Report Contents
What Was Audited
The Department of State (Department) uses a variety of IT systems to execute its global mission. Configuration change control ensures that unnecessary changes to IT systems, or changes that could introduce security weaknesses, are prevented. A system change could be as minor as adding a new type of printer or as significant as deploying an entirely new application. Enterprise-wide change requests are required to go through a review process led by the Department’s Information Technology Configuration Control Board (IT CCB).
Acting on behalf of the Office of Inspector General (OIG), Kearney & Company, P.C. (Kearney), an independent public accounting firm, conducted this audit to determine whether the Department’s enterprise-wide IT CCB authorized and tested change requests for the Department’s systems in accordance with Federal requirements and Department policies and met its internal deadlines for processing change requests.
What OIG Recommends
OIG made 17 recommendations to the Bureau of Information Resource Management (IRM) to improve the Department’s review process for change requests submitted to the IT CCB. On the basis of IRM’s response to a draft of this report, OIG considers 15 recommendations resolved, pending further action, and 2 recommendations unresolved. A synopsis of IRM’s response to each recommendation and OIG’s reply follows each recommendation in the Audit Results section of this report. IRM’s response to a draft of this report is reprinted in its entirety in Appendix C.
What Was Found
Kearney found the Department’s IT CCB did not authorize or test change requests in compliance with Federal requirements and Department policy. Specifically, Kearney found that change requests were not sufficiently authorized at every stage of the review process and change requests were not tested as required. For example, Kearney found that different categories of reviewing officials are not required to approve all change requests and do not always approve them before they move forward in the process. The IT CCB process is deficient in part because IRM has not implemented sufficient program management to execute the IT CCB process. In addition, the IT CCB process is not adequately designed to support the review of change requests. Furthermore, Kearney found deficiencies in the manner in which Technical Reviewers and Voters are appointed, as well as with IT CCB policies and procedures, the database used by the IT CCB to track change requests, and training. As a result of unauthorized and untested change requests, the Department’s network, applications, and software are put at risk because of an inconsistently applied and controlled configuration control process.
Kearney found that the Department was unable to meet its internal deadlines for processing more than half the change requests tested that were submitted through the IT CCB process. Untimeliness occurred at every phase of the process. One reason that the IT CCB did not always meet its timeliness metrics was that it has not developed and implemented sufficient monitoring procedures. In addition, Kearney found that, although the IT CCB had established deadlines for the different stages of the change request review process, it did not have a method to track whether these metrics were accomplished. Kearney also found inaccurate data in the database used to track change requests, which makes monitoring more difficult. Also, the IT CCB did not have sufficient policies and procedures in place. As a result of untimely processing of change requests, the Department could be exposed to network vulnerabilities.
Report Recommendations
Recommendation 1: OIG recommends that the Bureau of Information Resource Management develop and implement a detailed program plan for the Information Technology Configuration Control Board process that includes clear goals and attainable objectives and defines areas of authority and responsibility.
Recommendation 2: OIG recommends that the Bureau of Information Resource Management develop and implement a process to establish and periodically update a list of system, product, or software owners who will be authorized to make change requests for their system, product, or software. The list should be made available to users and members of the Information Technology Configuration Control Board through the Information Technology Configuration Control Board website or the applicable policies and procedures outlined in Recommendation 12.
Recommendation 3: OIG recommends that the Bureau of Information Resource Management determine what documentation is needed to support a change request and modify the policies and procedures outlined in Recommendation 12, or other guidance provided to change request submitters such as the Submitter’s Guide, to reflect the documentation that is required for a complete and accurate change request submission.
Recommendation 4: OIG recommends that the Bureau of Information Resource Management develop and implement guidance for change requests that requires and includes: (a) minimum testing standards for change requests, (b) instructions that testing be performed in advance of the change request being submitted and that the testing documentation be submitted as part of the change request process, and (c) a clearly defined technical review of the submitted testing documentation to verify that it complies with the minimum standards.
Recommendation 5: OIG recommends that the Bureau of Information Resource Management remove the default proceed ability for Technical Reviewers in the Virtual Information Technology Configuration Control Board application.
Recommendation 6: OIG recommends that the Bureau of Information Resource Management formally notify all Technical Reviewers that default proceeds are no longer allowed and that all Technical Reviewers must review all change requests and either approve, stop, or reject each change request. The policies and procedures outlined in Recommendation 12, or other guidance, should be updated to reflect this change to the process.
Recommendation 7: OIG recommends that the Bureau of Information Resource Management develop and implement a quality assurance assessment process for all change requests going through the enterprise-wide Information Technology Configuration Control Board. At a minimum, the quality assurance process should include periodic evaluation of open “stops,” reviews to ensure retention of all relevant documentation, and a final check, before a change is added to the baseline, to ensure that all pertinent process controls occurred.
Recommendation 8: OIG recommends that the Bureau of Information Resource Management verify, no later than 30 days after the final issuance of this report, that all Technical Reviewers and Voters who participate in the Information Technology Configuration Control Board process are formally appointed.
Recommendation 9: OIG recommends that the Bureau of Information Resource Management develop and implement a process to formally appoint new Technical Reviewers and Voters who participate in the Information Technology Configuration Control Board process.
Recommendation 10: OIG recommends that the Bureau of Information Resource Management define the roles, responsibilities, and technical skillsets for each technical review and voting area and develop and implement a vetting process to verify that Technical Reviewers and Voters have the knowledge, skills, and abilities to perform their assigned duties related to the Information Technology Configuration Control Board process.
Recommendation 11: OIG recommends that the Bureau of Information Resource Management develop and implement a process to verify that Technical Reviewers and Voters have formally appointed alternates.
Recommendation 12: OIG recommends that the Bureau of Information Resource Management develop and implement complete and consistent policies and procedures and supplemental guidance, such as a Submitter’s Guide, for the Information Technology Configuration Control Board process. The policies, procedures, and guidance should, at a minimum, include guidance on roles and responsibilities, detailed procedure steps for submitters, minimum testing requirements, instructions on how Technical Reviewers and Voters should conduct their review, the appropriate use of “stops,” and established timelines for the process.
Recommendation 13: OIG recommends that the Bureau of Information Resource Management develop and implement a process to periodically review and validate the accuracy and completeness of the data in the Virtual Information Technology Configuration Control Board database and to correct data integrity issues, omissions, and inaccuracies that exist between the new and old databases, as well as any identified going forward. As part of this effort, the Bureau of Information Resource Management should ensure that the old database is available solely as a read-only reference resource and that new data cannot be entered into that database.
Recommendation 14: OIG recommends that the Bureau of Information Resource Management develop and implement required, periodic training for Information Technology Configuration Control Board management and personnel, Bureau Sponsors, Technical Reviewers, Voters, and change request submitters involved in the Information Technology Configuration Control Board process.
Recommendation 15: OIG recommends that the Bureau of Information Resource Management develop and implement a formal process to (a) monitor the status of all change requests throughout each stage of the change request process and (b) notify stakeholders when a request is nearing its deadline or when an event occurs that may affect the deadline for a change request.
Recommendation 16: OIG recommends that the Bureau of Information Resource Management develop and implement policies and procedures to hold officials accountable for failure to meet established deadlines in the Information Technology Configuration Control Board change request process. Once completed, the policies, procedures, and supplemental guidance discussed in Recommendation 12 should be updated.
Recommendation 17: OIG recommends that the Bureau of Information Resource Management develop and implement a formal process to periodically gather, assess, and report on its change request review process timeliness metrics and to make those results available to its stakeholders and customers in addition to appropriate bureau officials.
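Several of the recommendations above describe controls that a change-control workflow can enforce mechanically: only listed owners may submit (Recommendation 2), testing evidence must accompany the submission (Recommendation 4), every Technical Reviewer must record an explicit decision with no default proceed (Recommendations 5 and 6), and each stage is monitored against its deadline with stakeholders warned as it approaches (Recommendation 15). The following Python model is an added illustration of how those gates fit together; it is not the Department’s Virtual IT CCB application or any code from the report, and the system names, owners, review areas, deadlines and the 80 percent warning threshold are constructed for the example.

```python
"""Illustrative change-request gate and timeliness monitor (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    STOP = "stop"
    REJECT = "reject"


# Constructed sample policy data; a real board would load these from its records.
AUTHORIZED_OWNERS = {"enterprise-mail": "alice", "print-services": "bob"}
REQUIRED_REVIEW_AREAS = ("security", "network", "applications")
STAGE_DEADLINES = {"technical_review": timedelta(days=5), "vote": timedelta(days=3)}
WARN_FRACTION = 0.8  # warn once 80% of a stage's allotted time has elapsed


@dataclass
class ChangeRequest:
    cr_id: str
    system: str
    submitter: str
    submitted_at: datetime
    has_test_evidence: bool
    stage: str = "technical_review"
    stage_entered_at: datetime = None
    # One explicit decision per review area; a missing entry is never treated as approval.
    decisions: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.stage_entered_at is None:
            self.stage_entered_at = self.submitted_at


def submit(cr_id, system, submitter, submitted_at, has_test_evidence):
    """Accept a request only from the listed owner and only with testing evidence attached."""
    if AUTHORIZED_OWNERS.get(system) != submitter:
        raise PermissionError(f"{submitter} is not the authorized owner of {system}")
    if not has_test_evidence:
        raise ValueError("testing documentation must accompany the submission")
    return ChangeRequest(cr_id, system, submitter, submitted_at, has_test_evidence)


def record_decision(cr, area, decision):
    """Store a Technical Reviewer's explicit decision for one review area."""
    if area not in REQUIRED_REVIEW_AREAS:
        raise ValueError(f"unknown review area {area!r}")
    cr.decisions[area] = decision


def can_proceed(cr):
    """Return (ok, blockers); every area must hold an explicit APPROVE, no default proceed."""
    blockers = []
    for area in REQUIRED_REVIEW_AREAS:
        decision = cr.decisions.get(area)
        if decision is None:
            blockers.append(f"{area}: no decision recorded (no default proceed)")
        elif decision is not Decision.APPROVE:
            blockers.append(f"{area}: open {decision.value}")
    return (not blockers, blockers)


def advance(cr, now):
    """Move the request from technical review to the vote stage once all gates are cleared."""
    ok, blockers = can_proceed(cr)
    if not ok:
        raise RuntimeError("cannot advance: " + "; ".join(blockers))
    cr.stage = "vote"
    cr.stage_entered_at = now


def monitor(requests, now):
    """Flag requests that are nearing or past the deadline of their current stage."""
    alerts = []
    for cr in requests:
        limit = STAGE_DEADLINES[cr.stage]
        elapsed = now - cr.stage_entered_at
        if elapsed > limit:
            alerts.append((cr.cr_id, "overdue", cr.stage))
        elif elapsed >= limit * WARN_FRACTION:
            alerts.append((cr.cr_id, "nearing_deadline", cr.stage))
    return alerts


def run_demo():
    """Walk one constructed request through the gates and the monitor; returns the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    try:
        submit("CR-1002", "enterprise-mail", "mallory", t0, True)
        unauthorized_rejected = False
    except PermissionError:
        unauthorized_rejected = True
    cr = submit("CR-1001", "enterprise-mail", "alice", t0, True)
    record_decision(cr, "security", Decision.APPROVE)
    record_decision(cr, "network", Decision.STOP)
    first = can_proceed(cr)          # blocked: open stop plus an area with no decision
    record_decision(cr, "network", Decision.APPROVE)
    record_decision(cr, "applications", Decision.APPROVE)
    second = can_proceed(cr)         # every area explicitly approved
    advance(cr, t0 + timedelta(days=2))
    alerts = monitor([cr], t0 + timedelta(days=6))  # 4 days in a 3-day vote stage
    return {"first": first, "second": second, "alerts": alerts,
            "unauthorized_rejected": unauthorized_rejected}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The design point is that `can_proceed` treats silence as a blocker rather than as consent, which is exactly the behaviour Recommendation 5 asks the application to adopt, and that `monitor` derives its warnings from the recorded stage entry time, so the timeliness metrics in Recommendation 17 can be computed from the same data rather than tracked by hand.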
