This is the accessible text file for GAO report number GAO-09-195 entitled 'Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data' which was released on January 30, 2009. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: January 2009: Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data: GAO-09-195: GAO Highlights: Highlights of GAO-09-195, a report to congressional requesters. 
Why GAO Did This Study: The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction. GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN’s mission have been implemented. To do this, GAO examined security policies and controls for systems at three organizations. What GAO Found: FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN’s mission; however, significant information security weaknesses remain in protecting the confidentiality, integrity, and availability of these systems and information. The three organizations implemented many information security controls to protect the information and systems that support FinCEN’s mission. For example, IRS controlled changes to a key application and FinCEN segregated areas of its network. Nonetheless, the organizations had inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to this information and these systems. 
For example, the organizations did not always (1) implement user and password management controls for properly identifying and authenticating users, (2) restrict user access to data to only what was required for performing job functions, (3) adequately encrypt data, (4) protect the external and internal boundaries on its systems, and (5) log user activity on databases. Furthermore, weaknesses in which systems were insecurely configured and patches were not applied to critical systems also existed. As a result, sensitive information used by the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing is at an increased risk of unauthorized use, modification, or disclosure. A key reason for many of the weaknesses was that FinCEN and IRS had not fully implemented key information security program activities. For example, FinCEN did not always include detailed implementation guidance in its policies and procedures and adequately test and evaluate information security controls. Furthermore, GAO has previously reported that IRS did not sufficiently verify whether remedial actions were implemented or effective in mitigating vulnerabilities and recommended that it implement a revised remedial action verification process. What GAO Recommends: GAO recommends that the Secretary of the Treasury direct the FinCEN Director to take several actions to fully implement an effective agencywide information security program. In commenting on a draft of this report, Treasury agreed to develop a detailed corrective action plan for each of the recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-195]. For more information, contact Nancy Kingsbury at (202) 512-2700 or kingsburyn@gao.gov, or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. 
[End of section]

Contents:

Letter:
Results in Brief:
Background:
FinCEN, TCS, and IRS Had Not Fully Implemented Appropriate Security Controls and Practices to Protect Information and Systems Supporting FinCEN's Mission:
Conclusions:
Recommendations for Executive Action:
Agency Comments:

Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of the Treasury:
Appendix III: GAO Contacts and Staff Acknowledgments:

Figure:

Figure 1: BSA Environment Operational Relationships and Data Flow:

Abbreviations:

BSA: Bank Secrecy Act:
FinCEN: Financial Crimes Enforcement Network:
FISMA: Federal Information Security Management Act:
IRS: Internal Revenue Service:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
TCS: Treasury Communications System:
Treasury: Department of the Treasury:
WebCBRS: Web-based Currency and Banking Retrieval System:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

January 30, 2009:

The Honorable Barney Frank:
Chairman:
The Honorable Spencer Bachus:
Ranking Member:
Committee on Financial Services:
House of Representatives:

The Honorable William Lacy Clay:
House of Representatives:

The Honorable Stephen F. Lynch:
House of Representatives:

As the administrator of the Bank Secrecy Act (BSA),[Footnote 1] the Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury (Treasury), is tasked with the mission of safeguarding the U.S. financial system from money laundering, terrorist financing, and other abuses. In fulfilling this mission, FinCEN performs analysis in support of law enforcement; issues regulations and enforces compliance with the BSA; facilitates information-sharing of BSA data; and coordinates with foreign counterparts. 
FinCEN relies extensively on its own information systems, as well as on systems located at the Treasury components of the Internal Revenue Service (IRS) and the Treasury Communications System (TCS) to manage, store, and disseminate the data that financial institutions are required to report under the BSA. These data contain sensitive information, including transaction amounts, account numbers, and social security numbers, and are used by law enforcement agencies investigating financial crimes, including terrorist financing and money laundering. The computer systems that support FinCEN's mission must be properly protected through strong information security controls [Footnote 2] because a security breach could place sensitive financial and personally identifiable information at risk and allow criminals to subvert law enforcement's ability to detect illegal activity. Our objective was to determine whether information security controls have been implemented that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN's mission. To accomplish this objective, we examined the information security controls at FinCEN and two organizations that operate systems or process and store data on its behalf--specifically, TCS and IRS. We concentrated our evaluation on the applications, databases, and network and mainframe infrastructure that support FinCEN's mission. We performed our review at FinCEN and TCS facilities in the Washington, D.C., metropolitan area and at an IRS computing center. We conducted this performance audit from March 2008 to January 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. 
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. For more details on our objective, scope, and methodology, see appendix I.

Results in Brief:

Although FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN's mission, significant weaknesses existed that impaired their ability to ensure the confidentiality, integrity, and availability of this information and these systems. The organizations have implemented many security controls to protect the information and systems. For example, FinCEN employed controls to segregate areas of its network and restrict access to sensitive areas, and IRS controlled changes to a key application in its BSA processing environment. However, weaknesses existed that placed sensitive data at risk of unauthorized disclosure. The organizations did not always consistently apply or fully implement controls to prevent, limit, or detect unauthorized access to devices or systems. For example, the organizations had not consistently or fully (1) implemented user and password management controls for properly identifying and authenticating users, (2) restricted user access to data to permit only the access needed to perform job functions, (3) encrypted data, (4) protected external and internal boundaries, and (5) logged user activity on key systems. Shortcomings also existed in managing system configurations, patching systems, and planning for service continuity. As a result, increased risk exists that unauthorized individuals could read, copy, delete, add, and modify data and disrupt service on systems supporting FinCEN's mission. A key reason for many of the weaknesses was that FinCEN and IRS had not fully implemented key information security program activities. 
For example, FinCEN did not always include detailed implementation guidance in its policies and procedures or adequately test and evaluate information security controls. Furthermore, IRS did not sufficiently verify whether actions taken to remedy or mitigate known vulnerabilities were fully implemented or effective. To help strengthen information security controls over the information and systems supporting FinCEN's mission, we are making five recommendations to the Secretary of the Treasury to direct the Director of FinCEN to fully implement key information security program activities. We also are making 88 recommendations in a separate report with limited distribution. These recommendations consist of actions to be taken to correct the specific information security weaknesses at FinCEN, TCS, and IRS. In commenting on a draft of this report, Treasury's Deputy Assistant Secretary for Information Systems and Chief Information Officer stated that securely maintaining BSA information contributes to the department's goal of promoting the nation's security through strengthened financial systems. He also stated that Treasury will provide a detailed corrective action plan for each of the recommendations and noted that many of the actions required to address the recommendations are already completed or under way. Background: Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where the public's trust is essential. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. 
Without proper safeguards, they also pose enormous risks that make it easier for individuals and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. Our previous reports, and those by inspectors general, describe serious and widespread information security control deficiencies that continue to place federal assets at risk of inadvertent or deliberate misuse, mission-critical information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. Accordingly, we have designated information security as a governmentwide high-risk area since 1997,[Footnote 3] a designation that remains in force today. [Footnote 4] Recognizing the importance of securing federal agencies' information systems, Congress enacted the Federal Information Security Management Act (FISMA) in December 2002 to strengthen the security of information and systems within federal agencies.[Footnote 5] FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and systems that support the operations and assets of the agency, using a risk-based approach to information security management. Such a program includes assessing risks; developing and implementing security plans, policies, and procedures; providing security awareness and specialized training; testing and evaluating the effectiveness of controls; planning, implementing, evaluating, and documenting remedial actions to address information security deficiencies; and ensuring continuity of operations. 
The BSA and FinCEN: The BSA, enacted by Congress in 1970, authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to retain records and file reports useful in criminal, tax, and regulatory investigations. Following the September 11, 2001, terrorist attacks, Congress passed the USA PATRIOT Act, which, among other things, amended the BSA to expand the number of industries subject to BSA regulation and required financial institutions to establish proactive anti-money laundering programs to combat terrorist financing.[Footnote 6] In addition, the USA PATRIOT Act expanded reporting requirements and allowed the records and reports collected under the BSA to be used in the conduct of intelligence or counterintelligence activities to protect against international terrorism. As the administrator of the BSA, FinCEN, a bureau within Treasury, is tasked with the mission of safeguarding the U.S. financial system from money laundering, terrorist financing, and other abuses. In fulfilling this mission, FinCEN plays four key roles: (1) performing analysis in support of law enforcement; (2) issuing regulations and enforcing compliance; (3) facilitating information-sharing of BSA data; and (4) coordinating with foreign counterparts. Providing analysis was FinCEN's original mission when it was established in 1990, a role that it continues to perform. In its capacity as regulator, FinCEN develops regulations and delegates authority to eight other federal agencies to perform compliance examinations for BSA reporting requirements for referral to FinCEN, which retains enforcement authority. In terms of information-sharing, sections 361 and 362 of the USA PATRIOT Act mandate that FinCEN create and maintain networks to enable electronic filing of BSA reports and facilitate dissemination of the data to law enforcement and regulatory agencies. 
In addition, FinCEN participates in and promotes international collaboration and information-sharing among its foreign counterparts to detect and deter illicit financial activities. Between fiscal years 2002 and 2007, FinCEN's budget grew from $47.5 million to $73.2 million. According to FinCEN, this growth has taken place primarily because of the expansion of its regulatory functions. Information That Supports FinCEN's Mission: FinCEN relies on information submitted under BSA reporting requirements to fulfill its mission. Specifically, FinCEN collects information submitted and disseminates it to law enforcement and regulatory agencies. The information primarily consists of Currency Transaction Reports and Suspicious Activity Reports that are filed by financial institutions. Currency Transaction Reports must be filed for any account cash withdrawals and deposits, currency exchanges, and wire transfers purchased with cash exceeding $10,000. Suspicious Activity Reports must be filed by financial institutions if a transaction involves or aggregates a minimum threshold[Footnote 7] of funds or other assets and the institution knows, suspects, or has reason to suspect that the transaction is a violation of law. Law enforcement agencies use the information in these reports in combination with other information that they collect to link individuals and their activities, hinder activities, and prosecute criminals. Financial regulators, such as the Federal Deposit Insurance Corporation and the National Credit Union Administration, use the information to examine financial institutions for compliance with the BSA. Currency Transaction Reports and Suspicious Activity Reports contain highly sensitive, detailed information about the financial activity of private individuals[Footnote 8] that is intended to help federal, state, and local law enforcement agencies in their investigations and, thus, potentially hinder criminal activity. 
Inappropriate disclosure, modification, or misuse of this information could undermine the ability of the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing.

Information Systems That Support FinCEN's Mission:

Information systems located at FinCEN, TCS, and IRS comprise the overall computing environment where BSA information is collected, processed, stored, disseminated, and protected in support of FinCEN's mission. In its own computing environment, FinCEN maintains a Web portal by which law enforcement agencies, regulatory agencies, and FinCEN employees access BSA data. It also has an analysis tool that it uses to provide analyses to law enforcement customers and a database containing a copy of the BSA database maintained by IRS. These systems reside on FinCEN's network infrastructure. Additional systems are operated at TCS, including the electronic filing system and the supporting TCS network infrastructure. FinCEN's electronic filing system is operated on the TCS network under a hosting agreement. FinCEN also relies on systems operated by IRS, including the BSA database and the Web-based Currency and Banking Retrieval System (WebCBRS). WebCBRS and the database reside on a mainframe computer and supporting network infrastructure at an IRS computing facility.

Information Flow in the BSA Environment:

The information in BSA reports submitted by financial institutions comprises the data that are stored in the BSA database at IRS. Most reports[Footnote 9] are submitted electronically, either singly or in batch form, over the Internet to the electronic filing system; FinCEN moves these data through its network infrastructure and passes them to IRS. Reports submitted in paper form are mailed directly to IRS; they are then forwarded to a contractor, who converts the reports into digital format and returns them electronically. IRS personnel then manually upload the data to the database. 
BSA data are provided to law enforcement and regulatory agencies in multiple ways. Organizations may access the data through FinCEN's Web portal, which provides access to the WebCBRS application. These organizations either have a memorandum of understanding with FinCEN, which allows them to access the portal remotely through the Internet, or participate in FinCEN's Platform Program, which allows them to access the portal on-site at FinCEN. In addition, certain federal agencies also periodically receive bulk downloads of BSA data for use at their agencies. FinCEN also has its own analysis tool that it uses to provide investigative leads to support financial criminal investigations and produce a variety of analytical products that can be used by law enforcement to more effectively target their investigations. Organizations may request that FinCEN analysts assist with their investigations by conducting queries or analyses on their behalf. Some internal IRS analysts and investigators also have direct access to WebCBRS to support compliance examinations for nonbank financial institutions and investigations of money laundering and other tax-related crime. The flow of data through the overall BSA environment is illustrated in figure 1. Figure 1: BSA Environment Operational Relationships and Data Flow: [Refer to PDF for image] This figure is a diagram representing the BSA Environment Operational Relationships and Data Flow. Source: GAO analysis of agency data. [End of figure] Security Responsibilities: Treasury's Chief Information Officer is responsible for developing and maintaining a departmentwide information security program and for developing and maintaining information security policies, procedures, and control techniques that address all applicable requirements. Each Treasury bureau, including FinCEN and IRS, is responsible for implementing Treasury-mandated security policies within its domain. 
In order to implement departmentwide security policies, FinCEN and IRS are required to develop their own information security programs, including their own security compliance functions. In addition, the organizations operating the systems that support FinCEN's mission have formalized agreements that define security responsibilities. For example, FinCEN's hosting agreement with TCS documents security prerequisites and the responsibilities of TCS as the host network. Additionally, FinCEN and IRS have an interconnection security agreement that identifies the technical requirements of the interconnection between the FinCEN network and the IRS systems that store and process the data. The agreement specifies that FinCEN owns the data and indicates that the environment where the data resides is to be logically isolated from the other systems at IRS.

FinCEN, TCS, and IRS Had Not Fully Implemented Appropriate Security Controls and Practices to Protect Information and Systems Supporting FinCEN's Mission:

Although FinCEN, TCS, and IRS had implemented many information security controls to protect the information and systems supporting FinCEN's mission, weaknesses existed in several critical areas. Specifically, the organizations did not consistently implement effective electronic access controls, including user accounts and passwords, access rights and permissions, encryption of sensitive data, protection of information system boundaries, audit and monitoring of security-relevant events, and physical security to prevent, limit, and detect access to their critical financial and sensitive systems. In addition, weaknesses in other information system controls, including managing system configurations, patching sensitive systems, and service continuity, further increase the risk to the information and systems that support FinCEN's mission. One key reason for these weaknesses was that FinCEN and IRS had not yet fully implemented key elements of their information security programs. 
As a result, BSA data--containing highly sensitive personal and financial information about private individuals that is used by the law enforcement community to identify and prosecute illegal activity--are at an increased risk of unauthorized use, modification, or disclosure. Some Access Controls Had Been Implemented, but Significant Weaknesses Remained: A basic management objective for any organization is to protect the resources that support its critical operations from unauthorized access. Organizations accomplish this objective by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Inadequate access controls diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of sensitive information and disruption of service. Access controls include those related to (1) user identification and authentication, (2) authorization, (3) cryptography, (4) boundary protection, (5) audit and monitoring, and (6) physical security. Weaknesses in each of these areas existed across the BSA environment, as the following sections in this report demonstrate. Policies for Identifying and Authenticating Users Were Established, but Were Not Always Consistently Implemented: A computer system must be able to identify and authenticate different users so that activities on the system can be linked to specific individuals. When an organization assigns unique user accounts to specific users, the system is able to distinguish one user from another--a process called identification. The system must also establish the validity of a user's claimed identity by requesting some kind of information, such as a password, that is known only by the user--a process known as authentication. FinCEN policy states that user IDs and passwords should not be shared. 
National Institute of Standards and Technology (NIST) guidance states that information systems should prohibit passwords from being reused for a specified number of generations and that complex passwords reduce the risk that a password could be guessed by an attacker. IRS requires that passwords not be shared, that each account have a unique user ID, and that default mainframe passwords be changed when information systems are installed.

Weaknesses in identification and authentication controls existed over the information and systems supporting FinCEN's mission at FinCEN, TCS, and IRS, including the following:

* Although FinCEN had established policies for identifying and authenticating users and required complex passwords on its databases, it allowed multiple users to share an account on the dedicated workstation used to download BSA data from IRS.

* TCS also had not consistently implemented effective password controls. For example, three accounts on a key database, including an administrative account, had passwords that were not complex, making them easily guessable. Additionally, the electronic filing application did not lock out user accounts after a specific number of unsuccessful log-in attempts.

* IRS did not always effectively control user identification and authentication. For example, it did not change easily guessable default passwords for two special purpose accounts that provided interactive mainframe privileges, access to BSA data, and powerful processing capabilities.

As a result of these weaknesses, there is an increased risk that malicious individuals could gain inappropriate access to sensitive BSA applications and data.

User Access to Sensitive Data Was Not Always Appropriately Authorized:

Authorization is the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file. 
A key component of authorization and a basic principle for securing computer resources and data is the concept of least privilege. Least privilege means that users are granted access to only those programs and files that they need in order to perform their official duties. To restrict legitimate users' access in this way, organizations establish access rights and permissions. User rights are allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that regulate which users have access to a particular file or directory and the extent of that access. To avoid unintentionally giving users unnecessary access to sensitive files, directories, and special machine instructions that programs use to communicate with the operating system, an organization must give careful consideration to its assignment of rights and permissions. FinCEN requires that access to resources be given only to users who need it, that managers re-evaluate the system privileges granted to users at least once every 6 months, and that all system privileges and access to information immediately cease when employees leave the organization. Additionally, IRS requires that information systems uniquely identify users that access sensitive information and that such access be given only to those employees with a valid need to know.

Weaknesses in authorization controls existed at FinCEN and TCS that could place the information and systems that support FinCEN's mission at risk, as the following examples indicate:

* FinCEN did not always adequately restrict access to sensitive files. The bureau had assigned rights and permissions to network users; however, it did not consistently protect all network resources. For example, it assigned excessive permissions to a shared network drive that stored BSA data received from IRS. In addition, FinCEN managers did not re-evaluate user privileges every 6 months. Further, two former employees retained access to the Web portal for at least 2 weeks after they left FinCEN.

* Additionally, TCS did not consistently ensure that access to resources was appropriate. For example, it did not restrict access to log files and other operating system files associated with the electronic filing application to only those who needed the access to perform their jobs, increasing the risk that data could be accessed by unauthorized users or that malicious activity could potentially go undetected. In addition, it allowed users direct access to a shared administrative account, making it difficult to establish individual accountability for privileged activities.

More serious authorization control weaknesses existed over the information and systems supporting FinCEN's mission operated by IRS, including the following:

* IRS did not implement controls to restrict access to data and systems to only those who needed it. IRS and FinCEN created a memorandum of understanding and an interconnection security agreement in which IRS agreed to secure the systems and data supporting FinCEN by isolating them from other systems and controlling IRS user access to the systems and data through a dedicated network. However, IRS did not isolate the systems and data from its other systems and had not restricted user access to the systems and data via a dedicated network. Instead, other paths allowed any of its employees to gain access without detection, most of whom did not have a legitimate need for such access:

  - IRS allowed more than 600 IRS employees to have privileges on the mainframe supporting FinCEN's mission that they did not need in order to do their jobs; the privileges allowed them to interactively enter commands into the system and perform activities that are usually associated with programming and system administration.

  - Mainframe files had excessive permissions that could allow their contents to be read or copied by any user able to gain interactive access to the mainframe.

  - The systems supporting FinCEN's mission shared their data storage devices with other IRS systems, allowing users with interactive access to the mainframe the ability to view information about the BSA-related datasets, including their location, even though most of them did not have a job-related need for this information.

  - Additionally, IRS did not maintain documentation of approved access privileges allowed to each system resource by each user group on its systems supporting FinCEN's mission, limiting IRS's ability to monitor and verify access privileges.

By allowing access to information and systems to individuals who do not have a legitimate job-related need, FinCEN, TCS, and IRS are placing these data and systems at increased risk of unauthorized access or disclosure, which could hinder FinCEN's ability to fulfill its mission.

FinCEN Employed Encryption, but Sensitive Data Were Not Always Adequately Protected:

Cryptography[Footnote 10] underlies many of the mechanisms used to enforce the confidentiality and integrity of critical and sensitive information. One primary principle of cryptography is encryption. Encryption can be used to provide basic confidentiality and integrity for data by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. FinCEN requires that sensitive information be encrypted when it is transmitted or stored. In addition, IRS requires the use of insecure protocols to be restricted on its systems in order to protect passwords and other sensitive data. 
Weaknesses in encryption controls over the information and systems supporting FinCEN's mission at FinCEN and IRS could place sensitive data at risk, as the following examples indicate:

* Although FinCEN employed encryption mechanisms to protect data on its network and workstations, not all sensitive data were encrypted. FinCEN employed software to encrypt data on removable flash drives. However, user IDs and passwords for a key system were transmitted unencrypted across the FinCEN network, making them vulnerable to being compromised and used to gain unauthorized access. Additionally, although FinCEN encrypted the hard drives on its laptop computers, the encryption software did not protect data after the computers had been booted to a running state.

* IRS did not always secure the transmission of information on its network. For example, user IDs and passwords for the mainframe were transmitted unencrypted over the network, making them vulnerable to being compromised. In addition, it did not use certificates to ensure that the encrypted communications path between its network and the BSA database could be trusted.

As a result, weaknesses in encryption increased the risk of exposing data at FinCEN and IRS to unnecessary disclosure or misuse by unauthorized individuals.

FinCEN and TCS Implemented Boundary Protection and Intrusion Detection Controls, but Weaknesses Remained:

Boundary protections demarcate logical or physical boundaries between unknown users and protected information and systems. Best practices dictate that organizations allocate publicly accessible information system components to separate subnetworks with separate physical network interfaces and that key components within private networks are also adequately segregated as subnetworks. Unnecessary connectivity to an organization's network increases not only the number of access paths that must be managed and the complexity of the task, but also the risk of unauthorized access in a shared environment.
NIST guidance states that information systems should establish a trusted communications path between remote users, that firewalls should control both outgoing and incoming network traffic, and that boundary mechanisms separate computing systems and network infrastructures. In addition, IRS requires that test and production environments be kept separate.

Although FinCEN and TCS had employed controls to segregate sensitive areas of their networks and protect them from intrusion, the organizations did not always adequately control the logical and physical boundaries protecting information and systems supporting FinCEN's mission, as the following examples indicate:

* FinCEN had not fully implemented controls to protect the boundaries of its network. For example, FinCEN did not configure its virtual private network[Footnote 11] with controls to validate whether the systems that connected to it were secure. In addition, it did not employ host-based firewalls on its workstations.

* TCS also did not always control the logical and physical boundaries protecting the systems supporting FinCEN. For example, TCS stored sensitive files on a network segment that was less secure than other segments. In addition, the TCS e-mail server allowed spoofed e-mail messages[Footnote 12] and potentially harmful attachments to be delivered to FinCEN.

* IRS did not restrict the processing of sensitive data on its systems that support FinCEN. For example, updates to libraries containing key control programs and source code and creation and deletion of datasets containing BSA information were submitted from areas of the mainframe that did not support FinCEN. In addition, some of this processing originated from a test environment.

As a result, there is an increased risk that individuals, internal and external to FinCEN, TCS, and IRS, could gain unauthorized access to the information and systems that support FinCEN's mission.
Audit and Monitoring Controls Were Implemented, but They Did Not Always Capture Key Events:

To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail of needed information in the desired format and locations so they can use it to determine the source of a transaction or attempted transaction and to monitor users' activities. The way in which organizations configure system or security software determines the nature and extent of information that the audit trails can provide. A key aspect of this process is managing audit logs.[Footnote 13] Organizations should periodically review audit log design, review processes and procedures, and implement changes as needed to ensure that logs effectively detect security incidents.

FinCEN requires audit logs to be maintained for all information systems and for unsuccessful log-in attempts to be recorded; in addition, it requires intrusion detection systems[Footnote 14] to be employed to protect the network from external threats. Similarly, IRS policy requires that audit records be created, protected, and retained to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

Weaknesses in audit and monitoring controls existed over the systems supporting FinCEN's mission at FinCEN and IRS, including the following:

* FinCEN logged user activity for two key applications; however, it did not always log security events on its databases. For example, the bureau did not enable auditing on the FinCEN BSA database and did not log failed log-in attempts to the database's error logs. In addition, its intrusion detection systems did not capture data from complete sessions or inspect outbound encrypted traffic.
* IRS did not effectively capture changes to datasets on its mainframe. Specifically, it did not configure its security software to log successful changes to key datasets that contain parameters and procedures used to support production operations of the operating system, system utilities, and user applications, including WebCBRS.

As a result of weaknesses in logging and monitoring controls at FinCEN and IRS, there is an increased risk that unauthorized activity would not be effectively detected or investigated.

FinCEN Controlled Physical Access to Sensitive Areas, but Did Not Control Laptop Computers Entering and Exiting Its Facility:

Physical security controls are important for protecting computer facilities and resources from espionage, sabotage, damage, and theft. These controls restrict physical access to computer resources, usually by limiting access to the buildings and rooms in which the resources are housed and by periodically reviewing the access granted in order to ensure that it continues to be appropriate. FinCEN's physical security policy requires that access to sensitive areas be restricted to authorized personnel and that all information system-related items, including laptop computers, are to be monitored and controlled when they enter or leave FinCEN.

Although FinCEN controlled access to sensitive areas, it did not always implement a physical security control. FinCEN implemented an electronic badging system to control access to sensitive areas. However, at the time of our site visits, security guards at the FinCEN facility did not inspect laptop computers entering and exiting the facility. Controlling the entry and exit of laptop computers would reduce the risk that a malicious individual could introduce malware onto the FinCEN network or that sensitive data could be taken off site without authorization.
Other Information Security Weaknesses Existed:

In addition to access controls, other important controls should be in place to protect the confidentiality, integrity, and availability of an organization's information. These controls include policies, procedures, and techniques for (1) ensuring continuity of computer processing operations in the event of a disaster or unexpected interruption; (2) securely configuring information systems and preventing unauthorized changes to systems; and (3) protecting systems from known vulnerabilities. Weaknesses in these control areas increased the risk of unauthorized use, disclosure, modification, or loss of sensitive information and information systems supporting FinCEN's mission.

FinCEN Documented Contingency Plans for Major Systems, but the Plans for High-Risk Systems Were Not Fully Tested:

Continuity of operations planning, which includes contingency planning, is a critical component of information protection. Continuity planning controls should be designed to ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed and that critical and sensitive data are protected. These controls include (1) environmental controls and procedures designed to protect information resources and minimize the risk of unplanned interruptions and (2) a well-tested plan to recover critical operations should interruptions occur. If service continuity controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which can cause financial losses, expensive recovery efforts, and inaccurate or incomplete financial or management information. NIST guidance states that contingency plans for high-risk systems should be tested at an alternate processing site. In addition, FinCEN policy requires contingency plans to be documented for each major system and tested at least annually.
FinCEN documented and tested contingency plans for each of the three major systems we reviewed, including two high-risk systems. For the high-risk systems, the plan for the network infrastructure had been tested with a table top exercise, and portions of the Web portal plan had been simulated in a functional exercise. Although the plans had not undergone a full functional test at FinCEN's alternate processing site, the bureau identified this as a weakness and planned to conduct tests at the alternate site once the infrastructure at the site was capable of supporting a full test. However, until FinCEN tests the plans at the alternate site, the risk that FinCEN may not be able to effectively recover these systems and resume normal operations after a disruption is increased.

IRS and FinCEN Implemented Configuration Management and System Change Controls, but Weaknesses Remained:

The purpose of configuration management is to establish and maintain the integrity of an organization's systems. Organizations can better ensure that only authorized applications and programs are placed into operation by establishing and maintaining baseline configurations and by monitoring changes to these configurations. Organizations should ensure that changes to systems are necessary, work as intended, and do not result in the loss of data or program integrity by documenting, authorizing, testing, and independently reviewing changes.

FinCEN's configuration management policy requires that change control procedures be developed and that documentation be created and retained for configuration changes. Additionally, NIST guidance states that change control procedures should address emergency changes. Further, IRS policy requires the establishment and maintenance of baseline configurations and inventories of organizational information systems and the establishment and enforcement of security configuration settings for IT products employed in organizational information systems.
Weaknesses existed in configuration management controls at FinCEN and IRS over the systems that support FinCEN's mission, including the following:

* FinCEN maintained an inventory for its network assets, established configuration management plans for its major systems, and established processes for documenting, authorizing, testing, and reviewing system changes. However, its configuration management plans were not fully documented and not all system changes included required documentation. For example, the Web portal plan did not describe the documentation that was required for system changes and the electronic filing system plan did not describe a key step in the change control process. In addition, the Web portal and network infrastructure plans did not include procedures for handling emergency changes. Moreover, although its network infrastructure configuration management plan required security assessments to be documented for changes, FinCEN did not document them for any of the eight infrastructure changes we reviewed.

* IRS did not always adequately manage the configuration of sensitive systems. IRS had adequately documented and tested the seven changes to the WebCBRS application that we reviewed. However, IRS did not maintain or enforce a baseline configuration on the mainframe system that supports the WebCBRS system and the BSA database, as well as other critical IRS systems.

Until FinCEN fully documents change control procedures and system changes, there is an increased risk that changes to its systems could be unnecessary, may not work as intended, or may result in the unintentional loss of data or program integrity. Moreover, without a baseline configuration, IRS is unable to adequately track and monitor changes to its mainframe, potentially placing sensitive BSA data at risk.
FinCEN Established a Patch Management Program, but Key Systems Were Missing Critical Patches:

Patch management is a critical process that can help alleviate many of the challenges of securing computing systems.[Footnote 15] As vulnerabilities in a system are discovered, attackers may attempt to exploit them, possibly causing significant damage. Malicious acts can range from defacing Web sites to taking control of entire systems, thereby being able to read, modify, or delete sensitive information; disrupt operations; or launch attacks against other organizations' systems. After a vulnerability is validated, the software vendor may develop and test a patch or workaround to mitigate the vulnerability. Incident response groups and software vendors issue information updates on the vulnerability and the availability of patches. FinCEN policy requires all of its systems to be patched on a monthly basis, that patches be tested on nonproduction systems before being loaded onto production systems, and a log be maintained of all patches applied to each system.

FinCEN did not always apply patches in a timely manner, and sensitive systems were missing critical patches. Although the bureau required all of its systems to be patched monthly, it was only applying patches to the Web portal application every 3 months. Furthermore, several systems that processed BSA data were missing critical patches or were running software that was out of date. Because the organization was not always applying patches in a timely manner, had not yet installed many critical patches, and had not upgraded software on all of its systems, data were unnecessarily vulnerable to compromise.

FinCEN and IRS Had Not Fully Implemented Elements of Their Information Security Programs:

A key reason for the information security weaknesses over the information and systems supporting FinCEN's mission is that FinCEN and IRS had not fully implemented information security program elements required by FISMA.
FISMA requires agencies to develop, document, and implement an information security program that, among other things, includes:

* periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems;

* policies and procedures that (1) are based on risk assessments, (2) cost-effectively reduce information security risks to an acceptable level, (3) ensure that information security is addressed throughout the life cycle of each system, and (4) ensure compliance with applicable requirements;

* plans for providing adequate information security for networks, facilities, and systems;

* security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies and procedures, as well as training personnel with significant security responsibilities for information security;

* periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems; and:

* a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in its information security policies, procedures, or practices.

Although FinCEN made progress in implementing its information security program, it had not yet fully implemented key activities. Additionally, although we did not fully evaluate IRS's security program separately as a part of this review, in previous reports we have found that key elements of IRS's program have shortcomings.
Until all key elements of its information security programs are fully and consistently implemented, FinCEN and IRS will not have sufficient assurance that new weaknesses will not emerge and that sensitive data and systems are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.[Footnote 16]

FinCEN Conducted Risk Assessments for Systems Transmitting and Storing BSA Data:

Identifying and assessing information security risks are essential steps in determining what controls are required to mitigate the risks. Moreover, by increasing awareness of risks, these assessments can generate support for the policies and controls that are adopted in order to help ensure that these policies and controls operate as intended. NIST guidelines state that the identification of risk for an information technology system requires an understanding of the system's processing environment, including data and information, system and data criticality, and system and data sensitivity. Furthermore, according to NIST, risk management should identify threats and vulnerabilities, set priorities for actions to reduce risks, identify new controls or countermeasures, and determine risks remaining after implementing the new control, also known as residual risk. FinCEN risk assessment policy requires that risk assessments be documented for all systems, conducted in accordance with NIST guidance, and updated at least every 3 years as part of the certification and accreditation process.

FinCEN documented risk assessments for all three of the major systems we reviewed; they were conducted in accordance with FinCEN policy and NIST guidance for risk assessments. The assessments were current, documented potential threats, and recommended corrective actions for mitigating or eliminating the vulnerabilities identified.
FinCEN Made Progress Toward Developing and Documenting Information Security Policies and Procedures, but Lacked Detailed Implementing Guidance:

A key element of an effective information security program is establishing and implementing appropriate policies, procedures, and technical standards to govern security over an agency's computing environment. Moreover, such policies and procedures should integrate all security aspects of an organization's interconnected environment, including local and wide area networks and interconnections to contractors and other federal agencies that support critical mission operations. Establishing and documenting security policies is important because they are the primary mechanism by which management communicates its views and requirements; these policies also serve as the basis for adopting specific procedures and technical controls. In addition, agencies need to take the actions necessary to effectively implement or execute these procedures and controls. Otherwise, agency systems and information will not receive the protection that should be provided by the security policies and procedures.

Although FinCEN had made progress toward developing and documenting information security policies and procedures, the policies did not always include key information, and detailed implementing guidance for its policies did not always exist. FinCEN updated its policies and approved them in June 2008; the policies replaced older ones that had not been updated since 2003. However, shortcomings in the updated policies existed. For example, although FinCEN established a patch management policy, the implementing guidance for UNIX patches did not address prioritization of critical patches. In addition, its policy requiring that the network be protected by an intrusion detection system did not require that outbound network traffic be inspected.
Further, the bureau did not have detailed implementation guidance for securely configuring its virtual private network. The weaknesses we identified in each of these controls demonstrate the need for such guidance.

FinCEN and IRS Developed System Security Plans, but FinCEN Did Not Document All Required Controls:

An information system security plan should provide a complete and up-to-date overview of a system's security requirements and describe the controls that are in place or planned to meet those requirements. Office of Management and Budget (OMB) Circular A-130 specifies that agencies develop and implement system security plans for major applications and for general support systems and that these plans address policies and procedures for providing management, operational, and technical controls. Under FISMA, federal agencies are required to categorize information systems as low, moderate, or high impact; apply the appropriate set of baseline security controls in accordance with NIST guidance; and document the security controls in a system security plan. In addition, NIST recommends that security plans include, among other topics, existing or planned security controls, the name of the individual responsible for the security of the system, a description of the system and its interconnected environment, and rules of behavior for individuals accessing the system.

FinCEN also requires that its system security plans describe the system's security requirements, identify the security controls and whether they are planned or implemented for a system, and that they be reviewed, updated, and reapproved by management at least annually, or whenever a significant change to the system occurs. Additionally, IRS requires that system security plans document the security controls for systems, whether planned or in place, as well as rules of behavior for individuals accessing the system.
Although FinCEN documented system security plans for each of its major information systems, it did not always consistently document controls. While the three system security plans we reviewed documented the status of almost all of the required management, operational, and technical controls, two plans for systems categorized as high impact did not document five required security controls. During our review, FinCEN provided updated versions of the plans; however, one of them still did not document one control or describe how another control was implemented.

IRS documented system security plans for each of its three major systems that support FinCEN's mission. The plans included information required by OMB; documented the management, operational, and technical controls in place; and mapped the controls directly to those prescribed by NIST.

FinCEN Employees Completed Security Awareness Training:

An important component of an information security program is providing required training so that users understand system security risks and their own role in implementing related policies and controls to mitigate those risks. FISMA mandates that federal employees and contractors who use agency information systems be provided with periodic training in information security awareness. FISMA also requires agencies to provide appropriate training on information security to personnel who have significant security responsibilities. This training, described in NIST guidance,[Footnote 17] should inform personnel, including contractors and other users of information systems supporting the operations and assets of an agency, of information security risks associated with their activities and their roles and responsibilities to properly and effectively implement the practices that are designed to reduce these risks.
Depending on an employee's specific security role, training could include specialized topics, such as incident detection and response, physical security, or firewall configuration. FinCEN also requires all of its employees and contractors to complete annual security awareness training and for individuals with significant security responsibilities to complete specialized security awareness training annually.

FinCEN implemented a security awareness training program and ensured that its employees and contractors completed it annually. The annual training given to all employees and contractors included topics that were consistent with NIST guidance, such as laws and regulations, e-mail security, procedures for handling sensitive information, and security threats such as viruses. The bureau reported that all of its 471 employees and contractors who were required to do so completed the training between June 2007 and July 2008. FinCEN provided certificates documenting that all 17 of the employees that we selected had completed required training and that all 8 of the employees holding significant IT responsibilities that we selected had completed the required specialized training.

FinCEN Conducted Periodic Vulnerability Scans, but the Scans Were Not Always Comprehensive or Timely:

An important element of an information security program is ongoing testing and evaluation to ensure that systems are in compliance with policies and controls that are both appropriate and effective. This type of oversight is a fundamental element because it demonstrates management's commitment to the security program, reminds employees of their roles and responsibilities, and identifies and mitigates areas of noncompliance and ineffectiveness. Although control tests and evaluations may encourage compliance with security policies, the full benefits of such activities will not be achieved unless the results improve the security program.
Analyzing the results of monitoring efforts--as well as security reviews performed by external audit organizations--provides security specialists and business managers with a means of identifying new problem areas, reassessing the appropriateness of existing controls, and identifying the need for new controls. NIST requires organizations to scan information systems for vulnerabilities; in addition, it states that vulnerability analysis for custom software and applications includes specialized approaches such as review of source code. In addition, according to commercial vendors, running scanning software in an authenticated mode allows the software to detect additional vulnerabilities. FinCEN policy also requires periodic scanning of its systems every 3 months to detect potential vulnerabilities.

Although FinCEN conducted periodic vulnerability scans of major systems, the scans were not always comprehensive or timely. FinCEN scanned its workstations and network infrastructure, but did not scan databases or applications; it also did not scan or conduct independent reviews of source code for its internally developed applications. Further, scanning had not been conducted quarterly; in June 2008, FinCEN officials told us that they had not conducted any scans since February 2008, a period of 4 months. As a result, FinCEN could be unaware of many undetected vulnerabilities in its applications, systems, and network in a timely manner.

FinCEN Improved Its Process for Verifying Corrective Actions, but IRS's Corrective Actions Were Not Always Effective:

In its guidance to agencies, OMB requires agencies to develop remedial action plans, also known as plans of action and milestones. A remedial action plan assists agencies in the identification, assessment, prioritization, and monitoring of the progress of corrective efforts for weaknesses found in systems and programs.
FinCEN policy requires that the agency track vulnerabilities found during security assessments, together with planned and implemented mitigation actions to correct these weaknesses, in each system's respective remedial action plan. IRS has a similar policy, which requires that it track the status of resolution for all weaknesses and verify that each weakness is corrected.

FinCEN developed a new remedial action management process to manage and mitigate security weaknesses in its systems. FinCEN officials told us that the bureau did not have a process to document and validate remedial actions prior to March 2008 and that the new process was developed in order to address this. The process describes how the bureau plans to identify, prioritize, and track vulnerabilities as they are addressed. Among other things, the new process requires:

* monthly meetings between key staff and the Information Security System Officer in order to review the status of new and existing vulnerabilities;

* vulnerabilities to be prioritized according to risk; and:

* all information concerning remedial actions to be updated at least monthly.

FinCEN officials told us that they had collected supporting documentation when remedial actions were completed and provided us with examples. However, FinCEN's procedure for the new process did not specify that supporting documentation was required. Requiring supporting documentation in the procedure would better ensure that remedial actions are verified as effective.

As we have previously reported,[Footnote 18] IRS's verification process for determining whether remedial actions were implemented was not always effective. In January 2009, we reported that IRS indicated that it had corrected or mitigated 65 previously reported weaknesses but that 16 still existed at the time of our review; 3 of these weaknesses affect the systems that support FinCEN's mission.
We have identified a similar weakness in both our January 2008[Footnote 19] and March 2007[Footnote 20] reports; however, this condition continues to exist. Without a sound remediation process, IRS will not have assurance that the proper resources will be applied to known vulnerabilities or that those vulnerabilities will be properly mitigated. We have previously recommended that IRS implement a revised remedial action verification process that ensures actions are fully implemented.

Conclusions:

FinCEN, TCS, and IRS have taken important steps in implementing numerous controls to protect the information and systems that support FinCEN's mission. However, significant weaknesses in access controls and other information security controls existed at all three organizations that impaired their ability to ensure the confidentiality, integrity, and availability of the information and systems. FinCEN had made important progress in implementing its information security program; however, one key reason for many of the weaknesses was that FinCEN and IRS had not yet fully implemented elements of their information security programs. Further actions are needed to address the risk to the information and systems. Until (1) the organizations act to mitigate identified weaknesses and (2) FinCEN and IRS fully implement their information security programs, there is an increased risk that sensitive BSA information will not be adequately protected against unauthorized disclosure or modification and that systems could be disrupted.
Recommendations for Executive Action:

To better ensure the security of the overall BSA environment, we are recommending that the Secretary of the Treasury direct the Director of FinCEN to fully implement its information security program by taking the following five actions:

* Update information security policies and procedures to address key missing information such as patch prioritization and inspection of outbound network traffic, as well as to include detailed implementation guidance for issues such as securely configuring the virtual private network.

* Ensure that system security plans document all required controls and describe how all required controls are implemented.

* Conduct vulnerability scans on databases, applications, and network infrastructure on a quarterly schedule.

* Implement vulnerability scanning of custom source code or manual source code reviews.

* Update remedial action procedures to require that supporting documentation be provided to verify that corrective actions are fully implemented and effective.

In a separate report designated "Limited Official Use Only", we are making 88 detailed recommendations to the Secretary of the Treasury to strengthen information security controls at FinCEN, TCS, and IRS over the systems supporting FinCEN's mission.

Agency Comments:

In providing written comments (reprinted in app. II) on a draft of this report, Treasury's Deputy Assistant Secretary for Information Systems and Chief Information Officer stated that the department is committed to promoting the nation's security through strengthened financial systems and promoting safer and more transparent U.S. and international financial systems, noting that securely maintaining BSA information significantly contributes to this goal. He also stated that Treasury will provide a detailed corrective action plan for each of the recommendations and that many of the actions required to address the recommendations are already completed or under way.
We are sending copies of this report to interested congressional committees, the Secretary of the Treasury, the Director of FinCEN, the Commissioner of Internal Revenue, the Treasury Inspector General, and the Treasury Inspector General for Tax Administration. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].

If you or your staffs have any questions regarding this report, please contact Nancy Kingsbury at (202) 512-2700 or Gregory C. Wilshusen at (202) 512-6244. We can also be reached by e-mail at kingsburyn@gao.gov and wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III.

Signed by:

Nancy R. Kingsbury:
Managing Director, Applied Research and Methods:

Signed by:

Gregory C. Wilshusen:
Director, Information Security Issues:

[End of section]

Appendix I: Objective, Scope, and Methodology:

The objective of our review was to determine whether information security controls have been implemented that effectively protect the confidentiality, integrity, and availability of the information and information systems supporting the mission of the Financial Crimes Enforcement Network (FinCEN). To accomplish this, we tested the effectiveness of information security and information technology-based internal controls. We focused our evaluation on the controls for the applications, databases, and network infrastructure that directly or indirectly support the processing and storage of Bank Secrecy Act (BSA) data on behalf of FinCEN at the Department of the Treasury (Treasury), FinCEN, and the Internal Revenue Service (IRS).
Specifically, we evaluated FinCEN's network infrastructure and Web portal used to access BSA data; the Web-based Currency and Banking Retrieval System (WebCBRS) and the mainframe and network infrastructure supporting it at IRS; and the electronic filing system and related network infrastructure at the Treasury Communications System (TCS). Our evaluation was based on our Federal Information System Controls Audit Manual, which contains guidance for reviewing information system controls that affect the confidentiality, integrity, and availability of computerized information. We also used FinCEN, IRS, and Treasury policies and procedures to evaluate the information system controls at the organizations. Additionally, where federal requirements or guidelines were applicable, such as the Federal Information Security Management Act of 2002 (FISMA) or National Institute of Standards and Technology (NIST) guidance, we used them to assess the extent to which the organizations had complied with specific requirements. 
To determine whether TCS, FinCEN, and IRS had implemented access controls, contingency planning controls, and configuration controls over the information and systems that support FinCEN, we:

* evaluated and reviewed the security software password settings to determine if users were appropriately identified and authenticated and if strong password management was enforced;

* examined application and system access lists and associated documentation to determine whether users were properly authorized or had more permissions than necessary to perform their assigned job functions;

* analyzed network and system configurations to determine if access paths were adequately controlled and if sensitive data were being encrypted;

* tested and observed physical access controls and environmental controls to determine if computer facilities and resources were being protected from intentional or unintentional loss or impairment;

* evaluated and reviewed backup and recovery procedures to determine if they adequately protected key systems against service interruptions;

* examined contingency plans and test results for key FinCEN systems to determine whether those plans were adequately documented, had been updated, or had been appropriately tested;

* inspected key servers, workstations, and network infrastructure devices to determine whether critical patches had been installed or were up-to-date; and

* evaluated and reviewed change request documentation to determine if system and application changes were appropriately authorized, tested, and approved.

To assess whether FinCEN had fully implemented an information security program to ensure that controls were established and maintained for its information systems, we used the requirements of FISMA, which establish key elements for an effective agencywide information security program.
To evaluate FinCEN's implementation of these key elements, we:

* analyzed risk assessments for key FinCEN systems to determine whether risks and threats were documented;

* examined security plans to determine if management, operational, and technical controls were in place or planned and whether these security plans were updated;

* analyzed FinCEN policies, procedures, practices, and standards to determine their effectiveness in providing guidance to personnel responsible for securing information and information systems;

* inspected training records for personnel with significant responsibilities to determine if they received training commensurate with those responsibilities;

* analyzed test plans and test results for key FinCEN systems to determine whether management, operational, and technical controls were adequately tested at least annually and were based on risk; and

* evaluated FinCEN's process to correct weaknesses to determine whether remedial action plans complied with federal guidance.

In addition, we examined IRS's security plans for WebCBRS and the related general support systems to determine if management, operational, and technical controls were in place or planned and whether these security plans were updated. We also interviewed key security representatives and officials responsible for information security management at FinCEN, TCS, and IRS to help determine whether information system controls were in place, adequately designed, and operating effectively. We also reviewed a previous report issued by the Treasury Inspector General's Office on FinCEN information security and previous reports from GAO on IRS information security.

Our work was conducted in the Washington, D.C., metropolitan area and at FinCEN, TCS, and IRS computing facilities in Virginia and Michigan. We conducted this performance audit from March 2008 to January 2009 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

[End of section]

Appendix II: Comments from the Department of the Treasury:

Department Of The Treasury:
Washington, DC 20220:

January 16, 2009:

Mr. Greg Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
441 G Street N.W.
Washington, D.C. 20515:

Dear Mr. Wilshusen:

Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft reports entitled, Information Security: Further Actions Needed to Address Risks to Bank Secrecy Act Data (GAO-09-200SU and GAO-09-195). Treasury is committed to promoting the nation's security through strengthened financial systems and promoting safer and more transparent U.S. and international financial systems. The ability to securely maintain Bank Secrecy Act (BSA) information contributes significantly to this goal. Therefore, we appreciate GAO's efforts in reviewing BSA information security.

Although the Financial Crimes Enforcement Network (FinCEN) is the administrator of the BSA, your reports correctly note that three entities within Treasury have responsibilities associated with maintaining and safeguarding BSA information: FinCEN, the Department's Office of the Chief Information Officer (OCIO) which operates the Treasury Communications System (TCS), and the Internal Revenue Service Enterprise Computing Center in Detroit (IRS ECC-Detroit). Many of the actions required to address the recommendations are already completed or underway.
Specifically, of the 41 recommendations addressed to FinCEN, 18 have already been completed; of the 21 recommendations addressed to the Department's OCIO, 12 have already been completed; and of the 11 addressed to IRS, 4 have already been completed. Treasury will provide a detailed corrective action plan for each of the recommendations with the response to the final reports.

If you have any questions, please feel free to contact Mr. Ed Roback, Associate Chief Information Officer for Cyber Security at 202-622-2593.

Sincerely,

Signed by:

Michael D. Duffy:
Deputy Assistant Secretary for Information Systems and Chief Information Officer:

[End of section]

Appendix III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Nancy R. Kingsbury, (202) 512-2700 or kingsburyn@gao.gov:
Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov:

Staff Acknowledgments:

In addition to the contacts named above, Edward Alexander and Jeffrey Knott (Assistant Directors), Rebecca Alvarez, Angela Bell, Bruce Cain, William Cook, Neil Doherty, Denise Fitzpatrick, Myong Kim, George Kovachick, Rebecca LaPaze, Kevin Metcalfe, Nancy Glover, David Plocher, Zsaroq Powe, Matthew Snyder, and Christopher Warweg made key contributions to this report.

[End of section]

Footnotes:

[1] Bank Secrecy Act, Titles I and II of Pub. L. No. 91-508, 84 Stat. 1114 (1970), as amended, codified at 12 U.S.C. §§ 1829b, 1951-1959, and 31 U.S.C. §§ 5311-5322.

[2] Information security controls include access controls, configuration management, patch management, and continuity of operations. These controls are designed to ensure that access to data is appropriately restricted, that systems are configured appropriately, that systems are protected against known vulnerabilities, and that back-up and recovery plans are adequate to ensure the continuity of essential operations.
[3] GAO, High-Risk Series: Information Management and Technology, [hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: February 1997).

[4] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009).

[5] FISMA was enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2946 (Dec. 17, 2002).

[6] USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).

[7] 31 U.S.C. § 5318(g)(1) and 31 C.F.R. §§ 103.15-103.21. Depending on the type of financial institution, the threshold amount may vary. For example, money services businesses generally must file a Suspicious Activity Report if a transaction involves or aggregates $2,000 in funds or other assets. Suspicious Activity Report forms must be filed for certain suspicious transactions involving possible violations of law or regulation, including transactions that are broken up for the purpose of evading the BSA reporting and record-keeping requirements.

[8] In addition to the dollar amount of the cash transaction, these reports may record other sensitive information, including the name of the account owner; the name of the person actually conducting the transaction (if not the account holder); social security numbers; driver's license or identification numbers; and account numbers.

[9] According to FinCEN, approximately 71 percent of BSA submissions are made through the electronic filing system.

[10] Cryptography is the discipline that embodies principles, means, and methods for providing information security, including confidentiality, data integrity, nonrepudiation, and authenticity.

[11] A virtual private network is a private network that is maintained across a shared or public network, such as the Internet, by means of specialized security procedures. Virtual private networks are intended to provide secure connections between remote clients, such as branch offices or traveling personnel, and a central office.
[12] E-mail spoofing occurs when a user receives e-mail that appears to have originated from one source when it actually was sent from another source. E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

[13] Log management is the process for generating, transmitting, storing, analyzing, and disposing of log data.

[14] An intrusion detection system detects inappropriate, incorrect, or anomalous activity that is aimed at disrupting the confidentiality, availability, or integrity of a protected network and its computer systems.

[15] For example, see GAO, Information Security: Continued Action Needed to Improve Software Patch Management, [hyperlink, http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2, 2004).

[16] The information and systems at TCS that support FinCEN's mission are subject to the information security program for Treasury; however, we did not evaluate Treasury's program as part of this review.

[17] NIST, Information Technology Security Training Requirements: A Role-and Performance-Based Model, SP 800-16 (Gaithersburg, Md., April 1998); and NIST, Building an Information Technology Security Awareness and Training Program, SP 800-50 (Gaithersburg, Md., October 2003).

[18] GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009).

[19] GAO, Information Security: IRS Needs to Address Pervasive Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-08-211] (Washington, D.C.: Jan. 8, 2008).

[20] GAO, Information Security: Further Efforts Needed to Address Significant Weaknesses at the Internal Revenue Service, [hyperlink, http://www.gao.gov/products/GAO-07-364] (Washington, D.C.: Mar. 30, 2007).
[End of section]