REPORT OF AUDIT - CORPORATE INFORMATION RETRIEVAL AND STORAGE (CIRAS) SYSTEM

Approved for Release: 2018/08/22 C06636472 TO CENTRAL INTELLIGENCE AGENCY Office of Inspector General REPORT OF AUDIT orporate Information Retrieval and Storage (CIRAS) System Report No. 2005-0018-AS 5 September 2006 ISSUE DATE Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 Report of Audit Corporate Information Retrieval and Storage (CIRAS) System EXECUTIVE SUMMARY The objectives of this audit were to determine whether: � The CIA can rely on CIRAS to store, process, and retrieve intelligence records efficiently and accurately. � CIRAS has adequate internal controls to protect information from unauthorized access, disclosure, alteration, or destruction. � The Trident conversion addresses issues identified with CIRAS in this audit. The CIA can rely on the CIRAS system to efficiently and accurately store, process, and retrieve intelligence records. our application testing found that features and functions in CIRAS generally meet requirements for speed, reliability, and consistency. In addition, we found that most CIRAS survey respondents were satisfied with the system as a tool to facilitate their work. TOP SECRET 1 Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRE We did not evaluate how the Trident conversion addresses issues identified with CIRAS because the Trident system is in the early stages of deployment. Trident moved into a production environment in March 2006 and currently supports approximately 30 users. Trident Program Office management expects the application to completely replace CIRAS by the end of 2008. Assistant Inspector General for Audit TOP SECRET 2 Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 BACKGROUND TOP SECRET/ CIRAS is a mission-critical system that serves as the primary intelligence informa ion repository and search, retrieval, and data organization and management system for the Directorate of Intelligence (DI) and other components in the CIA. As of May 2006, officers in the Washington Metropolitan Area and in the field use CIRAS to prepare intelligence reports, research requests for information. monitor real-time world events, and manage collection requirements. he CIRAS system was deployed in 1997, replacing the Support for the Analysts'e Environment (SAFE) system, which had ben in operation since 1986. Over the next several years, the Trident user interface will gradually replace CIRAS. Trident is being developed to meet the DI's priority of deploying advanced analytic tools and the CIA's transition to web-based applications. Trident's web-based architecture will allow Headquarters and field users to access the application using web-browser software. Trident will include tools for advanced searches, highlighting text and comment insertion, link analysis,5 mapping, data visualization,6 and foreign language translation. There are currentlyndual Trident-CIRAS users. The Trident Program Office predicts that Trident will service users by yearend, and that the remaining CIRAS users will be transitioned to Trident by the end of 2008. New Trident users will receive training on the system, and their CIRAS profiles will be adjusted to be compatible with Trident. Trident Program Office management told us they are preparing for full deployment by completing capacity testing to understand how a higher volume of users will affect performance, assessing non-DI users' requirements, and conducting field-connectivity testing. 5 Link analysis tools allow analysts to graphically depict interrelationships between objects, such as people, organizations, places, or products. 6 Data visualization refers to a visually oriented analytic tool-set that helps analysts understand large volumes of textual information. 3 TOP SECRET Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRE AUDIT RESULTS AND RECOMMENDATIONS CIRAS is an Efficient Application The CIA can rely on CIRAS to efficiently and accurately store, process, and retrieve intelligence records. Our application testing found that features and functions in CIRAS generally meet requirements for speed, reliability, and consistency. In November 2005, we surveyed CIRAS users and received nearly a 29 percent response rate. CIRAS users surveyed included a judgmental sample of DI analysts, Trident ilot participants, and the most active CIRAS users. Eighty-five percent of th IRAS users who responded to our survey said they were satisfied with the CIRAS system as a tool to facilitate their work. Vulnerabilities Associated With IJIbdSLet covery and System Security Need To Be Addressed Internal controls over CIRAS are generally adequate. While our review of � the System Security Plan, incident response procedures, data integrity, and user access controls found that the CIRAS system has sufficient internal controlc in nlare TOP SECRET 4 Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRET TOP SECRE1 Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRE1 TOP SECRE1 Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRET 7 TOP SECRET Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 Exhibit A Objectives, Scope, and Methodology The objectives of this audit were to determine whether: � The CIA can rely on the Corporate Information Retrieval and Storage (CIRAS) system to store, process, and retrieve intelligence records efficiently and accurately. � CIRAS has adequate internal controls to protect information from unauthorized access, disclosure, alteration, or destruction. � The Trident conversion addresses issues identified with CIRAS in this audit. We did not evaluate how the Trident conversion addresses issues identified with CIRAS because the Trident system is in the early stages of deployment. In conducting the audit, we: � Reviewed applicable regulations and policy guidelines pertaining to information security of Federal information systems. � Reviewed CIRAS and Trident systems' documentation and received system briefings and demonstrations. � Interviewed cognizant officials involved in CIRAS system development, operation, maintenance, and security. � Interviewed and surveyed a judgmental sample of CIRAS and Trident users to gain user-perspective of the applications. � Tested CIRAS application controls. � Conducted internal controls testing of CIRAS (according to DCID 6/3 requirements). � Conducted interviews, reviewed documentation, and observed the relevant processes, procedures, and facilities to ensure compliance with DCID 6/3 management, operational, and technical controls. TOP SECRE Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRET The audit was performed from August 2005 to May 2006 in accordance with generally accepted government auditing standards. We discussed our findings with officials from the Office of the Chief Information Officer, the Directorate of Support, and the Directorate of Intelligence during the audit. Comments on a draft of this report were provided by the Chief Information Officer and Chief, Information Services and were-considered in the preparation of the final report. 2 TOP SECRET Approved for Release: 2018/08/22 006636472 Approved for Release: 2018/08/22 C06636472 TOP SECRET Exhibit B Significant recommendations will be reported in the next Inspector General's semiannual report to the Director, Central Intelligence Agency. TOP SECRET/ Approved for Release: 2018/08/22 C06636472 Approved for Release: 2018/08/22 C06636472 TOP SECRET Exhibit C Audit Team Members This audit report was prepared by the Information Technology Division, Audit Staff, Office of Inspector General. TOP SECRET Approved for Release: 2018/08/22 C06636472