AUDIT OF OFFICE OF DATA PROCESSING

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP83T00573R000200120004-6
Release Decision: 
RIPPUB
Original Classification: 
K
Document Page Count: 
7
Document Creation Date: 
December 12, 2016
Document Release Date: 
December 4, 2001
Sequence Number: 
4
Case Number: 
Publication Date: 
September 15, 1980
Content Type: 
MF
Body: 
Approved For Release 2002/01/08 : CIA-RDP83T00573R000200120004-6

September [day and year illegible]

MEMORANDUM FOR: Director of Data Processing
VIA: Inspector General
FROM: Chief, Audit Staff
SUBJECT: Audit of Office of Data Processing

[STATINTL]

1. The Audit Staff has scheduled an audit of the Office of Data Processing for the period 1 July 1978 to 30 September 1980. The audit will cover compliance of activity with applicable laws, policies and regulations; effectiveness and efficiency of operations; and financial and logistical records and procedures.

2. The audit is scheduled to begin approximately 6 October 1980. The target date for completion is early December 1980. The audit team will consist of five or six members of the Information Systems Audit Division. Michael McGraw will be the supervising auditor. We will request a meeting with you prior to the start of the audit.

3. Please indicate your concurrence by signing and returning the original of this memorandum.

[STATINTL]

Director of Data Processing

Distribution:
Orig. - Signature & Return
1 - Addressee
1 - O/Compt/BMG

Date [illegible]

[STATINTL]

Report of Audit of Office of Data Processing as of 30 June 1978

RESPONSIBLE OFFICER: C/MS
AUDIT STAFF RECOMMENDATION #1: Present ODP's minicomputer support plan to the EAG for its consideration within the framework of the annual review as directed in the DDCI memorandum cited above.
ODP RESPONSE: The ODP plan was a new initiative to procure four minicomputers in FY-80 and obtain five FY-80 personnel slots for minicomputer support. The plan was rejected by senior Agency management during the FY-80 budget review process. Three of the five staff personnel were to provide Agency-wide technical support of [illegible] acquisition and maintenance of ADP minicomputers. The other two staff personnel were to provide systems programmer support to the four minicomputers and were to undertake planning and design work for distributed computing.

The present plan is to include minicomputers in the ODP budget in support of user requirements whenever the requirements have been identified prior to the formulation of a FY Program and Budget. Requirements identified after Program and Budget formulation will have to be funded within the user's budget or processed as an unfunded requirement.

The known minicomputer plans requiring ODP support that will be presented to the EAG for review, as directed in the DDCI memorandum cited in para. [illegible] of the Audit Report, are an [illegible] minicomputer application and possibly the GIMINI project--the latter was described in para. 10 of the Report.

ODP senior management will convene in the near future to review the ODP minicomputer policy and make revisions to the policy where deemed necessary.

[25X1A]

RESPONSIBLE OFFICER: DD/P
AUDIT STAFF RECOMMENDATION #2: Review and prioritize the Agency's emergency ADP requirements and develop a written disaster recovery plan that adequately provides support in the event of a disaster. Also provide for a current maintenance and periodic testing of the plan after development.
ODP RESPONSE: During FY-79 we will develop a methodology for determining the Agency's emergency ADP [illegible] requirements supported by ODP. Next, we will prepare and cost out a disaster recovery plan for higher management's consideration. With approval of the plan, we will undertake the necessary preparation to execute the plan and then commence periodic testing of the plan.

RESPONSIBLE OFFICER: DD/P
AUDIT STAFF RECOMMENDATION #3: Store system software backup tapes and copies of critical data bases in the Archives and/or exchange copies between the two computer centers. The stored backup records and programs should also be currently maintained and periodically tested to determine their operational readiness.
ODP RESPONSE: Copies of critical production data sets, GIMS data bases (including GIMS procedures, dictionaries and software) and all computer programs in the ODP Centralized Library System are stored in the [25X1A] Archives with the exception of CAMS information--the storage of CAMS data and software will commence by 31 [month illegible] 1978. The offsite storage [25X1A] of critical data and programs has been a long standing requirement of the Production Division. In January 1978, storage procedures were published in the ODP User's Guide in a section entitled, "Magnetic Tape Offsite Storage Procedures." The procedures apply to all users of the computer centers and also contain the criteria for refreshing material stored on magnetic tape.

Exchange copies of selected system software have been stored at the two computer centers and to a certain extent stored in the Archives. A procedure to store and refresh system software will be finalized during FY-79 and then all system software will be stored at [25X1A].

AUDIT STAFF RECOMMENDATION #4: Determine methods for better controls in the areas mentioned. Coordinate this study with the Office of Security.
ODP RESPONSE: All the areas identified and requiring action have been reviewed by the ODP/OS Joint Working Group. The recently completed risk analysis study also identified these areas and gave recommendations for solving the problems. Three critical areas, the GC-03 point, the GC-47 point, and file labeling, are presently being studied with a goal of solving these problems in FY-79. It is anticipated that the other problems identified will be solved or approaches recommended [remainder illegible]. All technical security [illegible] are coordinated with [illegible]/OS directly or [illegible] the ODP/OS Joint Working Group.

RESPONSIBLE OFFICER: C/MS
AUDIT STAFF RECOMMENDATION #5: Consider converting the current part time administrative assistant to a full time position. In addition, formally request technical security assistance from the Office of Security to assure proper attention to these technical security problems.
ODP RESPONSE: The conversion of the part time position to a full time position is inadequate to solve the problem. The present part time help is satisfactory for the Security Officer to remain current on administrative tasks. An additional position is needed to implement a computer security program as recommended by the ODP/OS Joint Working Group. Rather than change the administrative assistant position to full time, a full time [illegible] security officer is needed.

The ODP plan to obtain one personnel slot for a computer security officer was rejected by senior Agency management during the FY-80 budget review process. The security officer was to formulate and monitor ODP computer security policies and plans by analyzing current security practices, assessing vulnerabilities, and recommending the necessary corrective actions.

RESPONSIBLE OFFICER (recommendations #6 through #9, as listed): DD/P, DD/P, DD/P

AUDIT STAFF RECOMMENDATION #6: Use Data Erase to sanitize all magnetic tapes that are to be used as "scratch" tapes in the Special Center.
ODP RESPONSE: The Special Center will implement a plan on 1 December 1978 to use Data Erase to sanitize all magnetic "scratch" tapes.

AUDIT STAFF RECOMMENDATION #7: Continue to review the need for "E" Ruffing Center access indicators for non-Center personnel and expand the usage of no escort badges for infrequent users.
ODP RESPONSE: Access to the Ruffing and Special Centers is reviewed each October and April. On each review cycle, a [illegible] of "E" indicators are [illegible]. Use of no escort badges has been expanded.

AUDIT STAFF RECOMMENDATION #8: Install a remotely controlled access gate in the Ruffing Center 'point' area to limit unchallenged entry to the computer room.
ODP RESPONSE: An access/authorization system is presently under consideration that will control entry into the computer room. In the event the proposed system is tabled or delayed, then alternative solutions will be evaluated.

AUDIT STAFF RECOMMENDATION #9: Establish more stringent controls over users receipt of data from the "point" in the Ruffing Center.
ODP RESPONSE: The access/authorization system mentioned in the above response is the most logical and effective solution to the stringent controls problem. However, until its implementation, we will establish more stringent control over users receipt of data in the Ruffing Center.

RESPONSIBLE OFFICER: DD/P
AUDIT STAFF RECOMMENDATION #10: Provide terminal usage reports to appropriate ODP management personnel for monitoring efficiency and security of terminal usage.
ODP RESPONSE: By the end of this calendar year, we will begin distributing a terminal utilization report to appropriate ODP management personnel and all Agency ADP Control Officers for monitoring efficiency and security of terminal usage. The capability to gather data necessary to prepare such reports has only recently become available to us as the result of over a year of development work.

RESPONSIBLE OFFICER: DD/P
AUDIT STAFF RECOMMENDATION #11: Complete development and implement procedures to control systems changes.
ODP RESPONSE: A system to control changes to the GIMS Production software was implemented on 3 [month illegible] 1978.

RESPONSIBLE OFFICER: C/MS
AUDIT STAFF RECOMMENDATION #12: Continue efforts to update cost accounting procedures to accurately and completely identify the current cost of ADP computer systems software.
ODP RESPONSE: We are currently studying our pricing structure and intend to reflect new ADP cost accounting procedures in the changes that are made. Also, in an effort to furnish more accurate information to our users, in FY-79 we will separate the charges for ODP provided staff and contractor support. In addition, we are considering separating the charges for software development and production processing in our Project Activity Report.

RESPONSIBLE OFFICER: C/AS
AUDIT STAFF RECOMMENDATION #13: Continue the coordinated effort with the Office of Logistics to jointly solve ODP's property accounting problems. Insure that a complete physical inventory is conducted in accordance with [25X1A]. Document any discrepancies revealed as a result of the inventory as prescribed by the regulations.

RESPONSIBLE OFFICER: C/AS
AUDIT STAFF RECOMMENDATION #14: Take actions required to assure recording of Type II Property transactions on a more timely basis.
ODP RESPONSE: This is in response to recommendations 13 and 14. We have completed the following: An [illegible] task force was formed in September 1978 and [illegible] within ODP. An analysis of ODP's property accounting problems was initiated; documentary deficiencies were identified; existing property acquisition and disposal procedures and the documents associated therewith were reviewed in detail; preliminary work on new property control procedures was conducted; personnel impact of new procedures was assessed; a system of Agency stock for ODP property to assist its control has been started; and discrepancies in property documents are being corrected as found. A computerized system of property control by Printing Services Division is being examined for adoption by ODP. The current status is that the task force will require another 180 days to complete its task, including a complete wall-to-wall inventory of ODP property and the establishment of an automated control system.

RESPONSIBLE OFFICER: DD/P
AUDIT STAFF RECOMMENDATION #15: Determine the present capability of EMIS to serve as a central data base for all hardware transactions, both engineering and financial. Identify the information needs of various components and determine whether EMIS can be enhanced to the point where it satisfies the needs identified. If EMIS is enhanced research and verify to supporting documentation any missing data. Consider recording ODP's office equipment on the data base in addition to currently listed major hardware items.
ODP RESPONSE: Wherever possible, the scope of the Engineering Management Information System [illegible] (EMIS) will be [illegible] as resources are available. The present system has been under development over the past several years. Once all of the Engineering Division's needs are satisfied, we will examine its potential use as a data base for financial transactions.