<?xml version="1.0"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">

<channel>
<title>U.S. DoT OIG Information Technology RSS Feed</title>
<link>http://www.oig.dot.gov/rss.jsp?subject=7</link>
<description>The 10 most recent releases on the U.S. DoT OIG web site related to Information Technology</description>
<language>en-US</language>
<webMaster>webmaster@oig.dot.gov (OIG Webmaster)</webMaster>
<image>
<url>http://www.oig.dot.gov/images/dot.gif</url>
<title>U.S. DoT OIG Information Technology RSS Feed</title>
<link>http://www.oig.dot.gov/rss.jsp?subject=7</link>
</image>
<atom:link href="http://www.oig.dot.gov/rss.jsp?subject=7" rel="self" type="application/rss+xml" />
<item>
<title>Quality Control Review of Controls Over the Enterprise Services Center</title>
<link>http://www.oig.dot.gov/item.jsp?id=2542</link>
<description>On October 1, 2009, we issued our final report on the general, application, and operational controls over the DOT Enterprise Services Center.  OIG hired a CPA firm to perform this review in accordance with the Statement of Auditing Standard No. 70, which is required by OMB for agencies designated as Federal Service Providers to provide cross-agency services.  The audit covered Delphi Financial Management System operations, which are used by multiple Federal agencies; and the Consolidated Automation System for Time and Labor Entry (CASTLE), which is used to support DOT operations only.  The audit concluded that management's description of controls presents fairly, in all material respects, the controls that have been placed in operation and controls are suitably designed.  In addition, controls were operating effectively except in the areas of logical access and segregation of duties concerning CASTLE system operations.</description>
<pubDate>Thu, 01 Oct 2009 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2542</guid>
</item>
<item>
<title>Audit of the Data Integrity of the Commercial Driver's License Information System</title>
<link>http://www.oig.dot.gov/item.jsp?id=2519</link>
<description>On July 30, 2009, we issued our report on the audit of the Data Integrity of the Commercial Driver's License Information System (CDLIS), as required by the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU).  This audit addressed the validity of CDLIS data and security issues.  We assessed: (1) whether convictions received from the courts were recorded in a timely manner, (2) whether CDLIS and state department of motor vehicles (DMV) systems were adequately secured, and (3) the adequacy of contingency plans to ensure continued CDLIS service to DMVs following a disaster or other emergency.  FMCSA has taken measures to strengthen the CDL program, but additional action is necessary to increase the safety of the Nation's highways.  First, DMVs are still experiencing delays in posting convictions to their driver history records for CDLIS users' access.  Second, deficiencies in security controls persist. Specifically, system certification and accreditation reviews have not been completed, and states lag in developing and implementing comprehensive security policies and procedures to better protect DMV systems.  Third, enhanced contingency planning and testing of both CDLIS-Access and state DMV systems has not fully occurred.  We made specific recommendations to address these weaknesses. The Acting Deputy Administrator, Federal Motor Carrier Safety Administration concurred with our findings and recommendations, and has provided plans to take specific actions to implement them.</description>
<pubDate>Thu, 30 Jul 2009 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2519</guid>
</item>
<item>
<title>Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems</title>
<link>http://www.oig.dot.gov/item.jsp?id=2465</link>
<description>On May 4, 2009, we issued our report on Federal Aviation Administration (FAA) web applications security and intrusion detection in air traffic control (ATC) systems, requested by the Ranking Minority Members of the full House Transportation and Infrastructure Committee and its Aviation Subcommittee.  The objectives of this performance audit were to determine whether (1) web applications used in supporting ATC operations were properly secured to prevent unauthorized access to ATC systems, and (2) FAA's network intrusion-detection capability was effective in monitoring ATC cybersecurity incidents. We found that web applications used in supporting ATC systems operations were not properly secured to prevent attacks or unauthorized access.  During the audit, our staff gained unauthorized access to information stored on web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks.  In addition, FAA had not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities.  The intrusion-detection system has been deployed to only 11 (out of hundreds of) ATC facilities.  Also, cyber incidents detected were not remediated in a timely manner.</description>
<pubDate>Mon, 04 May 2009 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2465</guid>
</item>
<item>
<title>Quality Control Review of the Department's Implementation of Earned Value Management and Security Cost Reporting</title>
<link>http://www.oig.dot.gov/item.jsp?id=2454</link>
<description>On April 24, 2009, we issued our report on the audit of the Department of Transportation's implementation of earned value management (EVM), and the supportability of estimated security costs for major information technology (IT) investments.  An independent firm, KPMG, LLP, of Washington, D.C., under contract to the Office of Inspector General (OIG), assessed the effectiveness of DOT's program and practices in these areas, specifically to determine if (1) the earned value management measures included in OMB Exhibit 300 submissions properly reflected project performance, and (2) security costs included in the submissions were supported.  KPMG concluded that the Department applied EVM controls inconsistently throughout the Operating Administrations.  The Department lacked a standard EVM approach for implementation and was not consistent with requirements specified by OMB; consequently, the EVMS-related processes used to collect and report the EVM measures included in Exhibit 300 submissions could not be relied upon to properly reflect project performance. Additionally, KPMG found the Department has not established a standard method to accurately and consistently estimate the costs of implementing IT security.  As a result, the security cost estimates for Exhibit 300 submissions cannot be fully supported.  We made specific recommendations to address these weaknesses. The DOT Chief Information Officer concurred with our findings and recommendations, and has provided plans to take specific actions to implement them.</description>
<pubDate>Fri, 24 Apr 2009 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2454</guid>
</item>
<item>
<title>Audit Initiated of DOT's Implementation of Personal Identity Verification Cards</title>
<link>http://www.oig.dot.gov/item.jsp?id=2412</link>
<description>The Office of Inspector General is initiating an audit of DOT's implementation of personal identity verification (PIV) cards.  On August 27, 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPD-12), &quot;Policy for a Common Identification Standard for Federal Employees and Contractors.&quot;  This Directive requires the development and implementation of a mandatory, governmentwide standard for secure and reliable forms of identification, referred to as PIV cards, to be issued by the Federal government to its employees and contractors.  OMB required DOT to fully implement HSPD-12 by October 27, 2008.  Our audit objectives are to determine if DOT (1) has an effective process to issue, maintain, and terminate functional PIV cards for employees and contractors; and (2) is adequately protecting the personal information collected, stored, processed, and transmitted on the PIV systems.</description>
<pubDate>Fri, 19 Dec 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2412</guid>
</item>
<item>
<title>Audit of DOT's Information Security Program</title>
<link>http://www.oig.dot.gov/item.jsp?id=2369</link>
<description>On October 8, 2008, we issued our report presenting the results of our annual audit of the Department's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA).  Consistent with FISMA and Office of Management and Budget requirements, we assessed the effectiveness of DOT's program and practices in this area, specifically (1) implementation of minimum security standards, (2) configuration management, and (3) incident-handling and reporting.  We found, overall, that the Department's information security program was not effective.  Despite some improvements, DOT had not established adequate policies and procedures; privacy protection of personally identifiable information remained insufficient, as did protection of computer networks; training of employees and contractors was not being assured; identification of information-security weaknesses was not being consistently carried out, nor was timely resolution of those identified; and departmental systems were not sufficiently protected or their recovery, when necessary, assured.  We are making 27 specific recommendations to address these deficiencies.  The DOT Chief Information Officer concurred with our findings and recommendations, and plans to provide, within 30 days, a description of specific actions to be taken to implement these recommendations, along with their milestone dates.</description>
<pubDate>Wed, 08 Oct 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2369</guid>
</item>
<item>
<title>Review of DOT Privacy Policies and Procedures</title>
<link>http://www.oig.dot.gov/item.jsp?id=2351</link>
<description>On September 9, 2008, we issued a final report on the Review of DOT Privacy Policies and Procedures.  This audit was done as required by the Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government.  We found that DOT has made significant progress in addressing its statutory responsibilities under the Act by designating a senior official, the departmental Chief Information Officer, to be the Chief Privacy Officer.  The Department has established proper procedures and a framework for assessing the necessity of using personally identifiable information (PII) and the collection, use, and security of PII.  However, tests of sampled PII systems identified deficiencies in implementation of the prescribed procedures, placing these personal data at risk. For example, the departmental privacy office had evaluation documents for only the 109 systems contained in its PII inventory; however, the office could not provide support that no PII is stored in DOT's other 320 systems.  Nine of 20 sampled systems requiring a System of Records Notice did not have one published to notify the public of the intended use of the information collected from it.  Further, some systems containing PII did not meet minimum security requirements, such as encrypting PII during network transmission and using proper password controls to authenticate users.  We also noted that the departmental privacy officer does not report directly to the Chief Information and Privacy Officer.  In our opinion, this organization structure has reduced the visibility of the privacy program and was a major contributing factor to the deficiencies identified in this audit.</description>
<pubDate>Tue, 09 Sep 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2351</guid>
</item>
<item>
<title>Audit Initiated of DOT's Information Security Program and Practices for Fiscal Year 2008</title>
<link>http://www.oig.dot.gov/item.jsp?id=2309</link>
<description>As required by the Federal Information Security Management Act of 2002 (FISMA), the Office of Inspector General is initiating its Fiscal Year 2008 audit of the Department of Transportation's (DOT) information security program and practices.  Our audit objective is to determine the effectiveness of DOT's information security program and practices.</description>
<pubDate>Tue, 10 Jun 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2309</guid>
</item>
<item>
<title>Audit Initiated of the Web Applications Security in Air Traffic Control Systems</title>
<link>http://www.oig.dot.gov/item.jsp?id=2307</link>
<description>The Office of Inspector General is initiating an audit of web applications security in air traffic control (ATC) systems in response to a request made by the U.S. House of Representatives Committee on Transportation and Infrastructure. The objectives of this audit are to determine whether: (1) web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA's network intrusion-detection capability is effective in monitoring ATC cyber security incidents.</description>
<pubDate>Mon, 02 Jun 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2307</guid>
</item>
<item>
<title>Audit Initiated of Information Security and Privacy Controls over FAA's Medical Support System</title>
<link>http://www.oig.dot.gov/item.jsp?id=2245</link>
<description>The Office of Inspector General is undertaking an audit of the Federal Aviation Administration's (FAA) Medical Support System's (MSS) information security and privacy controls. Our audit objectives are to (1) determine if the airmen's personally identifiable information is properly secured from unauthorized use or access, and (2) assess FAA's progress in establishing a program to flag airmen holding current medical certificates while receiving disability pay.</description>
<pubDate>Thu, 28 Feb 2008 00:00:00 GMT</pubDate>
<guid isPermaLink="true">http://www.oig.dot.gov/item.jsp?id=2245</guid>
</item>
</channel>
</rss>
