The Honorable Timothy J. Muris
Dear Chairman Muris:
The attached report covers the Office of Inspector General's (OIG) activities for the second half of fiscal year 2001, and is submitted according to Section 5 of the Inspector General Act of 1978, as amended.
During this six-month reporting period, the OIG conducted an information security evaluation as required by the Government Information Security Reform Act (GISRA). The OIG found that while the agency has systems in place to guard against intrusion by external sources, it lacks documented policies and procedures that would establish adequate controls to guard against abuses by internal sources. The OIG also found that security measures are not yet fully integrated into the IT systems' life cycle as required by OMB Circular A-130. In keeping with requirements of GISRA, a second OIG review is scheduled to be performed later in fiscal year 2002.
The OIG has also completed field work in response to a Congressional inquiry into the agency's implementation of the "SmartPay" program. The OIG found that the agency's use of charge cards to make selected small purchases was generally operating effectively.
The OIG also initiated fieldwork on the FY 2001 Financial Statement Audit along with performing some preliminary work relating to a survey of the agency's collection and use of unsolicited commercial email. Details of these efforts are found in the body of this report.
As in the past, management has been responsive in attempting to address OIG recommendations. I appreciate management's support, and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.
Frederick J. Zirkel
The Federal Trade Commission (FTC) seeks to assure that the nation's markets are competitive, efficient, and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by ending unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict or inhibit the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.
To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided with five work years and a budget of $656,400 for fiscal year 2001.
For this semiannual period, the OIG issued a Government Information Security Reform Act (GISRA) evaluation. The OIG also completed fieldwork on evaluating how the agency has managed its "SmartPay" credit card program, initiated fieldwork on the FY 2001 financial statement audit, and began an audit survey of the agency's collection and use of unsolicited commercial email. Detailed information regarding these audits and reviews is provided below.
In AR 01-051 and AR 01-051A, GISRA Security Evaluations Report and Executive Summary, the OIG performed an evaluation of the agency's information security program and practices which included testing the effectiveness of security controls for selected agency systems.(1) The OIG applied the National Institute of Science and Technology's (NIST) Security Assessment Framework to the FTC's information security program to identify the level of security attained by the FTC. The OIG found that while the agency has systems in place to guard against external intrusion, it lacks documented policies and procedures to ensure continuity in the face of service interruptions and controls to effectively guard against internal abuse.
The Government Information Security Reform Act (P.L. 106-398) amended the Paperwork Reduction Act of 1995 by enacting a new subchapter on information security. In effect, GISRA codifies existing requirements of OMB Circular A-130, Security of Federal Automated Information Resources, which requires agencies to incorporate security into the life cycle of agency information systems. GISRA requires agencies to (i) implement an agency-wide security program practiced throughout the systems' life cycles, (ii) provide incident response capability, (iii) conduct an annual program review, and (iv) detail security plan implementation steps in the annual performance plan.
The "NIST Framework" used by the OIG identifies five levels of IT security program effectiveness. The five levels measure specific management, operational and technical control objectives. Level 1 requires that the FTC have a formally documented and disseminated security policy covering its three major programs. Policy documentation should address, at a minimum, the purpose and scope of the policy, the person(s) responsible for implementing the policy, and the consequences and penalties for not implementing the policy. Subsequent levels build on this basic foundation, culminating with the highest level of security preparedness, Level 5, in which the organization has "fully integrated procedures and controls."
The OIG found that management had no documented security policy for any of its three program areas (Consumer Protection, Maintaining Competition and General Support) as required by OMB Circular A-130 and other government guidelines. As a result, the OIG concluded that the agency did not achieve a Level 1 security rating in accordance with NIST guidelines, which, in the opinion of the OIG, constitutes a material weakness.
Regarding a second material weakness, the OIG found that established security procedures were not routinely documented or followed in the general support program area. Documentation of technology configuration would provide a needed blueprint into current IT operations and would, once created, mitigate possible disruptions in operations whenever critical IT staff leave the agency.
Further, the OIG learned that the agency's contingency plan was outdated. Level 2 of the NIST Framework requires formal, complete and well-documented procedures (to include contingency plans) for implementing policies established at Level 1. OMB guidelines require that the plan be reviewed annually and revised as appropriate. The agency's contingency plan was last updated in 1997. It identifies many systems that no longer exist at the agency, while other newer systems are not mentioned.(2)
Moving to Level 3 of the framework requires that IT security procedures and controls be implemented in a consistent manner and reinforced through training. In select areas where documentation does exist, the OIG found security procedures were not always being followed. Most serious were those procedures requiring IT staff to periodically check network and applications "user lists."(3) The OIG identified a number of employees who left the agency and who still had active network accounts.
The OIG also noted that the agency's IT Security Incident Response Policy (No. 2000-01) is not always followed. This vulnerability can lead to wrongdoing by agency staff not being detected in a timely manner, and/or external attacks not being reported to senior management consistently. The Incident Response Policy is not well known outside the small group of people involved in information security or system administration. As a result, many incidents go unreported. Incidents that were fully resolved did not contain evidence of follow-up with management.
The OIG found no indication that senior management was routinely made aware of security violations affecting agency information resources. Based on interviews with both program officials and technical operations staff, the OIG learned that dozens of incidents were "resolved" by operations with no incident reports being prepared. Short-cutting the Incident Response Policy means there is little, if any, effective management oversight as few records are maintained as to incident trends, types, or their ultimate resolution.
In addition to the aforementioned weaknesses, the OIG identified five other reportable conditions. Specifically, the OIG found:
To address the findings, the OIG recommended that IT management develop an agency-wide and individual systems security plan and policy; disseminate the Incident Response Policy to all program and IT employees and define what constitutes an "incident" for reporting purposes; produce exception reports to identify areas of potential internal abuse; immediately disable accounts of former employees and/or contractors and establish controls to prevent future occurrences; review current practices and redefine roles and responsibilities to ensure no single individual possesses all knowledge and access to security information; limit accounts of external users and periodically review internal user accounts to eliminate in a timely manner outdated access privileges; and provide the computer security officer with the necessary authorities to adequately fulfill the position's mandate.
The CIO is preparing a GISRA action plan to address these recommendations. The action plan is due to the Office of Management and Budget in the beginning of fiscal year 2002.
The Inspector General is authorized by the IG Act to receive and investigate allegations of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing are referred to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.
Reported incidents of possible fraud, waste and abuse can give rise to administrative, civil or criminal investigations. OIG investigations might also be initiated based on the possibility of wrongdoing by firms or individuals when there is an indication that they are or were involved in activities intended to improperly affect the outcome of a particular agency enforcement action. Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on investigating it.
In conducting criminal investigations during the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including other OIGs, the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the U.S. Secret Service, the U.S. Marshal's Service, the Internal Revenue Service, Capitol Hill Police, as well as state agencies and local police departments. In past years the OIG has also provided assistance to, and worked with, foreign government law enforcement agencies, including the Royal Canadian Mounted Police and the Canada Customs and Revenue Agency.
During this reporting period, the OIG obtained assistance from, and worked on a criminal investigation with, the FBI's Washington Field Office Computer Analysis Resource Team (CART).
During this reporting period the OIG received 35 complaints or allegations of possible wrongdoing. Of these 35 matters, a total of 20 involved issues which the OIG determined were the responsibility of FTC program components. Consequently, the OIG referred these 20 matters to appropriate FTC components for disposition, while one (1) other complaint/allegation was referred to another law enforcement agency for review and/or action.
Of the fourteen (14) remaining complaints/allegations, the OIG closed ten (10) of them after a careful review of the issues involved and/or after conducting preliminary investigative reviews. Based on all complaints/allegations of possible wrongdoing received during this reporting period, the OIG decided to open one (1) criminal investigation. Finally, the OIG continued to monitor three (3) other complaints/allegations that it received during this reporting period with the possibility of opening investigations in the future.
Also during this reporting period, the OIG closed three (3) investigations. The OIG also continued to monitor two (2) other investigations opened in prior reporting periods involving leaks of nonpublic information to the media and the embezzlement of several million dollars by a court-appointed receiver from several receivership estates growing out of FTC enforcement cases.
Following is a summary of the OIG's investigative activities for the six-month period ending September 30, 2001.
During this reporting period, the OIG provided some additional supporting material in a criminal case previously referred to a federal prosecutor in California involving the embezzlement of redress funds by a court-appointed receiver.
Also during this reporting period, the OIG referred a case for consideration of criminal prosecution to a federal prosecutor involving the downloading of pornography using government equipment. As none of the hundreds of images and/or film shorts downloaded on the employee's computer contained child pornography, criminal prosecution was declined and the matter was referred to management for administrative action.
During this period, the OIG issued one investigative alert to FTC management. An investigative alert is an OIG report which stems from an investigation. An OIG investigative alert, unlike an investigation report, does not focus on individual wrongdoing but instead identifies for management specific vulnerabilities or weaknesses in agency programs or operations which the OIG believes contributed to a climate in which the wrongdoing found during an OIG investigation was allowed to continue, or in which checks and balances which would have deterred the wrongdoing were not in place. Like an audit report, an investigative alert can include OIG recommendations.
The investigative alert issued to management this period identified certain internal control weaknesses within FTC's Information and Technology Management Office (ITM). The OIG learned of these internal control weaknesses while conducting interviews in an OIG investigation of alleged wrongdoing by an ITM employee.
Specifically, while conducting the investigation the OIG found: 1) a failure by contract employees assigned to ITM operations to report an FTC policy violation; 2) a failure by an ITM management official to address employee wrongdoing; and 3) a lack of authority on the part of the computer security officer to independently access information needed to quickly identify potential security abuses.
In this case, the OIG found that a number of ITM and contractor employees knew of the ITM employee's wrongdoing yet did nothing. More importantly, a lack of effective internal controls meant that the Chief Information Officer and the ITM computer security officer could not ascertain if a problem existed when attempting to learn what was going on.
As noted previously in this semiannual report, the Executive Director is in the process of finalizing an action plan based on the OIG's recent completion of an ITM security review mandated by GISRA. If the GISRA recommendations are implemented, the OIG believes that they should address the ITM internal control weaknesses identified in the investigative alert. Therefore, the OIG did not make any specific recommendations in the investigative alert.
Congressional Inquiries - The OIG responded to a PCIE/ECIE-wide request from the Chairman, Committee on Government Reform, to summarize OIG efforts in the area of recovery auditing. Recovery auditing is an established business practice whose objective is to identify missed discounts, duplicate payments and other overpayments. The FTC OIG provided the Committee with information about the overpayment of rent totaling $189,200. This finding is detailed in a management letter accompanying the FY 2000 Financial Statement Audit.
Peer Review Activities - Federal offices of inspector general are required by the IG Act to have a peer review performed of their organization once every three years. These reviews are to be performed only by federal auditors. A committee of the Executive Council on Integrity and Efficiency (ECIE) schedules the reviews to ensure that resources are available to perform them and that OIGs do not conduct reviews of one another.
Against this background, the FTC OIG completed a peer review of the OIG at the Peace Corps. The objectives of a peer review are to determine whether an effective internal quality control system has been established in the office and established policies, procedures and applicable government auditing standards are being followed. A final report was prepared and provided to the Peace Corps inspector general.
Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report. Further, Section 5(a)(11) of the Act requires that any decision by management to change a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made on which the IG disagreed, and management did not revise any earlier decision on an OIG audit recommendation.
The IG is to be provided with ready access to all agency records, information or assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report to the agency head, without delay, if the IG believes that access to required information, records or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.
During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.
The OIG can be accessed via the world wide web at www.ftc.gov/oig/oighome.htm. A visitor to the OIG home page can download recent (1996 - 2000) OIG semiannual reports to Congress, the FY 1998, FY 1999 and FY 2000 CFO Act audits and other program and performance audits issued beginning in FY 1999, and can browse through a list of audit reports issued prior to FY 1999 and order them via an e-mail link to the OIG. In addition to this information resource about the OIG, visitors are also provided a link to other federal organizations and offices of inspector general.
As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved. That is, management and the OIG have reached agreement on what actions need to be taken.
Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed legislation or regulations relating to the agency or affecting the operations of the OIG. During this reporting period, the OIG reviewed several bills which were intended to fund Executive Branch agencies and law enforcement activities.
Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste or abuse occurring within FTC programs and operations. The OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees and the public should call the OIG's chief investigator directly on (202) 326-2581. A confidential or anonymous message can be left 24 hours a day.
The OIG is located in room 494 of the FTC Headquarters Building at 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Office hours are from 8:30 a.m. to 6:00 p.m., Monday through Friday, except federal holidays.
|IG Act Reference||Reporting Requirement||Page(s)|
|Section 4(a)(2)||Review of legislation and regulations||14|
|Section 5(a)(1)||Significant problems, abuses and deficiencies||1-4|
|Section 5(a)(2)||Recommendations with respect to significant problems, abuses and deficiencies||4|
|Section 5(a)(3)||Prior significant recommendations on which corrective actions have not been made|
|Section 5(a)(4)||Matters referred to prosecutive authorities||11|
|Section 5(a)(5)||Summary of instances where information was refused||13|
|Section 5(a)(6)||List of audit reports by subject matter, showing dollar value of questioned costs and funds put to better use||1-4|
|Section 5(a)(7)||Summary of each particularly significant report||1|
|Section 5(a)(8)||Statistical tables showing number of reports and dollar value of questioned costs||16|
|Section 5(a)(9)||Statistical tables showing number of reports and dollar value of recommendations that funds be put to better use||17|
|Section 5(a)(10)||Summary of each audit issued before this reporting period for which no management decision was made by the end of the reporting period||13|
|Section 5(a)(11)||Significant revised management decisions||13|
|Section 5(a)(12)||Significant management decisions with which the Inspector General disagrees||13|
INSPECTOR GENERAL ISSUED REPORTS
WITH QUESTIONED COSTS
| ||Number||Dollar Value (Questioned Costs)||Dollar Value (Unsupported Costs)|
|A. For which no management decision has been made by the commencement of the reporting period||0||0||0|
|B. Which were issued during the reporting period||0||0||0|
|Subtotals (A + B)||0||0||0|
|C. For which a management decision was made during the reporting period||0||0||0|
|(i) dollar value of disallowed costs||0||0||0|
|(ii) dollar value of cost not disallowed||0||0||0|
|D. For which no management decision was made by the end of the reporting period||0||0||0|
|Reports for which no management decision was made within six months of issuance||0||0||0|
INSPECTOR GENERAL ISSUED REPORTS
WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE
|A. For which no management decision has been made by the commencement of the reporting period||1||29,359*|
|B. Which were issued during this reporting period||0||0|
|C. For which a management decision was made during the reporting period||1||29,359|
|(i) dollar value of recommendations that were agreed to by management||1||29,359|
|- based on proposed management action||1||29,359|
|- based on proposed legislative action||0||0|
|(ii) dollar value of recommendations that were not agreed to by management||0||0|
|D. For which no management decision has been made by the end of the reporting period||1||29,359|
|Reports for which no management decision was made within six months of issuance||0||0|
*See AR 01-050A (pages 2, 20).
1. The Executive Summary was prepared in conjunction with management and was issued under a separate cover.
2. ITM management told the OIG that agency size and IT staff experience lessen the need for formal documentation as required by OMB A-130. To a large extent the OIG agrees that ITM can efficiently and effectively meet the agency's recurring IT operational needs without the need to document every system and procedure. However, a baseline level of documentation is needed to ensure that the agency maintains its focus on providing adequate security and that the agency is protected from unforeseen events.
3. Personnel separation lists are distributed twice monthly to system administrators to verify that all accounts have been disabled. A cross check against active accounts would identify accounts to terminate.