REPORT OF AUDIT OFFICE OF DATA PROCESSING FOR THE PERIOD 1 OCTOBER 1980 TO 30 APRIL 1982

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP90-00992R000100040002-5
Release Decision: 
RIPPUB
Original Classification: 
S
Document Page Count: 
17
Document Creation Date: 
December 16, 2016
Document Release Date: 
July 12, 2005
Sequence Number: 
2
Case Number: 
Publication Date: 
April 30, 1982
Content Type: 
REPORT
Body: 
Approved For Release 2005/07/28 : CIA-RDP90-00992R000100040002-5

REPORT OF AUDIT
Office of Data Processing
For the Period 1 October 1980 to 30 April 1982

Summary

1. Financial and logistical controls, procedures and records of the Office of Data Processing (ODP) were, except as noted below, in accordance with Agency regulations. Prior audit recommendations, with the exception of one that pertains to disaster recovery, were satisfactorily resolved.

2. The ODP Deputy Directorate for Applications is being reorganized to improve efficiency, effectiveness and control over development and maintenance of computer systems. The audit indicated that considerable benefit should accrue to the Organization from these efforts and from the resulting implementation of new and revised standards for quality assurance in the development and maintenance function. Employees were found to be highly committed to the objectives of the reorganization. The ODP is to be commended for this endeavor to improve services.

3. This report includes comments and recommendations concerning the following:
- reducing the number of seldom used and unneeded tapes in storage to alleviate overcrowding
- recording additional information in the tape destruction process to improve security
- strengthening control to ensure that only authorized personnel can check out tapes
- completing a written disaster recovery plan to reduce service interruption in emergencies
- discontinuing giving out passwords over the telephone to improve security
- requesting implementation of a new property control system to improve efficiency, and
- updating hand receipts as required to improve control over property on loan.

Scope and Purpose

4. The audit included a review of administrative functions to evaluate the effectiveness of controls and procedures and to assure compliance with Agency regulations. Financial and logistical transactions were tested to determine that documentation, approvals and certifications were in accordance with applicable accounting and reporting requirements and to ensure that expenditures were within the scope of authorized activities.

5. The audit also included reviews and tests in both computer centers to determine that established procedures and other documentation were sufficient, adequate and followed to protect against potential security and safety risks.

6. A survey of ODP applications was performed to review the reorganization and to identify the standards and procedures to be used in the forthcoming quality assurance program. Because the reorganization is still in process, no tests were conducted to determine compliance with the standards and procedures.

Background

7. ODP provides a central computer service to satisfy automatic data processing (ADP) requests from Agency components and to satisfy Intelligence Community requirements as assigned. In performing this service, ODP has as of 30 April 1982 a personnel ceiling of
- review and coordinate Agency proposals for the acquisition of computer hardware (including word processing equipment), software, and services
- operate two computer centers (Ruffing and Special) to provide facilities and services for batch and interactive computer processing, data base management, and on-line information storage and retrieval, and
- perform analysis of requirements for ADP services, develop and implement application systems, perform maintenance and production control of completed application programs.

Detailed Comments

Tape Library Capacity

10. Opportunity exists to provide needed storage space in the Ruffing Center tape library by reducing the number of seldom used and unneeded tapes in storage. Lack of storage space for about 38,000 tapes requires storing approximately 4,500 of them adjacent to the library in the computer center. This increases the already overcrowded conditions in the center and decreases security since these tapes are not safeguarded by the library's additional fire protection and more central location for improved monitoring. While the library may ultimately need to be enlarged, it may be possible to store all necessary tapes in the library by eliminating tapes not requiring current access.

11. Although ODP has a policy to archive tapes not used in six months, space is wasted by not strictly enforcing the policy and by honoring requests to retain such tapes in the library beyond that time. It appears that thousands of these tapes could be purged from the library. For example, of tapes expiring after eleven years, audit identified 3,492 that were unused in the previous twelve months, while 7,718 were unused in the previous six months. In total, twenty-five per cent, or 8,400 of all ODP tapes were unused in the previous six-month period tested.

12. This suggests some non-compliance with the six-month retirement policy, possibly because ODP honors user requests to retain such tapes in the library beyond that period.
The retirement policy by itself, if more strictly enforced by retiring unused tapes to archives, could conceivably provide the space needed in the library to eliminate storing tapes in the computer center.

13. While tape reductions are possible by enforcing the retirement policy, even further reductions are possible by not automatically storing tapes unneeded during the initial six-month storage period. Archival action on new tapes is taken only after an initial, automatic six-month storage period to provide time for use-patterns to develop. In the meantime, space is wasted by automatically storing thousands of these tapes. Also, librarians report that users waste space in both Headquarters and archives by creating many unnecessary tapes and tapes with over-long retention periods, thus providing even more opportunity for reductions.

14. Reductions in such tapes are currently not possible since no requirement exists to identify and retire them before the expiration of the six-month storage period. A reasonable requirement to facilitate reductions could entail ADP Control Officers identifying such tapes on present Tape List inventories already forwarded weekly to them for information. Since no action is presently required on these lists, required feedback identifying suspect tapes on a continuing basis could provide the impetus for retiring them to archives or scratching them on a more current basis.

15. Incentive for compliance with such a procedure could involve requiring ADP Control Officers to certify to their superiors the necessity for storing tapes remaining on respective lists and for using long-term expiration dates.
Other possibilities for reductions include requiring special approval to create tapes with long-term expiration dates together with system controls to automatically restrict their creation without these approvals.

16. ODP should consider initiating these or other appropriate procedures to help reduce overcrowding. Although ODP reviewed this area about two years ago, another review appears to be in order in accordance with [25X1A] Since storing unused tapes is a luxury not easily afforded, ODP officers indicated a willingness to again look into this matter for possible improvements.

Recommendation #1: Review tape handling procedures to alleviate overcrowding, by reducing the number of seldom-used and unneeded tapes in storage, and consider:
- increasing compliance with the six-month tape retirement policy
- requiring ADP Control Officers to provide feedback identifying suspect tapes
- requiring ADP Control Officers to certify in writing the necessity for storing tapes and using long-term expiration dates and,
- requiring special approval to create tapes with long-term expiration dates.

Tape Destruction Controls

17. Controls and security can be improved in the Ruffing Center tape destruction process by recording additional information in the tape destruction records. While records contain appropriate information on tapes initially packed by the library for destruction, they contain no information on tapes subsequently transported from the library, degaussed and burned. Since destruction activities expose tapes to compromise outside the Ruffing Center, procedures should be revised to add assurance that tapes earmarked for destruction are actually destroyed.
In addition to reflecting the initial preparation process, the records should be expanded to reflect pertinent information on the entire destruction process. This should not entail new recordkeeping but only a change in the records being kept. Present records do not reflect this information due to library personnel being unfamiliar with needed controls. Details for improving recordkeeping were discussed with library personnel and they agreed to consider audit suggestions in their quest to identify needed revisions.

Recommendation #2: Revise tape destruction records to include information on the entire tape destruction process.

Tape Check-Out Control

18. Strengthened control is needed to ensure that only authorized personnel are allowed to check out ODP tapes from both the Ruffing and Special Computer Centers. Anyone with a badge can presently check out a tape by merely identifying the reel number and dataset name. While this appears to be an adequate control, compromise is possible as various computer listings contain this information making it available to unauthorized personnel.

19. Improved security would entail matching a badge number or name to computer system information that authorizes check-out privileges. Such a control is available in the Access Control Facility-2 (ACF-2) system presently used by ODP to verify authorization to remove category Y and Z tapes. Although ODP tapes are subject to withdrawal, they have not been accorded this control because they are subject to considerably less frequent withdrawal than are Y and Z tapes. We were informed that since ACF-2 is already being used to control some tapes, it could be used to control all tapes and [illegible] security.

Recommendation #3: Improve security by implementing ACF-2 procedures for withdrawal of ODP tapes from tape libraries.

Disaster Recovery Plan

20. Due to resource constraints, ODP has failed to develop a comprehensive disaster recovery plan, despite efforts to comply with past audit recommendations in this area. Although ODP still intends to eventually develop a comprehensive disaster recovery plan, their efforts to date indicate that it will be expensive, difficult and therefore perhaps less comprehensive than originally envisioned. Meanwhile, ODP should consider a more modest plan, but still capable of being effective.

21. A more modest plan at more acceptable cost and effort can still minimize the magnitude of service interruption in an emergency situation. Since ODP already knows many of the actions to take in an emergency, these actions should be consolidated into a single planning document. Topics to cover include: requirements in notifying management, vendor and other personnel needed in an emergency; requirements in effecting agreements with vendors regarding emergency assistance and with Agency components regarding applications; requirements in technical areas; and similar considerations.

22. The objective of such a plan would be to implement a practical and workable disaster recovery program within the framework of resource constraints. Because of Agency dependence on data processing, it is important that such a plan be developed.

Recommendation #4: Develop a disaster recovery plan that minimizes risk within resource constraints.

Password Control

23. Customer Services Staff improved security during the audit when it ceased giving out passwords over the telephone.
Although passwords were being provided over secure lines to users requesting them, the inability to properly identify the caller presented possibilities for unauthorized access to the system. After learning of this, ODP management gave assurance that the practice would stop.

24. This was being done as a convenience to users who requested their passwords over the telephone after having forgotten them. Discontinuance of this service will result in some regrettable but necessary inconvenience to users. ODP indicated that in the future passwords will only be given out in person after proper identification is presented. They also explained that a procedure may be developed to securely provide this service over computer terminals. No recommendation is thus considered necessary.

Property Procedures

25. ODP logistics personnel maintain duplicate automated and manual records on which to record Type II Property transactions. While the automated portion augments the manual system, supporting duplicate records is costly and time consuming. Since ODP expends considerable effort in maintaining one of the largest property accountability systems in the Agency, a single system would be more efficient and effective. Such a system exists in the Agency Standard Automated Property System (ASAPS) recently implemented by the Office of Logistics to satisfy requirements for Type II property accounting and intended as a replacement for existing systems. ASAPS would provide an online capability and would replace many of the labor-intensive and paper-dependent processes now in use.
Although implementing ASAPS would entail data conversion and orientation problems, the long term benefits of the system should outweigh these initial disadvantages. ODP agreed to consider replacing its present property system with ASAPS.

Recommendation #5: Request implementation of ASAPS as a replacement for the property records currently in use.

Property on Loan Controls

26. Property items on loan for which Engineering Division is responsible are not controlled in accordance with regulations. Property on loan at the time of audit consisted of seventy-one computer terminals and related equipment. Improvement is needed in the inventory and record-keeping procedures used to control this property. The division conducts the annual inventory of property on loan over the telephone with loanees in lieu of having them re-sign hand receipts. Also, the division could not initially locate twenty-nine hand receipts for audit; apparently the receipts were lost, misplaced or never obtained.

27. Hand receipts for property on loan are required by regulation to be obtained and updated by signature at least annually, preferably in conjunction with the physical inventory. During the audit the division resolved the question of missing hand receipts by finding them, obtaining them from loanees or effecting return of the property involved. The question of not updating hand receipts by signature or effecting return of the property remains to be resolved. Although Engineering Division was fully aware of the requirement for obtaining and maintaining hand receipts, they were not fully aware of the requirement for obtaining annual signatures on hand receipts.
While they prefer using the convenience of the telephone to update hand receipts, they agreed during the audit to update them in the future as required. A recommendation on obtaining and maintaining hand receipts is not necessary since this requirement is understood and was met during the audit.

Recommendation #6: Update hand receipts for property on loan by obtaining signatures at least annually or effect return of the property involved.

C/MS/ODP
DATE 1 6 At... 1982
Draft of recent Audit Report. Please review and phone or send comments to EXO or by COB 20 Augu ...
FROM: DDA