ACTION TAKEN ON REPORT OF AUDIT APPRAISAL, HUMAN RESOURCES SYSTEM

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP84-00933R000100290006-6
Release Decision: 
RIPPUB
Original Classification: 
K
Document Page Count: 
5
Document Creation Date: 
December 15, 2016
Document Release Date: 
August 25, 2003
Sequence Number: 
6
Case Number: 
Publication Date: 
May 11, 1981
Content Type: 
MF
Body: 
CONFIDENTIAL

Approved For Release 2003/12/03 : CIA-RDP84-00933R000100290006-6

11 May 1981

MEMORANDUM FOR: Chief, Audit Staff
Inspector General

Acting Director of Personnel

SUBJECT: Action Taken on Report of Audit Appraisal, Human Resources System

1. I have reviewed the Report of Audit Appraisal, Human Resources System (HRS) of 31 March 1981. The HRS represents the development of a complex computer system and since its acceptance and activation in March of 1980, it has been used successfully, proving to be an accurate integrated centralized personnel information system responsive to Agency management requirements. The scope of the audit and the several findings are reasonable, constructive, and acceptable.

2. Our actions and responses to the audit comments and recommendations are keyed to the report.

Recommendation #1: Formally designate a data base manager for the HRS and give him final approval authority for all changes to the HRS.

The Chief, Information Division is designated as the Data Base Manager of the HRS with responsibility for changes, interfaces, and access to the HRS. (Note: Chief, ID was not interviewed during the audit.) Supplementing this designation is the alignment and utilization of Chief, Automated Data Resources Branch (ADRB) as the Technical Data Base Manager, participating in the development and servicing of the data structure relevant to the software, testings, and system program implementation. This combination is a satisfactory and practical arrangement since Chief, Information Division, as DBM, confers and consults daily with Chief, ADRB and Chief, Information and Analysis Branch (IAB) for purposes of discussing system applications, changes, controls, requirements, and resolution of problems. Chief, ID, by this routine, is fully cognizant of HRS activity with complete confidence in actions proposed and taken by C/ADRB and C/IAB.
However, in furtherance of the audit recommendation, all requests for changes to the HRS (workorders) will be approved and signed by Chief, ID as DBM, after impact assessment with C/ADRB and C/IAB, as appropriate. In the absence of C/ID, the C/ADRB, as Technical DBM, will insure system continuity and IAB compatibility for HRS modifications, and sign workorders as needed.

Recommendation #2: Document in writing ADRB's testing and approval of software changes. The documentation should include as a minimum: the name of the individual testing the changes, the results obtained, the date of the test, the date of the approval, and the signature of the individual approving implementation of the change.

Hard copy backup of testing information is maintained by ADRB and contains the documentation noted in Recommendation #2, but only a verbal approval to execute the change was given to ODP. This procedure has been changed to conform to the audit recommendation with ADRB giving ODP written approval for implementing software changes.

Recommendation #3: Require prior written approval from the DBM or other designated individuals for changes to the Common Validation Dictionaries.

Changes to COMVAD are controlled very closely with review and assessment of the requested change(s) by C/ADRB. All requests are documented by ADRB and retained indefinitely (COMVAD audits are held for at least one year). Changes to COMVAD will be made only after C/ADRB or the DBM has placed signed approval on the documented request.

Recommendation #4: Request the ODP to modify the HRS so that security violation notices reject the transaction at time of entry and such notices are recorded for subsequent review and appropriate follow-up.
ODP Production Division has been requested, by memorandum, to have the system reject improper requests for data and to send daily listing of all security code violations issued by HRS2, to ADRB for review and follow-up as appropriate. (Copy attached).

Recommendation #5: Periodically review the access list and update as required.

Operators on HRS data base have been reviewed; adds, changes, and deletes have been made to align the data base, and signed user authorization lists have been sent to each branch having HRS-2 users. A quarterly review will be made to keep the lists current.

Recommendation #6 (For ODP): Follow established procedures to ensure that backup copies of HRS files are stored offsite in a timely manner.

ODP Production Division has been requested, by memorandum, to conform with this recommendation. (Copy attached).

Recommendation #7: Determine whether MINI-GAP can be used in lieu of manual posting of Service Record Cards.

Although the Mini-GAP program contains data which is applicable to Service Record Cards (SRC/SF-7) purposes, it is data only from July 1975 forward. Moreover, configuration of the Mini-GAP file is not conducive (cost effective) to automated production of the SRC. Automated production of the SRC was planned as a component and function of the General Archives Program (GAP) -- a storage and retrieval system of history and personnel information from 1968 forward. Time and resource impasses necessitated the suspension of GAP development. However, its completion and applications, including elimination of manual posting of the SRC, remain objectives which regrettably, at this time, are overtaken by higher priority commitments.

Comment to Para 14: Security has been tested and installed on the race and handicap codes and the true name values on the production data base.
These codes/values have been protected previously but they are now available to fewer system users.

3. The appraisal was helpful and balanced, and I am appreciative of the efforts and consideration extended by the auditors.

Attachment: As stated

Distribution:
Original & 1 - Addressee
1 - AD/OP
1 - C/ADRB
1 - C/ODP
1 - C/IAB
1 - ID Chrono

8 May 1981

MEMORANDUM FOR: Chief, Production Division, ODP
FROM: Chief, Information Division, OP
SUBJECT: Compliance with the Audit of the Human Resources System

1. The audit performed on the Human Resources System (HRS) by the Information System Audit Division/Audit Staff, surfaced two areas of weakness in the overall strength of the HRS production environment. This memorandum will formalize Office of Personnel request to strengthen these areas:

A. No record or notice of security violations is printed by the system. Improper requests for data from the HRS are not reported to the DBM or other appropriate officials.

REQUESTED ACTION: The system generates "Security Code Violation" to users who exceed their authority to extract or update information on the HRS. The security violation notices should reject the transaction at the time of entry and I would like to obtain a listing on a daily basis of all security code violations issued by HRS2. The listing will be picked up the following morning and reviewed by OP/ADRB along with their review of the database statistics.

B. Procedures for safeguarding the HRS data file have not been followed by ODP.

REQUESTED ACTION: ODP should follow established procedures to insure that backup copies of HRS files are stored offsite in a timely manner.
Copies of HRS data files are created every night; a copy of the cutoff date tapes is stored at GC-47 in case GS-03 is damaged; and, monthly tapes are sent 25X1. I would like to be assured that the procedures will be followed.

2. The audit found that the HRS operates efficiently and is generally satisfying the needs of its users. Additionally, the personnel involved with the operation of the HRS were performing their assigned task in an effective manner. The service and fine performance of your Division certainly are a contribution to this effort and our accomplishments. Your assistance and support is greatly appreciated.