Parts of the report were redacted, indicated by x’s below.
Executive Summary:
The Office of Inspector General (OIG) performed a review of the Department of Education’s (Department) external web sites. This audit was conducted in accordance with the Federal Information Security Management Act (FISMA) as enacted by Title III of the E-Government Act of 2002, Public Law 107-347, and the Privacy Act of 1974. Specifically, we assessed whether information technology (IT) security controls were in place to protect Department resources in the areas of incident handling, security awareness and training, and Privacy Act compliance. FISMA requires the OIG to perform independent evaluations and testing of the effectiveness of information security control techniques and to provide an assessment of the Department’s compliance.
Based on our review, the Department’s Chief Information Officer (CIO) must improve security controls over the incident response and handling program and accelerate two-factor authentication for protecting Privacy Act information to adequately protect the confidentiality, integrity, and availability of the personally identifiable information (PII) data residing on public web sites. During our audit, we also identified significant conditions related to the work performed regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and public domain web site establishment and maintenance
Incident Handling
• The Department did not have an effective incident response and handling program. The Department’s CIO: (a) did not provide sufficient security awareness to Department users regarding xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; (b) provided conflicting guidance regarding incident response reporting procedures; and (c) did not properly oversee the Department’s Customer Service staff. The Department has a responsibility to implement all precautions to protect all vital PII data residing on the Department’s network. Compromise of this data would cause substantial harm and embarrassment to the Department and may lead to identity theft or other fraudulent use of the information.
Two-Factor Authentication
• The Department’s CIO did not implement two-factor authentication or other effective compensating controls commensurate with the risk and magnitude of harm resulting from a Department data compromise. Specifically, using information from two public web sites, we were able to use xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx techniques to remotely obtain access to sensitive Department information and PII. If sensitive Department information and PII data are compromised, the Department could suffer substantial embarrassment and that compromise may lead to fraudulent misuse of the information.
XXX Configuration
• The Department did not configure the xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Our tests demonstrated that unauthorized access to the system through xxxxxxxxxxxxxxxx attacks could provide a potential malicious attacker with the capability of exploiting systems, deleting and/or modifying sensitive data, and causing serious harm to Department information. Users with malicious intent could gain access to the xxxxx xxxxxxxxxxxxxxxxxxxxx for email spoofing, social engineering, and other possible malicious attacks.
Public Domain Web Sites
• The Department did not properly establish and maintain public domain web sites. Specifically, the Department did not: (a) properly track, update, and verify a directory of public web sites; (b) properly control internet protocol address assignment; (c) properly issue and administer web site certificates; (d) properly monitor public domain web sites; and (e) use approved domain names. The Department’s CIO has the overall responsibility to implement all precautions to protect Department data residing on public domain web sites. Additionally, the public has the right to assume that web sites hosted or provided by the Department are valid and trusted. It is essential that the Department validate its public web sites and adequately protect the confidentiality, integrity, and availability of the PII data residing on public web sites.
In response to our draft report, the Department thanked the OIG for the opportunity to provide comments for this audit report. The Department also stated it concurred, as of the start date of this audit, with the findings and recommendations identified. In response to our system security review, management stated that corrective action plans for the weaknesses will be finalized through the Department’s normal audit resolution process. xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ED-OIG/A11I0006, June 10, 2009