencies that we found and what BOP has done in response.
The Network Control Center (NCC) is the critical brain stem that connects data in the field with the mainframe computer in JMD's Rockville Data Center. Both the Batch Transmission System (that handles BOP financial data) and the SENTRY system depend on the effective operation of the NCC. We recommended that a Risk Analysis and Contingency Plan be prepared for this important facility. To its credit, BOP has chosen not to quarrel over whether the NCC meets the technical parameters of the DOJ Order requiring such reviews. Instead, BOP has acknowledged the value of such planning and already has awarded a contract for the work, which is scheduled to be completed in about six months. Once these are completed, they will be reviewed by both our auditors and by the Department's Security Officer.
We found that while BOP uses passwords to limit access to SENTRY terminals, it does not use them to the extent required by DOJ order, nor does it presently provide adequate security or an adequate audit trail. BOP relies on its control of access to offices that contain PCs, and on a terminal-based password (used by all workers in the office or department) to protect against unauthorized access to its computers. This is not adequate. BOP needs to assign a specific password to every individual authorized to access the SENTRY system, to limit the data applications each individual may access and how it may be accessed (i.e., read only, or read and enter data), and it needs to establish password lifetimes (i.e., periodic changes to passwords). By doing so, BOP will tighten control over access to SENTRY, will establish an audit trail that assures individual accountability for transactions performed in SENTRY and that will aid in the detection of unauthorized entries. Although BOP thought it might qualify for an exemption from this requirement, its request was denied on August 20, 1991, and BOP has advised my office that it will implement a password system that conforms to our recommendations by December 31, 1991.
Like some other components in the Department, BOP is delinquent in assuring that background investigations for new hires and reinvestigations every five years for existing employees are conducted on a timely basis. We found that 441 employees in our survey (which totaled 1,684 employees) did not have completed initial background investigations, including 261 employees who had been employed for over a year and 24 who had been employed for over 10 years. An additional 753 employees out of the same sample of 1,684 had not been reinvestigated within five years, as required; 475 of these had not been reinvestigated in over 10 years.
We are satisfied that the Department does indeed have adequate policies in place with regard to computer security. However, much remains to be done. We have directed the Department's components to improve the security of sensitive information processed or stored in departmental computer systems. As a result, JMD and the Offices, Boards, Divisions, and Bureaus are taking steps to further reduce security weaknesses. In July, the Department held an executive briefing regarding computer security awareness for all Department component heads. This executive briefing complements a series of security awareness training sessions already conducted for other employee groups (e.g., managers, end users) throughout the Department in compliance with the Computer Security Act of 1987.
In addition to computer security training, we have taken positive steps on a number of other fronts. These include the following:
Security at the Rockville Data Center
As the Committee is aware, the General Accounting Office identified a number of physical security weaknesses at the Rockville Data Center, ranging from the lack of appropriate alarms to questions regarding access. These have all now been addressed and resolved.
Contingency Planning
With two central, departmental data centers - in Rockville, Maryland and Dallas, Texas - which operate with compatible equipment and the same operating systems, the Department has been well positioned to create an operational contingency backup capacity for its components. We are now in the early stages of making that capacity a reality. This will require a balancing of equipment and operations between the two centers; a reconfiguration of the telecommunications network between Rockville, Dallas, and our field components; and a set of final determinations by each of our components regarding which systems require immediate backup. This process should take about two years and will move the Department of Justice into the front ranks of the government upon completion.
In addition, we have developed a security compliance review program involving departmental components. These reviews cover automated data processing, telecommunications, physical, document, and personnel security. If the component being reviewed has an ADP system designated as "sensitive," the review also covers the implementation of the computer security plan (as required by the Computer Security Act of 1987) and the accuracy of the computer systems security plan. Currently, the Department has 95 systems so designated. As staffing levels and work priorities have permitted, reviews have been conducted since May 1990.
JMD has conducted thirteen computer security reviews in four components (JMD, Tax Division, U.S. Attorneys, Bureau of Prisons). Six reviews were conducted in BOP. (A representative sample of locations was chosen: the Central Office, a regional office, three correctional facilities, and the Denver Training Center.) The BOP has prepared seven computer system security plans covering the seven systems that contain sensitive information.
They are: Batch Transmission System, Federal Prison Point of Sale System, SENTRY, Inmate Telephone System, Vehicle Tracking System, BOP Net, and Automated Inmate Management System. It should be noted that four of these systems are operational while three are under development.
The SENTRY system was selected for review because it is BOP's primary mission-support system which includes inmate-related information and management information sub-systems. SENTRY is a distributive system and serves many diverse users. Over 5,000 SENTRY terminals are now installed nationwide in over 65 correctional facilities in the U.S. and selected BOP Community Program offices, U.S. Parole Commission offices, U.S. Attorney offices, U.S. Probation offices, and U.S. Marshals' offices.
On any given day, over 500,000 transactions are processed in response to a variety of requests for information. The reviews validated information in all sections of the computer security plan. As a result of these reviews, the following major weaknesses have been identified: A formal risk analysis has not been conducted; a formal contingency plan has not been developed; user identification and unique passwords are not used; and inadequate computer security awareness training and no formal computer security awareness training for new employees and recurring computer security awareness training for current employees exist.
Other findings included concerns regarding uninterruptible power supply, user session audit trails, and scheduled password changes.
These issues have been presented to the Bureau of Prisons in discussion and will shortly be provided in formal draft for comment.
Earlier I stated that one of the findings of the computer security review was that BOP had not completed its risk analyses. This issue has been addressed in BOP's response. A contract has been signed for the development of a business continuity plan which will include the completion of risk analyses. Another finding of the computer security review was that user identification and unique passwords are not used. In response to our direction, the Bureau has now agreed to provide unique user identification and passwords for SENTRY users by December 31, 1991.
The Bureau has over 20,000 employees who must be trained in accordance with the Computer Security Act. In July, BOP issued guidance which implemented computer security training.
As a final comment, we would only observe that the Department takes its computer security responsibility very seriously. We believe we have an effective program. Only by doing everything within our power to safeguard information can we be reasonably assured that the Department's and the public's interests will continue to be well protected.
