
Firewall Security Review: Audit Report

The USPS OIG conducted an audit of Postal Service firewalls and found: 1) Firewalls were not implemented or properly configured at many mail processing facilities, leaving those systems vulnerable. 2) Firewall rules were not regularly reviewed and maintained, resulting in duplicate and outdated rules. 3) Firewall security standards and policies were not always followed or updated annually as required. The OIG made recommendations to implement firewalls at all facilities, regularly review and update firewall configurations and rules, and ensure security standards are followed.

Uploaded by

Abhishek Bahirat

Firewall Security Review
Audit Report

Report Number IT-AR-16-005
January 26, 2016

Highlights

Background
U.S. Postal Service mail processing equipment and mail
handling equipment (MPE/MHE) includes computer systems
and networks that manage, monitor, and control mail processing
functions. There are about 74 types of MPE/MHE totaling more
than 8,500 pieces of equipment used to sort about 155 billion
mailpieces annually.

To secure its mail processing systems and control access to the
MPE/MHE environment, the Postal Service relies on 285 firewalls
to control the flow of network traffic. Therefore, firewall policies
that effectively address security risks are critical to protecting
the Postal Service network.

Our objective was to determine whether network firewalls
are in place, properly managed, and functioning to safeguard
Postal Service mail processing operations according to
Postal Service standards and industry best practices.

What the OIG Found
Postal Service firewalls are at all facilities and
are not properly managed and functioning to safeguard mail
processing operations according to Postal Service standards
and industry best practices. We identified 67 out of 352 mail
processing facilities that did not
MPE/MHE as required. Firewall administrators also did not
apply six of the nine critical security controls required for any of
the 30 firewalls we sampled.

In addition, firewall administrators did not manage firewall rules
effectively or remove duplicate firewall rules. For the 30 firewalls
in our sample, we reviewed 504,528 rules and identified
We also identified
69,258 (14 percent) rules that
, and 31,754 (6 percent) were
duplicate rules.

Further, we found the Postal Service does not always document
and approve MPE/MHE firewall rule changes. During our audit,
the Corporate Information Security Office updated the policy
to include MPE/MHE rule changes in the Network Connectivity
Review Board’s approval process; therefore, we are not issuing
a recommendation on this issue.

Finally, we determined that firewall administrators did not review
and update firewall security standards annually as required.

Firewalls were at some facilities because firewall
administrators and system analysts decided to
due to budget constraints. However,
their management did not perform a risk assessment to determine
the associated impact. In addition, Information Technology
firewall administrators and Engineering systems analysts
focused on supporting system deployment as opposed to
implementing critical security controls and managing firewall rules.

Facilities , along with improperly configured,
outdated, or nonexistent firewall security controls, significantly
decrease the Postal Service’s network security. This increases
the risk of unauthorized access to data and disruption of critical
mail processing operations.

What the OIG Recommended
We recommended administrators and analysts
at all mail processing facilities. In addition, we
recommended firewall administrators regularly review and
update current firewall configuration settings and implement
all security controls in the hardening standards. Finally, we
recommended administrators and analysts review firewall
rules every 6 months and review and update firewall security
standards annually in accordance with policy.

Transmittal Letter

January 26, 2016

MEMORANDUM FOR: BRIAN W. CARNELL
ACTING VICE PRESIDENT, INFORMATION TECHNOLOGY

MICHAEL J. AMATO
VICE PRESIDENT, ENGINEERING SYSTEMS

GREGORY S. CRABB
ACTING CHIEF INFORMATION SECURITY OFFICER
AND VICE PRESIDENT DIGITAL SOLUTIONS

E-Signed by Kimberly Benoit

FROM: Kimberly F. Benoit
Deputy Assistant Inspector General
for Technology, Investment and Cost

SUBJECT: Audit Report – Firewall Security Review
(Report Number IT-AR-16-005)

This report presents the results of our audit of the Postal Service’s Firewall Security
Review (Project Number 15TG036IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Sean Balduff, acting director,
Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management

Table of Contents

Cover
Highlights
  Background
  What the OIG Found
  What the OIG Recommended
Transmittal Letter
Findings
  Introduction
  Summary
  Mail Processing Facilities Without Firewalls
  Firewall Configuration Review
  Firewall Rules Management
  Firewall Hardening Standards
Recommendations
  Management’s Comments
  Evaluation of Management’s Comments
Appendices
  Appendix A: Additional Information
    Background
    Objective, Scope, and Methodology
    Prior Audit Coverage
  Appendix B: Management’s Comments
Contact Information

Findings

Introduction
This report presents the results of our self-initiated audit of the U.S. Postal Service’s firewall security review (Project Number
15TG036IT000). Our objective was to determine whether network firewalls are in place, properly managed, and functioning to
safeguard mail processing operations according to Postal Service standards and industry best practices. See Appendix A for
additional information about this audit.

The Postal Service has one of the world’s largest information technology (IT) networks to store, transmit, and process sensitive
employee, customer, financial, law enforcement, and injury compensation data. Therefore, it is vital that the Postal Service
secures sensitive information to allow for uninterrupted mail processing and network operations, and maintain the trust of the
American public.

Postal Service mail processing equipment and mail handling equipment¹ (MPE/MHE) includes computer systems and networks
that manage, monitor, and control mail processing functions. In addition, these systems collect workload statistics and transmit
data between the MPE/MHE and Postal Service information systems. There are about 74 different types of MPE/MHE totaling
more than 8,500 pieces of equipment used to sort about 155 billion mailpieces annually. To secure its mail processing systems,
the Postal Service relies on 285 firewalls² to control the flow of network traffic. These firewalls help control access to MPE/MHE
systems and resources; therefore, firewall policies that effectively address security risks are critical to protecting the Postal Service
and its network.

Summary

Postal Service firewalls are at all facilities and are not properly managed and functioning to safeguard mail processing
operations according to Postal Service standards and industry best practices. Specifically, we identified mail processing
facilities that to protect their MPE/MHE. In addition, for the 30 firewalls we sampled,³ firewall administrators
did not apply six of the nine critical security controls as required by the Postal Service’s security standards.

Further, firewall administrators did not manage firewall rules effectively and did not remove duplicate firewall rules. For the 30 firewalls
in our sample, we reviewed 504,528 rules and identified four rules that allowed to flow
through two firewalls. We also identified 69,258 (14 percent) rules that allowed network traffic from
, and 31,754 (6 percent) duplicate rules. We also found that the Postal Service does not always document and review
MPE/MHE firewall rule changes and firewall administrators did not review and update firewall security standards in accordance
with Postal Service policy.

These issues exist because firewall administrators and system analysts decided to due
to budget constraints. In addition, IT firewall administrators and Engineering Systems analysts focused on supporting system
deployment as opposed to implementing security controls and managing firewall rules. Further, the telecommunications
infrastructure⁴ at mail processing facilities is not equipped to handle .
Facilities , along with improperly configured, outdated, or nonexistent firewall security controls, significantly
decrease the Postal Service’s network security. This increases the risk of unauthorized access to data and disruption of critical
mail processing operations.

1 Examples of mail processing and handling equipment include the Automated Flat Sorting Machine (AFSM), Delivery Barcode Sorter (DBSC), and National Directory
Support System (NDSS).
2 A network security device designed to control incoming and outgoing network traffic based on predetermined security rules.
3 See Table 1 for a listing of the 30 firewalls we sampled.
4 Telecommunication infrastructure refers to the transmission or exchange of information over significant distances by electronic means.

Mail Processing Facilities Without Firewalls


Firewall administrators did not at 67 out of 352 mail processing facilities, as required by Postal Service policy.⁵
Due to budget constraints, firewall administrators and system analysts decided to place
; however, they did not perform a risk assessment to determine and document the impact of
Without , the Postal Service does not have a reliable and secure network and is at risk
of unauthorized access to data and disruption of critical mail processing operations.

Firewall Configuration Review

Firewall administrators did not apply six of nine critical security controls⁶ across the 30 firewalls in our sample. Specifically, we
found that firewall administrators did not configure firewalls to:

■

■ Use ⁸
The firewalls in our sample used Postal Service hardening
standards require the use of
⁹
which uses an improved and stronger process for encryption and includes a secure file
transfer protocol that adds more security to minimize vulnerabilities.

■ Update the time upon start-up. Postal Service hardening standards¹⁰ require the Network Time Protocol (NTP)¹¹ to be
configured to update firewall time upon start-up. Time synchronization protocols are important during forensic analysis following
a network intrusion.

■ Enable session timeout for . Postal Service hardening standards¹² require session timeout of 60 seconds or less
for , which limits the potential for misuse of unattended sessions.

■ Enforce password complexity or minimum length requirements. Current firewall configurations require passwords to have a
, but Postal Service policy¹³ states passwords must consist of at least 15 characters and include a
combination of characters and numbers, which limits the potential for a password compromise.

■ Use a current operating systems version. The firewalls are currently running . As
of , the vendor no longer provides security updates or support for this version. Attackers could exploit known
operating system flaws to compromise the network.

5 Handbook AS-805, Section 11-5.2, .
6 Controls identified and approved in Postal Service policy and security hardening standards. See Table 2 for a list of security controls we reviewed.
7 Security Hardening Standards for , Section 5.1, General Audit Logging Requirements, dated .
8 A for secure access to remote computers.
9 Security Hardening Standards for , Section 4.5.1, .
10 Security Hardening Standards for , Section 4.12.1 Use NTP Boot-Server.
11 A protocol that synchronizes computer clock times over a network. Network security logs and event analysis depend on accurate time synchronization.
12 Security Hardening Standards for , Section 4.2.5, Configure Idle Timeout for All Login Classes.
13 Handbook AS-805, Information Security, Section 9-6.1.1, Password Selection Requirements, dated May 2015.

These issues occurred because IT administrators and Engineering Systems analysts focused on supporting system deployment
as opposed to implementing required configurations and restricting network traffic. In addition, the manager, Perimeter Security
Services, stated that the amount of system log data generated by the firewalls caused network performance and availability issues.

Without adequate and effective security controls, the Postal Service cannot effectively identify and respond to security events
that could result in unauthorized disclosure of sensitive data and disruption of mail processing operations. We determined about
$237 million of revenue was processed at 15¹⁴ of the 30 facilities in our sample during Quarter (Q) 3, FY 2015.

Firewall Rules Management

We determined firewall administrators did not identify and remove overly permissive¹⁵ and duplicate firewall rules to control
network traffic, prevent unauthorized access to data and avoid disrupting mail processing operations. According to Postal Service
hardening standards¹⁶ and industry best practices,¹⁷ firewall rules should allow only necessary network traffic. In addition, firewall
rules should be as specific as possible to allow the types¹⁸ of traffic that are required to support mail processing systems and
applications. For the 30 firewalls in our sample, we reviewed 504,528 rules. During our review:

■

■ We identified 51,656 (10 percent) firewall rules that permitted network traffic ; 13,852 (3 percent)
firewall rules that permitted network traffic ; and 3,750 (1 percent) firewall rules that permitted
communication to in the administrative and mail processing infrastructure (MPI) networks.

■ We identified 30,196 (6 percent) rules that allowed unencrypted data to flow across the network and 721 (less than 1 percent)
rules that allowed the use of
.

■ We identified 31,754 (6 percent) duplicated rules that could degrade firewall performance and limit the firewall’s ability to
respond to connection requests and process legitimate network traffic. An excessive number of duplicate rules also makes it
more difficult to manage all of the rules in an efficient manner.

Overly permissive or duplicate firewall rules existed because firewall administrators did not review rules semiannually according
to policy.²¹ In addition, administrators and analysts did not identify critical elements for developing secure rules. These elements
include source IPs, destination IPs, and applications. Identifying these elements would allow administrators and analysts to
customize the rule sets to secure the network environment without any business impact. In addition, contractors developed the
current rule sets based on legacy rules migrated from the previous firewall environment, which used a different firewall product.
Obsolete and misconfigured firewall rules may limit firewall performance, which curtails the firewall’s ability to respond to network
connection requests and process legitimate network traffic.

We also found that the Postal Service did not document and approve 63,764 of 85,027 (75 percent) MPE/MHE firewall rule
changes prior to implementation because Postal Service policy did not designate the responsible authority for approving the
changes. Without an established change management process, the Postal Service may implement firewall rule changes that
disrupt critical mail processing operations or conflict with other rules. During our audit, the manager, Corporate Information
Security, updated Handbook AS-805 to state that MPE/MHE firewall rule changes require Network Connectivity Review Board
(NCRB) approval. Therefore, we will not make a recommendation regarding this issue.

14 For this analysis we only calculated total revenue associated with competitive mail (Flats and Parcels) that was processed through Postal Service plants. This number
only includes 15 facilities from our sample that were part of the Postal Service’s statistical sample for Revenue Pieces Weights-Origin Destination Information System
during Q3, FY 2015.
15 .
16 Security Hardening Standards for , Section 4.14, Services.
17 National Institute of Standards and Technology (NIST) Special Publication 800-41,
dated September 2009.
18 Types of traffic include protocols, services, and source and destination IP addresses.
19
20 .
21 Handbook AS-805, Section 11.5-2, .
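
The rule review described in this section can be partly automated. The following is an added example, not code from the OIG report or the Postal Service, and it goes beyond exact duplicates by also flagging rules that an earlier rule fully covers. The rule format, the sample rules, first-match evaluation order, the "any" test for overly permissive rules (the report's own definition is not shown on this page) and the cleartext service list are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Assumption for this example: services treated as unencrypted.
CLEARTEXT = {"tcp/21": "ftp", "tcp/23": "telnet", "tcp/80": "http"}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str    # "allow" or "deny"
    src: str       # CIDR, host address, or "any"
    dst: str
    service: str   # "proto/port" or "any" (the "application" element)


def net(value):
    """Normalize 'any', a host address, or a CIDR string to a network object."""
    if value.lower() == "any":
        return ANY_NET
    return ipaddress.ip_network(value, strict=False)


def key(rule):
    """Canonical form, so '10.20.5.10' and '10.20.5.10/32' compare equal."""
    return (rule.action.lower(), net(rule.src), net(rule.dst), rule.service.lower())


def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (net(later.src).subnet_of(net(earlier.src))
            and net(later.dst).subnet_of(net(earlier.dst))
            and earlier.service.lower() in ("any", later.service.lower()))


def review(rules):
    """Walk the rule set in evaluation order and collect review findings."""
    findings = {"duplicate": [], "shadowed": [], "permissive": [], "cleartext": []}
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        dup = next((e for e in earlier if key(e) == key(rule)), None)
        if dup is not None:
            findings["duplicate"].append((rule.rule_id, dup.rule_id))
        else:
            # Under first-match evaluation a covered rule never fires.
            shadow = next((e for e in earlier if covers(e, rule)), None)
            if shadow is not None:
                findings["shadowed"].append((rule.rule_id, shadow.rule_id))
        if rule.action.lower() != "allow":
            continue  # a broad deny (default deny) is not a permissive rule
        wide = [name for name, is_any in (
            ("src", net(rule.src) == ANY_NET),
            ("dst", net(rule.dst) == ANY_NET),
            ("service", rule.service.lower() == "any")) if is_any]
        if wide:
            findings["permissive"].append((rule.rule_id, wide))
        if rule.service.lower() in CLEARTEXT:
            findings["cleartext"].append((rule.rule_id, CLEARTEXT[rule.service.lower()]))
    return findings


def summarize(findings, total):
    """Count and whole-number percentage per category, as the report tabulates them."""
    return {name: (len(hits), round(100 * len(hits) / total))
            for name, hits in findings.items()}


# Constructed sample rule set (private address space, not from the report).
SAMPLE_RULES = [
    Rule(1, "allow", "10.10.0.0/16", "10.20.5.10/32", "tcp/443"),
    Rule(2, "allow", "10.10.0.0/16", "10.20.5.10", "tcp/443"),   # same as rule 1
    Rule(3, "allow", "10.10.4.0/24", "10.20.5.10", "tcp/443"),   # inside rule 1
    Rule(4, "allow", "any", "10.20.5.0/24", "any"),              # any source/service
    Rule(5, "allow", "10.10.8.0/24", "10.20.7.20", "tcp/23"),    # telnet
    Rule(6, "deny", "any", "any", "any"),                        # default deny
]

if __name__ == "__main__":
    result = review(SAMPLE_RULES)
    for category, hits in result.items():
        print(category, hits)
    print(summarize(result, len(SAMPLE_RULES)))
```

Rule 2 is caught as a duplicate only because addresses are normalized before comparison; a plain text comparison of exported rules would miss it.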

Firewall Hardening Standards

Firewall administrators did not review and update firewall security standards in accordance with Postal Service policy²² and
industry best practices. Specifically, firewall administrators have not reviewed and updated security standards since
because they believed their initial configurations were reliable and needed no changes. However, they did not perform a
review to ensure that the configurations included the latest updates to secure the environment against new potential threats and
vulnerabilities. Lack of and outdated security controls increase the risk of unauthorized access to data and disruption of critical
mail processing operations.

22 Handbook AS-805, Section 11-5.2,

Recommendations

We recommend the acting vice president, Information Technology, and the vice president, Engineering Systems, direct the
managers, Enterprise Asset Infrastructure and Engineering Software Management, to:

1. Perform a risk assessment for all mail processing facilities to ensure that they are
protected as appropriate or document acceptance of the risk.

We recommend the acting vice president, Information Technology, direct the manager, Enterprise Asset Infrastructure, to:

2. Configure firewalls to enforce , proper encryption, network time protocol, session timeouts, and password complexity;
and update the firewall operating system.

3. Update the telecommunication infrastructure to support firewall capabilities at all mail processing facilities.

We recommend the acting vice president, Information Technology, and the vice president, Engineering Systems, direct the
managers, Enterprise Asset Infrastructure and Engineering Software Management, to:

4. Review current firewall rules and remove those that are overly permissive or duplicative; and review firewall rules every 6 months
according to Handbook AS-805, Information Security, and document the results of the review.

We recommend the acting vice president, Information Technology, and the acting Chief Information Security Officer and vice
president Digital Solutions, direct the managers, Enterprise Asset Infrastructure and Corporate Information Security, to:

5. Review and update the firewall security standards annually in accordance with Handbook AS-805, Information Security.

Management’s Comments

Management agreed with recommendations 1 through 4 and disagreed with recommendation 5 and the $237 million in potential
revenue at risk. Management also stated that they agreed with all of the findings in the report. Management stated that their
priorities have always been improving the overall security posture and have efforts underway to enhance firewall and network
security. See Appendix B for management’s comments in their entirety.

Regarding recommendation 1, management stated that funding is in place and efforts are underway to upgrade existing firewalls
and install new firewall technology at all mail processing facilities. The target implementation date is December 31, 2017.

Regarding recommendation 2, management will configure firewalls to ensure proper encryption, network time protocol, session
timeouts, and password complexity; and update the firewall operating system. In addition, management will work with the
Enterprise Splunk team to determine the appropriate level of logging activity for the firewalls and configure them accordingly. The
target implementation date is September 30, 2017.

Regarding recommendation 3, management will work with the Enterprise Splunk team to determine the appropriate level of
logging activity for firewalls and configure them accordingly. The target implementation date is September 30, 2016.

Regarding recommendation 4, management will review existing firewall rules and remove any that are duplicative or which grant
inappropriate access. Additionally, upon completion of the initial clean-up effort, management will perform a semiannual review of
firewall rules in accordance with policy. The target implementation date is September 30, 2017.

Regarding recommendation 5, management disagreed with the recommendation and stated that they have begun a large-scale
network upgrade that includes replacing all existing devices with devices and
installing this technology at all mail processing facilities. Management will replace the firewall security standards with
security standards, which they will review and update annually. The target implementation date is September 30, 2017.

Regarding the $237 million in potential revenue at risk, management disagreed with our calculation and stated that the likelihood
of a potential malicious actor exploiting firewall vulnerabilities and simultaneously penetrating mail processing facilities and
disrupting mail processing is extremely remote. Management also stated that they have monitoring practices in place to identify an
attack within minutes and both manual and automated contingency plans in place to ensure mail processing operations continue in
the event of a disruption to the network. Management calculated an impact of $175,393.

Evaluation of Management’s Comments


The OIG considers management’s comments generally responsive to the recommendations and corrective actions should resolve
the issues identified in the report.

Regarding recommendation 5, we agree that a large-scale network upgrade that includes replacing all existing devices
with devices and replacing firewall security standards with security standards should resolve the
issue identified in the report. However, based on the target implementation date provided, management should continue updating
the security standards to support the firewalls currently in place. This recommendation will remain open until management
provides documentation supporting the network upgrade.

Management stated that they disagreed with the calculated $237 million in potential revenue at risk. We based our analysis on
the amount of revenue exposed to the risks we identified in our report and agree that this is not the amount of revenue that would
be lost during a single incident. We clarified in the report that $237 million is the amount of competitive mail revenue processed at
15 of the 30 facilities in our sample during Q3, FY 2015.

All recommendations require OIG concurrence before closure. Consequently, the OIG requests written confirmation when
corrective actions are completed. These recommendations should not be closed in the Postal Service’s follow-up tracking system
until the OIG provides written confirmation that the recommendations can be closed.

Appendices

Appendix A: Additional Information

Background
Cyber threats have become more sophisticated and have increased significantly over the past decade. Hackers can cause
damage on a large scale. In order to protect information resources and mail processing operations from unauthorized intrusion
and disruption, the Postal Service established standards for hardening information resources. Hardening is a security activity that
ensures all unnecessary services are disabled, security-related patches are applied to operating systems and applications, and
security-related configuration settings are in place and set up correctly. The primary goal is to support the creation of a strong
security infrastructure to protect the Postal Service’s electronic-business applications, data, and critical mail processing operations.

The Postal Service relies on firewalls to protect information resources and secure its mail processing systems. Firewalls are
security devices that control the flow of network traffic and check against approved policies to either allow or block traffic based
on those policies. Policies should be based on the direction that the traffic moves across the network. This feature allows firewalls
to restrict connections to and from the internal networks, which prevents unauthorized access to systems and resources. The
Postal Service uses two brands of firewalls to control network traffic – firewalls are used on the IT
network for perimeter protection and firewalls are used in the MPI environment for internal network protection.

Objective, Scope, and Methodology


Our objective was to determine whether network firewalls are in place, properly managed, and functioning to safeguard mail
processing operations according to Postal Service standards and industry best practices. Our audit scope covered approved
firewall configuration baselines, security standards, and policies used to support mail processing operations at Postal Service
facilities. We conducted our audit work at Postal Service Headquarters; Engineering Systems Headquarters in Merrifield, VA; and
the Information Technology Service Center in Raleigh, NC.

To accomplish our objective we:

■ Reviewed policies and standards related to firewalls and interviewed IT, Corporate Information Security, and Engineering
Systems personnel to identify facilities without firewalls.

■ Interviewed IT, Corporate Information Security, and Engineering Systems personnel to obtain an understanding of network
security controls for the MPE/MHE environment.

■ Obtained the firewall inventory and selected a random sample of 30 firewalls to review and assess the sufficiency of their
configurations against the approved Postal Service firewall security standards and controls.

■ Compared the Postal Service firewall hardening standards to industry best practices and documented discrepancies.

■ Interviewed Engineering Systems and IT personnel to identify and document MPE/MHE applications and servers.

■ Reviewed firewall configurations, rules sets, and policies to determine whether appropriate controls were in place.

Table 1 identifies the 30 facilities we randomly sampled. Each facility has one firewall identified by type of mail processing facility
and location.

Table 1. MPE/MHE Firewalls Reviewed

Mail Processing Facility City State


Source: Postal Service Telecom Services team and OIG analysis.

Table 2 identifies the nine security controls assessed for the 30 firewalls in our sample.

Table 2. Firewall Security Controls

Number of            Security Control     Compliant With
Security Controls                         Security Standards
1                                         No
2                                         No
3                                         No
4                                         Yes
5                                         Yes
6                                         Yes
7                                         No
8                                         No
9                                         No

Source: Postal Service Security Standards and OIG analysis.

We conducted this performance audit from July 2015 through January 2016, in accordance with generally accepted government
auditing standards and included such tests of internal controls, as we considered necessary under the circumstances. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on
December 18 and December 22, 2015, and included their comments where appropriate.

We assessed the reliability of firewall configurations and rules data by reviewing information stored in the Network
Management and the NCRB change management systems. In addition, we interviewed agency officials knowledgeable about the
data and process and tested required security controls. We determined that the data were sufficiently reliable for the purposes of
this report.

Prior Audit Coverage


We did not identify any prior audits or reviews related to the objective of this audit.

23
24 Console logins left unattended by firewall administrators can compromise sensitive network information or allow accidental or intentional configuration changes by
unauthorized personnel.

Appendix B: Management’s Comments

Contact us via our Hotline and FOIA forms.
Follow us on social networks.
Stay informed.

1735 North Lynn Street
Arlington, VA 22209-2020
(703) 248-2100