This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
SECOA Local Area Network
Audit Report No. 243
March 6, 1997
We found that the SECOA network was generally managed and operated effectively. The Office of Information Technology has recently taken steps to improve the network's infrastructure, and further improvements are planned, including a change in operating system.
With client server initiatives being introduced, the Commission will rely even more on the network, increasing risk. We are making several recommendations to help ensure the network's continued effective operation.
The Offices of Information Technology, Administrative and Personnel Management, and the General Counsel provided written comments (attached) on a draft of this report. Generally, they concurred with our findings and recommendations.
OBJECTIVES AND SCOPE
Our objective was to determine whether the SECOA network was effectively managed and operated. We considered the following issues: configuration management, application management, network security, network availability and performance, and administrative management.
During the audit, we interviewed Commission staff; observed conditions in headquarters, the Operations Center, and three regions; reviewed available documentation; and tested management controls. The review was performed from February 1996 to August 1996 in accordance with generally accepted government auditing standards.
BACKGROUND
The SEC Office Automation (SECOA) computer network links all Commission staff, providing electronic mail, word processing, spreadsheets, and mainframe and external access, among other capabilities. SECOA has approximately 50 file servers (computers dedicated to network operations) running a network operating system called Netware.
The Communications and Systems Support Office in the Office of Information Technology (OIT) has primary responsibility for managing and operating the network. Other Commission staff and contractors provide assistance.
AUDIT RESULTS
Currently, the SECOA network is generally managed and operated effectively. For the most part, it meets user needs, and its availability and performance are adequate.
The Office of Information Technology (OIT) has recently taken several steps to improve the network's infrastructure, including upgrading its data carrying capacity, adopting improved telecommunication methods, improving network architecture, and integrating the SECOA and EDGAR networks. It also plans to issue ADP security guidance in phases, including network security. The Commission has reported the lack of such guidance as a material weakness.
With client server initiatives being introduced, the Commission will rely even more on the network in the future, and operational traffic and risks will increase. We have several recommendations, described below, to help ensure the network's continued effective management and operation. Our recommendations should be implemented in a way that avoids adverse effects on the network’s performance.
OIT purchased a software package called Service Center in 1994. The package has not yet been installed because of other priorities. Service Center includes a module for configuration management which would enhance OIT's knowledge of network components, and help control changes to the network.
OIT should install the Service Center software or similar software.
Network diagrams depict the logical relationship of network and communication hardware components. They are used to evaluate network security and changes, and to help diagnose problems.
The diagrams developed by OIT and the Office of Administrative and Personnel Management (OAPM) are not current. Also, they do not record the physical location of the components.
OIT and OAPM should update all network diagrams.
Currently, when users report problems, OIT staff must physically visit the user's room, record the jack number of the network connection, and then locate the corresponding line in the telephone closet. A database recording the work station address (the media access control (MAC) address of the network interface card inside the work station), the user's name and room, and the jack number would eliminate the need to visit the user, saving time.
OIT should develop a database with the user address information discussed above. As users are visited or new computers deployed, address information should be entered into the database.
Commission file servers use versions 3.11 and 3.12 of the Netware operating system. This system contains software components called Netware Loadable Modules (NLMs) that are frequently changed through updates called patches. A similar situation exists for the various software releases installed in routers, hubs, and switch equipment used to support network connectivity.
Different file servers, routers, hubs and switch equipment have different patches, making it difficult to determine what version is in use. Documenting this information would assist in identifying problems and planning for future software upgrades.
OIT should document for each file server, router, hub, and switch equipment the operating system version and patches in use.
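The two records recommended above (work station address to user, room and jack; operating system version and patches per file server, router, hub and switch) can be kept in one small configuration database. The following is an added example written for this report, not OIT's software or the Service Center package; every name, MAC address, device and patch identifier in it is constructed. It shows the lookups the report describes: finding the jack to trace from a user's problem report without a visit, and finding which devices lack a given patch when planning an upgrade. MAC addresses are accepted in the common spellings and stored in one canonical form, since the same address reads differently on a card label, a server screen and a protocol analyzer.

```python
"""Configuration inventory for a Netware-era LAN (added example, not from the report)."""
import re
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 00-A0-24-11-22-33, 00:a0:24:11:22:33, 00a0.2411.2233 or 00A024112233
    and return the canonical lower-case colon form; reject anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class Workstation:
    mac: str      # canonical MAC address of the network interface card
    user: str
    room: str
    jack: str     # wall-jack number, the label traced in the telephone closet


@dataclass
class Device:
    name: str
    kind: str           # "file server", "router", "hub" or "switch"
    os_version: str     # operating system or firmware release in use
    patches: set = field(default_factory=set)


class Inventory:
    def __init__(self):
        self.workstations = {}  # canonical MAC -> Workstation
        self.devices = {}       # device name -> Device

    def add_workstation(self, mac, user, room, jack):
        key = normalize_mac(mac)
        self.workstations[key] = Workstation(key, user, room, jack)

    def add_device(self, name, kind, os_version, patches=()):
        self.devices[name] = Device(name, kind, os_version, set(patches))

    def jacks_for_user(self, user):
        """Problem report from a user: the (room, jack) pairs to trace in the closet,
        read from the database instead of a visit. A user may have several machines."""
        return sorted((w.room, w.jack) for w in self.workstations.values() if w.user == user)

    def workstation_at(self, mac):
        """Look up a machine by the address seen on the wire, in any MAC spelling."""
        return self.workstations.get(normalize_mac(mac))

    def version_summary(self):
        """Number of devices per (kind, OS version): the spread of releases in use."""
        summary = {}
        for d in self.devices.values():
            summary[(d.kind, d.os_version)] = summary.get((d.kind, d.os_version), 0) + 1
        return summary

    def missing_patch(self, patch, kind=None):
        """Devices (optionally of one kind) that do not have a given patch installed."""
        return sorted(d.name for d in self.devices.values()
                      if (kind is None or d.kind == kind) and patch not in d.patches)


def build_sample_inventory():
    """Constructed records; none of these names, addresses or patch ids are real."""
    inv = Inventory()
    inv.add_workstation("00-A0-24-11-22-33", "jsmith", "4012", "J-4012-A")
    inv.add_workstation("00:a0:24:44:55:66", "jsmith", "4012", "J-4012-B")
    inv.add_workstation("00A024778899", "mlee", "4015", "J-4015-A")
    inv.add_device("HQ-FS1", "file server", "Netware 3.12", {"PATCH-A", "PATCH-B"})
    inv.add_device("HQ-FS2", "file server", "Netware 3.11", {"PATCH-A"})
    inv.add_device("RO1-FS1", "file server", "Netware 3.12", {"PATCH-A", "PATCH-B"})
    inv.add_device("HQ-RTR1", "router", "rtr-os 1.0", {"PATCH-A"})
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("jacks for jsmith:", inv.jacks_for_user("jsmith"))
    print("file servers missing PATCH-B:", inv.missing_patch("PATCH-B", "file server"))
    print("releases in use:", inv.version_summary())
```

The address database only stays useful if it is fed at every visit and every deployment, as the recommendation says; the lookup by address in any spelling is there so that an entry made from a card label and a later check from a server screen refer to the same record.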
We observed many equipment racks in telephone closets that were not securely fastened, both in headquarters and the regions. Insecure racks could allow damage to equipment, or disruptions in service because of rack movement.
Some equipment racks in headquarters left little room to access telephone wires (patch panels). Someone could inadvertently disconnect wires, disrupting service.
OIT and OAPM should secure equipment racks and provide adequate access to telephone patch panels.
Software License Tracking
Currently, the Commission does not maintain a database to track software licenses purchased. A database would help ensure compliance with copyrights. It would also assist in purchasing decisions and in obtaining favorable rates for software upgrades.
The Office of Information Technology should track software licenses purchased, including the software name, release version, quantity, and price, and purchase order number.
The Commission does not have a policy governing use of copyrighted software (to prevent unauthorized copying and violation of the copyright laws). The policy would be provided to users. The Appendix includes the Department of Commerce’s copyrighted software policy, as well as modified excerpts from the Software Publishers Association’s software policies.
In addition, OIT does not use automated tools to inventory software on file servers and work stations. These tools would help detect unauthorized copies of software.
The Office of the Executive Director, in consultation with the Offices of Information Technology and the General Counsel, should develop a policy for copyrighted software, and distribute it to users.
The Office of Information Technology should consider using automated tools to inventory software on file servers and work stations.
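The license database recommended above is only half of the copyright control; the other half is comparing it with what the automated inventory tools find installed. The following is an added example, not OIT's code or any vendor's inventory product: it takes license records with the fields the report lists (name, release version, quantity, price, purchase order) and inventory rows of the form (host, product, version), and reports products installed on more machines than seats purchased, products with no license record at all, and seats bought but never deployed, which is the information needed for purchasing decisions. Products, prices, purchase orders and host names are all constructed. Two details matter in practice and are handled: several purchase orders for the same product are added together, and a host scanned twice is counted once.

```python
"""License compliance check (added example, not from the report)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    name: str
    version: str
    quantity: int          # seats bought on this purchase order
    price: float
    purchase_order: str


def licensed_seats(licenses):
    """Seats per (name, version); several purchase orders may cover one product."""
    seats = Counter()
    for lic in licenses:
        seats[(lic.name.lower(), lic.version)] += lic.quantity
    return seats


def installed_seats(inventory):
    """inventory: (host, product name, version) rows as an inventory tool would report.
    A product is counted once per host, so scanning a host twice does not inflate the count."""
    seen = {(host, name.lower(), version) for host, name, version in inventory}
    seats = Counter()
    for _host, name, version in seen:
        seats[(name, version)] += 1
    return seats


def compliance_report(licenses, inventory):
    """Compare what is installed with what is licensed.
    over_deployed: installed on more hosts than seats bought -> (installed, licensed)
    unlicensed:    installed with no license record at all  -> installed count
    unused:        seats bought but found on no host        -> licensed count"""
    lic = licensed_seats(licenses)
    inst = installed_seats(inventory)
    report = {"over_deployed": {}, "unlicensed": {}, "unused": {}}
    for key, n in inst.items():
        if key not in lic:
            report["unlicensed"][key] = n
        elif n > lic[key]:
            report["over_deployed"][key] = (n, lic[key])
    for key, n in lic.items():
        if key not in inst:
            report["unused"][key] = n
    return report


# Constructed records: product names, prices, purchase orders and hosts are invented.
SAMPLE_LICENSES = [
    License("WordPro", "2.0", 5, 149.00, "PO-0001"),
    License("WordPro", "2.0", 2, 149.00, "PO-0007"),   # second purchase of the same product
    License("SheetCalc", "1.1", 3, 99.00, "PO-0002"),
    License("DrawIt", "4.0", 2, 250.00, "PO-0003"),
]
SAMPLE_INVENTORY = (
    [(f"WS-{n}", "WordPro", "2.0") for n in range(4012, 4020)]          # 8 hosts, 7 seats
    + [("WS-4012", "SheetCalc", "1.1"), ("WS-4012", "sheetcalc", "1.1")]  # same host scanned twice
    + [("WS-4015", "GameX", "1.0")]                                      # no license record
)


if __name__ == "__main__":
    for section, items in compliance_report(SAMPLE_LICENSES, SAMPLE_INVENTORY).items():
        print(section, items)
```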
Security Plans and Authorizations
Under OMB Circular A-130, agencies are required to develop security plans for their systems. The plans identify the nature and extent of sensitive information; the administrative and technical approaches to protecting this information; responsibilities for security; and plans for improvement. Also, agencies must formally authorize use of the systems every three years, based on a finding that controls are in place and effective.
OIT has not yet developed security plans or authorized system use.
OIT should develop security plans and authorize system use in compliance with OMB Circular A-130.
Network Security Features
The network's operating system (Netware) has certain security settings which are not currently implemented. Changing these settings as explained below would enhance security.
File servers can be controlled by a master console that includes a keyboard and video monitor. The "Monitor" lock feature, if implemented, would prevent keyboard entries until a password was entered.
File servers can also be controlled by a remote console. Currently, remote consoles can access the file server through a shared password that has not been changed in at least a year.
The "Secure Console" feature would restrict system software programs (Netware Loadable Modules) to authorized sub-directories. This feature would help prevent the running of unauthorized programs. It would also prevent unauthorized entry to the operating system debugger, which can be used to modify the network operating system.
OIT should implement the "Monitor" lock feature for all file servers.
OIT should change the password for console remote access periodically. It should consider not using a shared password.
OIT should implement the "Secure Console" feature for all file servers.
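Two of the three settings above can be verified from a copy of each server's AUTOEXEC.NCF, the command file Netware runs at start-up: whether SECURE CONSOLE is issued, and whether the remote console module is loaded with its password written in clear text on the LOAD REMOTE line (the "Monitor" lock is set interactively inside MONITOR and does not appear in this file, so it has to be confirmed at the console). The following checker is an added example, not OIT's procedure or Novell's software; the sample start-up file, server name, network numbers and password in it are constructed. It reports the findings for one server and the corresponding actions from the recommendations above.

```python
"""Console-security check for a Netware 3.x file server (added example, not from the report)."""


def parse_ncf(text):
    """Yield (COMMAND, [args]) for each non-blank, non-comment line of an NCF file.
    Netware start-up files treat '#' as a comment marker and commands are case-insensitive."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0].upper(), parts[1:]


def module_name(arg):
    """'SYS:SYSTEM\\REMOTE.NLM' -> 'REMOTE': strip any path and the .NLM suffix."""
    name = arg.upper().replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".NLM") else name


def check_console_security(ncf_text):
    """Findings for one server's AUTOEXEC.NCF.
    The Monitor lock is not recorded in this file and is not checked here."""
    findings = {
        "secure_console": False,           # SECURE CONSOLE is issued at start-up
        "remote_loaded": False,            # the remote console module REMOTE is loaded
        "remote_password_in_file": False,  # LOAD REMOTE <password>: password in clear text
        "rspx_loaded": False,              # RSPX, the LAN transport REMOTE uses
    }
    for cmd, args in parse_ncf(ncf_text):
        if cmd == "SECURE" and args and args[0].upper() == "CONSOLE":
            findings["secure_console"] = True
        elif cmd == "LOAD" and args:
            module = module_name(args[0])
            if module == "REMOTE":
                findings["remote_loaded"] = True
                findings["remote_password_in_file"] = len(args) > 1
            elif module == "RSPX":
                findings["rspx_loaded"] = True
    return findings


def recommendations(findings):
    """Turn the findings into the actions the audit recommends for this server."""
    actions = []
    if not findings["secure_console"]:
        actions.append("issue SECURE CONSOLE at start-up (add it to AUTOEXEC.NCF)")
    if findings["remote_loaded"] and findings["remote_password_in_file"]:
        actions.append("remote console password is in clear text on the LOAD REMOTE line; "
                       "change it periodically and do not share one password across servers")
    return actions


# Constructed AUTOEXEC.NCF: the server name, network numbers and password are invented.
SAMPLE_NCF = """\
# AUTOEXEC.NCF - constructed example, not an SEC file
file server name HQ-FS1
ipx internal net 0000ABCD
load SYS:SYSTEM\\NE2000 port=300 int=3 frame=ETHERNET_802.2
bind IPX to NE2000 net=00000100
load remote changeme     # one shared password, unchanged for a year
load rspx
load monitor
"""
HARDENED_NCF = SAMPLE_NCF + "secure console\n"


if __name__ == "__main__":
    for label, text in (("as found", SAMPLE_NCF), ("with SECURE CONSOLE", HARDENED_NCF)):
        print(label, check_console_security(text), recommendations(check_console_security(text)))
```

Run over the start-up file of every file server, the checker gives a per-server list that can be closed out and re-run after the change; the remote console password itself still has to be changed on a schedule, which no file check can confirm.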
Network Wall Jacks
We found several active wall jacks in public areas. A visitor could use these jacks, which allow computer equipment to attach to the network, for unauthorized monitoring and capture of Commission data.
OIT deactivated the wall jacks we identified. It needs to ensure, however, that no jacks are still active in public areas when not in use.
OIT should identify all wall jacks in public areas, and confirm that they have been deactivated when not in use.
Security software program
The Netware operating system contains a security software program. This program identifies user accounts with insecure or missing passwords or excessive access rights, as well as absent log-in scripts.
OIT has run this program infrequently. At our request, two regions ran the program and identified a number of potential security problems, as outlined above. Subsequently, OIT indicated that it re-ran the program on all SECOA file servers.
OIT should ensure the security program is run periodically. It should document the justification for any specific potential weaknesses that are not corrected (e.g., considered immaterial).
Thirteen people, including one contractor, have supervisory access to the network. OIT indicated that operational demands require this many people to have supervisory privileges.
However, because this access level is unrestricted, it is normally granted to only two or three people.
OIT plans to deploy a new network operating system within the next two years. This operating system will have the capability to record supervisor activities, which would mitigate the security risk.
OIT should record supervisor activities after the new operating system is deployed.
OIT should periodically reevaluate the need for individuals to have supervisor access.
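The two recommendations above, running the security program periodically with a written reason for each weakness left uncorrected, and periodically reevaluating who holds supervisor access, come down to the same account review. The following is an added example of that review, not OIT's procedure and not Novell's own security utility: it runs the kinds of checks the report attributes to that program (accounts with no or short passwords, passwords that never expire, no login script, security equivalence to SUPERVISOR) over a constructed account export, lists all supervisor-equivalent accounts against the "two to three people" norm, and carries an accepted-findings list so that a flagged item left as is appears in the report with its justification rather than silently. The account records and field names are this example's own; the minimum password length is an assumed local standard.

```python
"""Periodic account review for Netware file servers (added example, not from the report)."""
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8        # assumed local standard, not a Netware default
MAX_SUPERVISOR_ACCOUNTS = 3    # "only two to three people" per the audit


@dataclass
class Account:
    name: str
    server: str
    has_password: bool
    password_length: int
    password_expires: bool
    has_login_script: bool
    supervisor_equivalent: bool   # security equivalence to SUPERVISOR: unrestricted access


@dataclass
class Accepted:
    """A flagged item management has decided not to correct, with the written reason."""
    account: str
    check: str
    justification: str


def weaknesses(acct):
    """The checks one account fails, named as they will appear in the report."""
    found = []
    if not acct.has_password:
        found.append("no password")
    elif acct.password_length < MIN_PASSWORD_LENGTH:
        found.append("short password")
    if not acct.password_expires:
        found.append("password never expires")
    if not acct.has_login_script:
        found.append("no login script")
    if acct.supervisor_equivalent:
        found.append("supervisor equivalent")
    return found


def review_accounts(accounts, accepted=()):
    """Return (open_findings, accepted_findings, supervisors).
    open_findings:     (server, account, check) still to be corrected
    accepted_findings: (server, account, check, justification) left as is, with the reason
    supervisors:       sorted names of all supervisor-equivalent accounts"""
    reasons = {(a.account, a.check): a.justification for a in accepted}
    open_findings, accepted_findings = [], []
    for acct in accounts:
        for check in weaknesses(acct):
            key = (acct.name, check)
            if key in reasons:
                accepted_findings.append((acct.server, acct.name, check, reasons[key]))
            else:
                open_findings.append((acct.server, acct.name, check))
    supervisors = sorted({a.name for a in accounts if a.supervisor_equivalent})
    return open_findings, accepted_findings, supervisors


def supervisor_count_exceeded(supervisors):
    """True when more accounts hold unrestricted access than the norm allows."""
    return len(supervisors) > MAX_SUPERVISOR_ACCOUNTS


# Constructed export: names, servers and settings are invented.
SAMPLE_ACCOUNTS = [
    Account("SUPERVISOR", "HQ-FS1", True, 12, True, True, True),
    Account("GUEST", "HQ-FS1", False, 0, False, False, False),
    Account("jsmith", "HQ-FS1", True, 6, True, True, False),
    Account("backupop", "HQ-FS1", True, 14, False, True, True),
    Account("rdoe", "HQ-FS1", True, 10, True, True, True),
    Account("ctr_vendor", "RO1-FS1", True, 10, True, True, True),   # contractor account
    Account("mlee", "RO1-FS1", True, 9, True, False, False),
]
SAMPLE_ACCEPTED = [
    Accepted("backupop", "password never expires",
             "unattended nightly backup account; password changed manually each quarter"),
]


if __name__ == "__main__":
    open_items, accepted_items, supers = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ACCEPTED)
    print("open:", open_items)
    print("accepted with justification:", accepted_items)
    print("supervisor-equivalent accounts:", supers,
          "(exceeds norm)" if supervisor_count_exceeded(supers) else "")
```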
The telephone closets also contain network wiring and equipment. Any inadvertent or deliberate destruction of this wiring or equipment would disrupt portions of the network.
Currently, entry to the headquarters closets is through keys, which can be duplicated. Entry is supposed to be documented in a log (SEC Administrative Regulation 8-1, item C), but this procedure is not generally being followed. We found that some wire closets did not have logs, while logs in others were not used recently.
A proximity card system to control access to the headquarters telephone closets would improve security. This system is currently used in the Operations Center.
OIT should consider installing a proximity card system in the telephone wire closets.
After a period of inactivity, users are normally required to re-enter their passwords to remain on a network. This procedure helps prevent unauthorized use of an unattended computer.
Currently, the Commission's network does not require password re-entry. Since the network operating system is scheduled for replacement, this security procedure could be implemented in the new system.
OIT should require password re-entry on inactive computers when the new network operating system is installed.
Network Availability and Performance
OIT has not tested the network disaster recovery plan since 1994. That test only simulated a disaster at headquarters. Disaster recovery plans should be tested periodically to ensure they are still workable.
OIT should test the network disaster recovery plan at least annually. The test should simulate disasters at headquarters, the Operations Center and regional offices.
Performance and Capacity Measurement
OIT has not established criteria or installed software to measure network performance and capacity, including memory, disk, and CPU utilization, and communication throughput. Performance and capacity measures would help OIT anticipate future problems and identify trends.
OIT should establish criteria and install software to measure network performance and capacity.
Within the next two years, OIT intends to deploy a new network operating system, Windows NT Server. The conversion will require careful planning to ensure its success.
OIT should prepare a conversion plan for the migration to Windows NT Server.
Policies and Procedures
Policies and procedures governing network operations are out of date and incomplete. Also, they were not issued through the Commission's administrative regulation system or signed by OIT management, lessening their availability and authority.
Current network guidance consists of the LAN administrators manual; Office automation system manual; File server installation procedures; Regional operating procedure manual; and File server documentation procedures. We understand that the Communications and Systems Support Office within OIT is currently developing written guidance for the network.
The Office of Information Technology should issue complete and up-to-date guidance on network operations. Appropriate guidance should be issued as an administrative regulation.
The regions periodically submit file server back-up tapes to OIT for off-site storage. OIT does not maintain a log recording receipt of the tapes, nor does it acknowledge receipt to the regions. A lost or missing tape would only be noticed when the tape was needed to restore data.
OIT should record receipt of back-up tapes in a log, and send an acknowledgment to the region. It should ask the regions to notify it if they do not receive an acknowledgment for a tape.
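The receipt log and acknowledgment above close a gap in which a lost tape is noticed only at restore time. The following is an added example of such a log, not OIT's procedure: the region records each tape shipped, OIT records each tape received and the acknowledgment sent, and a reconciliation lists tapes shipped but not received within an allowed transit time, tapes received that no region reported shipping, and tapes received but never acknowledged, grouped so that each region can be asked about its own tapes. Regions, tape labels, dates and the seven-day transit allowance are constructed assumptions.

```python
"""Back-up tape receipt log with reconciliation (added example, not from the report)."""
from datetime import date, timedelta

TRANSIT_ALLOWANCE = timedelta(days=7)  # assumed: not received a week after shipping is overdue


class TapeLog:
    def __init__(self):
        self.shipped = {}       # tape label -> (region, date shipped), from the region's notice
        self.received = {}      # tape label -> date logged in at OIT
        self.acknowledged = {}  # tape label -> date acknowledgment sent to the region

    def ship(self, label, region, when):
        if label in self.shipped:
            raise ValueError(f"duplicate tape label {label!r}")
        self.shipped[label] = (region, when)

    def receive(self, label, when):
        self.received[label] = when

    def acknowledge(self, label, when):
        if label not in self.received:
            raise ValueError(f"cannot acknowledge {label!r}: not logged as received")
        self.acknowledged[label] = when

    def reconcile(self, today):
        """Tape labels needing follow-up, each list sorted."""
        overdue = sorted(label for label, (_region, shipped) in self.shipped.items()
                         if label not in self.received and today - shipped > TRANSIT_ALLOWANCE)
        unexpected = sorted(label for label in self.received if label not in self.shipped)
        unacknowledged = sorted(label for label in self.received if label not in self.acknowledged)
        return {"overdue": overdue, "unexpected": unexpected, "unacknowledged": unacknowledged}

    def overdue_by_region(self, today):
        """Overdue tapes grouped by region: the query OIT would send each region."""
        grouped = {}
        for label in self.reconcile(today)["overdue"]:
            region = self.shipped[label][0]
            grouped.setdefault(region, []).append(label)
        return grouped


def build_sample_log():
    """Constructed shipping and receipt records; regions and labels are invented."""
    log = TapeLog()
    log.ship("RA-960801", "Region A", date(1996, 8, 1))
    log.receive("RA-960801", date(1996, 8, 5))
    log.acknowledge("RA-960801", date(1996, 8, 5))        # the normal case
    log.ship("RA-960808", "Region A", date(1996, 8, 8))
    log.receive("RA-960808", date(1996, 8, 12))           # received, acknowledgment never sent
    log.ship("RB-960809", "Region B", date(1996, 8, 9))   # never arrived
    log.ship("RC-960814", "Region C", date(1996, 8, 14))  # still within the transit allowance
    log.receive("RD-960810", date(1996, 8, 13))           # arrived with no shipping notice
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.reconcile(date(1996, 8, 19)))
    print(log.overdue_by_region(date(1996, 8, 19)))
```

Because the region's shipping notice and OIT's receipt entry are recorded separately, the reconciliation catches a loss in either direction: a tape that left the region and never arrived, and a tape that arrived without anyone having said it was sent.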
Currently, incidents of viruses affecting network computers are not tracked. The number, severity, and location of these incidents are consequently unknown.
Tracking virus incidents would help determine possible sources of infection and appropriate counter-measures; the effectiveness of virus scanning software; the resources used to address virus incidents; and the risks viruses pose to the Commission.
OIT should track and analyze virus incidents.
Examples of Policies on Copyrighted Software
U. S. DEPARTMENT OF COMMERCE
COPYRIGHTED SOFTWARE POLICY
Title 17, United States Code, Section 106 gives copyright owners exclusive rights to reproduce and distribute their material, and Section 504 states that copyright infringers can be held liable for damages to the copyright owner.
Title 18, United States Code provides felony penalties for software copyright infringement.
It is the responsibility of each DOC employee and Supervisor to protect the government's interests as they perform their duties. This includes responsibility for assuring that commercial software, acquired by the government, is used only in accordance with licensing agreements. Likewise, it is also their responsibility to assure that any proprietary software is properly licensed before being installed on DOC equipment. This policy does not apply to software developed by or for a federal agency and no restrictions apply to its use or distribution within the federal government.
Supervisors will ensure that the following requirements are made known to all employees and will be held accountable for conducting periodic audits to ensure that these policies are being followed:
1. Install only commercial software, including shareware, that has been purchased through the government procurement process on DOC systems;
2. Follow all provisions of the license agreements issued with the software and register organizational ownership;
3. Do not make any illegal copies of copyrighted software. Normally the license will allow a single copy to be made for archival purposes. If the license is for multiple users, do not exceed the authorized number of copies;
4. At least annually, an inventory of all software on each individual PC will be audited against the organization's license agreement records to ensure that no illegal copies of commercial software are installed on any equipment.
5. Maintain written records of software installed on each machine and ensure that a license or other proof of ownership is on file for each piece of software;
6. Store licenses, software manuals and procurement documentation in a secure location (i.e., closed file cabinet, etc.);
7. When upgrades to software are purchased, the old version should be disposed of in accordance with the licensing agreement to avoid a potential violation. Upgraded software is considered a continuation of the original license, not an additional license;
8. Some government owned software licenses do allow employees to take copies home for use on their personally owned computers under specific circumstances (e.g., for government work but not personal business). Unless the license specifically states that employees may take copies of software home for installation on home computers, doing so is a violation of the copyright law and the individual will be liable.
9. All illegal copies of software will be deleted immediately. All organizations must acquire special purpose software to inventory and document all software on all PCs belonging to the organization. This special purpose software may be a commercial product or the organization may acquire free software produced by the Software Publishers Association for this purpose from their operating unit ITSO. Individual employees should be discouraged from installing their personally owned software on government equipment. If it is in the best interest of the DOC organization to allow personally owned software, authorization must be granted in writing by the immediate supervisor, showing the justification. Prior to authorization, the employee must provide the software license and give assurance that copyright infringement will not occur from installation on government equipment. Employees not following these procedures shall be held personally liable for any violations of the copyright laws and subject to the penalties contained in Title 17 and Title 18 of the United States Code.
Examples based on excerpts from the Software Publishers Association.
Policy on Computer Software Copying
Any duplication of copyrighted software, except for copying onto a single computer and the making of one backup copy, is a violation of the U.S. Copyright Act unless the applicable license agreement expressly authorizes additional duplication. Copyright infringement can subject the infringer to substantial civil damages and, if the infringement was done willfully and for purposes of commercial advantage or private financial gain, to a substantial criminal fine and prison term.
The Commission will not tolerate the unauthorized duplication of computer software by any employee, nor will it tolerate the providing of such software to outside third parties. Employees who engage in such activities are subject to disciplinary action, up to and including removal. The Commission must enforce a strict policy on software use in order to avoid liability to the copyright owner.
Any Commission employee who wants or needs to use Commission software at home should first consult with their ADP Liaison or the Office of Information Technology to determine if the applicable license agreement permits duplication for such a purpose.
- - - - - - - - - - -
Policy Regarding Use of Software
1. The Commission licenses the use of computer software from a variety of outside sources. The Commission does not own this software or its related documentation and, unless authorized by the applicable license agreement, has no right to duplicate the software other than to copy it onto a single computer and to make a single backup copy.
2. Any duplication of copyrighted software, except for copying onto a single computer and the making of one backup copy, is a violation of the U.S. Copyright Act unless the applicable license agreement expressly authorizes additional duplication. Copyright infringement can subject the infringer to substantial civil damages and, if the infringement was done willfully and for purposes of commercial advantage or private financial gain, to a substantial criminal fine and prison term.
3. The Commission will not tolerate the unauthorized duplication of computer software by any employee, nor will it tolerate the providing of such software to outside third parties. Employees who engage in such activities are subject to disciplinary action, up to and including removal. The Commission must enforce a strict policy on software use in order to avoid liability to the copyright owner.
4. With regard to use on local area networks or on multiple machines, Commission employees will use the software only in accordance with the applicable license agreement.
5. Any Commission employee who wants or needs to use Commission software at home should first consult with their ADP Liaison or the Office of Information Technology to determine if the applicable license agreement permits duplication for such a purpose.
6. Commission employees learning of any misuse of software or related documentation within the agency shall notify their division director or office head, as well as the Office of Inspector General.
I have read and understand the foregoing software protection policies of the Commission and I agree to abide by those policies.
Employee name (print)