Audit Reports

-A A +A
skip-to-content

The Volpe Center’s Information Technology Infrastructure Is at Risk for Compromise

Self-Initiated
Project ID: 
FI2016056

This report presents the results of our audit of the security controls for the John A. Volpe Center’s (Volpe) information technology infrastructure. Our objectives were to determine whether: (1) Volpe’s local area network (LAN) and Web sites are secure from compromise, and (2) security weaknesses exist in Volpe’s IT infrastructure.

Volpe’s LAN was not secure from compromise because the Center did not follow the National Institute of Standards and Technology’s (NIST) guidance on information security and DOT’s cybersecurity policy. Some Volpe management practices also created security weaknesses that made its IT infrastructure vulnerable to compromise. Furthermore, Volpe’s oversight practices for the network space it contracts out created risks for compromise. Finally, Volpe did not maintain a complete inventory of its network devices. NIST’s guidance and DOT’s policy require Operating Administrations to maintain up-to-date inventories of their systems’ components and devices. However, Volpe’s administrators did not have a complete inventory and could not identify unauthorized devices. Consequently, Volpe’s IT infrastructure and the systems and data on it are at risk for compromise. We made several recommendations to help the Center address these issues.

Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY. The redacted version is posted to our website.

Recommendations

Open

Closed

Closed on 05.09.2017
Sensitive
No. 1 to RITA

Sensitive information redacted

Closed on 01.27.2017
No. 2 to RITA

Implement security measures for protecting PII in accordance with DOT Chief Information Officer Departmental Privacy Risk Management Policy.

No. 3 to RITA

Install a network-based intrusion detection and prevention solution to complement the current host-based systems, enabling more comprehensive and accurate detection and prevention of malicious activity on the network, including traffic coming from trusted connections.

Closed on 11.01.2016
No. 4 to RITA

Implement a network admission control solution to ensure only authorized users can access network resources.

Closed on 03.21.2017
No. 5 to RITA

Conduct regular vulnerability assessments and scans of the LAN to identify known vulnerabilities and common misconfigurations, and implement a policy that holds system administrators accountable for remediating identified vulnerabilities.

Closed on 03.21.2017
No. 6 to RITA

Develop and execute interconnection security agreements with clients that it contracts with for network space on the IT infrastructure in accordance with NIST and DOT policy and guidelines.

Closed on 03.21.2017
No. 7 to RITA

Develop and maintain a complete inventory of authorized network devices accessible to staff who monitor departmental networks.

Closed on 11.01.2016
No. 8 to RITA

Implement a procedure to require the ISSM's approval before any device, including virtualized and other non-physical IT devices, is connected to the LAN, to include development and project systems.