Skip navigation

Audit of Marshals Service Prisoner Tracking System, IG, 2004

Download original document:
Brief thumbnail
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
REVIEW OF THE UNITED STATES
MARSHALS SERVICE’S
PRISONER TRACKING SYSTEM

U.S. Department of Justice
Office of the Inspector General
Audit Division
Audit Report 04-29
August 2004

REVIEW OF THE UNITED STATES MARSHALS SERVICE’S
PRISONER TRACKING SYSTEM
EXECUTIVE SUMMARY
The United States Marshals Service (USMS) is responsible for housing
federal prisoners awaiting trial in federal courts. On any given day, the
USMS maintains custody of approximately 40,000 federal prisoners in local
jails, contract facilities, and federal Bureau of Prisons (BOP) facilities
throughout the country. Depending upon the length of a prisoner’s court
trial, time spent in USMS custody may run from several days to several
years.
The USMS uses the Prisoner Tracking System (PTS) application to
maintain tracking information for federal prisoners in USMS custody. The
PTS contains information that is specific to each individual prisoner, including
the prisoner’s personal data, property, medical information, criminal
information, and location. Additionally, the USMS uses the application as an
informational and scheduling tool to assist USMS personnel in locating
prisoners for court appearances. Prisoners’ records are created using
information obtained from key source documents, and this information is
entered into the PTS. The PTS information is critical to processing and
transporting prisoners because the USMS relies on the confidentiality,
availability, and integrity of this information to ensure the safety of both the
prisoners and the law enforcement officers charged with their care.
The objectives of this audit were to assess the effectiveness of select
general controls for the PTS at the entity-wide level, review PTS’s application
controls, and perform data integrity testing. The Office of the Inspector
General (OIG) performed this audit in accordance with the Government
Auditing Standards. We used the Federal Information System Controls Audit
Manual (FISCAM), Department of Justice (Department) policies and
procedures, National Institute of Standards and Technology (NIST) Special
Publications (SP), Office of Management and Budget (OMB) Guidelines, and
the USMS’s policies for prisoner processing and cellblock operations as
criteria for this audit.1 Specific details of our audit objectives, scope, and
methodology appear in Appendix 1.

1

The General Accounting Office’s (GAO) FISCAM provides a methodology for guiding
auditors in evaluating general and application controls used by information systems to
protect the integrity, confidentiality, and availability of data. Descriptions of the FISCAM
select general control and application control areas tested during this audit can be found in
Appendix 3.

The USMS divides its operations into four regions with 94 district
offices (DOs). To gain a nationwide represent ation of PTS operational
activities, we elected to review DOs in each of the four USMS regions. We
judgmentally selected the following sites: Alexandria, Virginia; Washington,
D.C.; New York, New York; Houston, Texas; Philadelphia, Pennsylvania;
Chicago, Illinois; Miami, Florida; and Phoenix, Arizona.
During our audit, we reviewed select general controls designed to
protect the PTS application against unauthorized use, loss, or modification of
its data.2 Additionally, we reviewed application controls within the PTS that
are used to ensure the validity, proper authorization, and completeness of
transactions when entering prisoners’ data into the PTS. We also tested
output reports from the PTS application against source documents contained
in prisoner file folders to assess the data integrity within the PTS.
SUMMARY RESULTS OF THE AUDIT
Select General Controls
Our review of the PTS identified weaknesses within each of the six
general control categories designed to protect the PTS’s system
environment. Specifically, we found deficiencies within PTS’s entity-wide
security program planning and management, access controls, application
software development and change control, system software, segregation of
duties, and service continuity controls.

2

General controls are entity-wide controls used to protect a system’s environment.
The PTS application can only be accessed via the USMS’s Marshals Network (MNET);
therefore, MNET serves as the PTS application’s system environment. We reviewed the
select general controls recommended by the FISCAM for evaluating and testing application
controls because general controls for MNET were assessed during the OIG’s January 2004
Federal Information Security Management Act (FISMA) review. The results of this
assessment can be found in the OIG’s Audit Report No. 04-11.

ii

Following the chart below we summarize each vulnerability.
GENERAL CONTROL AREAS
VULNERABILITIES
NOTED
Entity-wide Security Program Planning & Management
Assess risks periodically
Document an entity-wide security program plan
Establish a security management structure and clearly assign
security responsibilities
Implement effective security-related personnel policies
Monitor the security program’s effectiveness and make changes
as needed

√
√

Access Controls
Classify information resources according to their criticality and
sensitivity
Maintain a current list of authorized users and ensure that their
access is authorized
Establish physical and logical controls to prevent and detect
unauthorized access
Monitor access, investigate apparent security violations, and
take appropriate remedial action

√
√

Application Software Development & Change Control
Authorize processing features and modifications

√

Test and approve all new and revised software
Control software libraries

System Software
Limit access to system software
Monitor access to and use of system software

√

Control system software changes

Segregation of Duties
Segregate incompatible duties and establish related policies

√

Establish access controls to enforce segregation of duties
Control personnel activities through formal operating procedures
and supervision and review

√

Service Continuity
Assess the criticality and sensitivity of computerized operations
and identify supporting resources
Take steps to prevent and minimize potential damage and
interruption
Develop and document a comprehensive contingency plan
Test the contingency plan periodically and adjust it as
appropriate

iii

√
√
√

Entity-wide Security Program Planning and Management
Within the area of entity-wide security program planning and
management, a security manager for the PTS application was not appointed
and employees lacked adequate training and expertise. These deficiencies
could negatively impact the USMS’s ability to assess risks and provide
protection for sensitive PTS data.
Access Controls
The USMS did not properly maintain the PTS authorized user list and
allowed accounts to remain on the list for employees who no longer required
access. Active but invalid accounts could enable an unauthorized user to gain
access to sensitive information. Ineffective access controls diminish the
reliability of data and subject the system to unauthorized use, loss, or
modification.
Additionally, the USMS did not enforce physical access controls to
protect data entry terminals from access by unauthorized users. Physical
access to computer facilities that house data entry terminals could allow
unauthorized individuals to obtain confidential printed reports, view sensitive
data displayed on computer screens, and steal or damage equipment.
Application Software Development and Change Control
Interviews conducted during our site visits disclosed that program
modifications were not properly authorized. Application users are generally
responsible for requesting and authorizing system changes. However, we
found that the PTS application end-users were either unfamiliar with or
unaware of the process for requesting changes to the application.
Inadequacies with controls that protect application software from
unauthorized changes could result in the USMS allowing unauthorized
modifications to be made to the PTS application.
System Software
The effectiveness of the PTS’s system software controls were
jeopardized because the USMS is using outdated programming and database
management software to support the application. The use of such outdated
software prevents the USMS from implementing new security enhancements
that are designed to protect the application. This deficiency also increases
the risk that without timely software updates that enhance functionality and

iv

security, data could be improperly processed by the application or
insufficiently protected.
Segregation of Duties
Policies and procedures are not in place to segregate incompatible
duties for personnel performing critical functions, such as prisoner intake and
record creation processes. Compounding this problem, the USMS has no
formal procedures to guide personnel performing activities that directly affect
the reliability of the PTS data. Without the segregation of duties, and in the
absence of formal procedures, the USMS cannot ensure the confidentiality,
integrity, and availability of PTS data during the prisoner processing cycle.
Service Continuity
Backup tapes were not being rotated off-site, and the contingency plan
for the PTS had not been tested. We also found that key personnel
responsible for emergency response activities lacked sufficient training and
expertise. System administrators were not familiar with the current version
of the software supporting the PTS application or the location of their local
DOs database files. Consequently, the USMS may lose the capability to
restore the PTS’s application software and data because it is relying on
insufficient preventative measures to mitigate service disruptions.
Moreover, the USMS is depending on inadequately trained individuals to
respond appropriately in the case of an emergency and to assist in restoring
the application software and data files of this mission critical operation.

v

Application Controls
In addition to the general controls findings previously mentioned, our
review of the PTS identified deficiencies within each of the four application
control areas we tested. Following the chart below is a summary of each
vulnerability indicated in the chart.
APPLICATION CONTROL AREAS
VULNERABILITIES
NOTED
Authorization Controls
All data are authorized before entering the application system
Restrict data entry terminals to authorized users for authorized
purposes
Master files and exception reporting help ensure all data are
processed and are authorized

√
√

Completeness Controls
All authorized transactions are entered into and processed by
the computer

√

Reconciliations are performed to verify data completeness

Accuracy Controls
Data entry design features contribute to data accuracy
Data validation and editing are performed to identify erroneous
data
Erroneous data are captured, reported, investigated, and
corrected
Output reports are reviewed to help maintain data accuracy
and validity

√
√

Controls Over Integrity of Processing and Data Files
Procedures ensure that the current version of production
programs and data files are used during processing
Programs include routines to verify that the proper version of
the computer files is used during processing
Programs include routines for checking internal file header
labels before processing
Mechanisms within the application protect against concurrent
file updates

√

Authorization Controls
We found problems with authorization controls that ensure the validity
of transactions. The USMS has not formally established baseline
requirements for key source documents used to create prisoner records in
the PTS or for the proper authorization of source documents. This lack of
standards from the USMS headquarters for key source documents resulted in

vi

inconsistent data collection, record creation, and file maintenance practices
throughout the USMS sites audited. Formal standards would help to ensure,
at a minimum, that each prisoner file folder contains photographs, medical
information, and fingerprint cards. Also, such standards would help to
ensure that critical identifying information is collected from a reliable source.
These standards could also provide reasonable assurance against the
misidentification or mishandling of a prisoner due to inaccurate,
unauthorized, or unreliable data.
Additionally, supervisory or independent reviews to ensure the proper
authorization of source documents and transactions were not being
performed prior to the data being entered into the PTS. This occurred
because the USMS has not implemented adequate authorization standards
for source documents or required that supervisory reviews be performed on
a consistent basis. This precautionary measure would help ensure that
transactions are properly authorized and supported by a reliable source
document that has been signed. It would also assist with the prevention of
unauthorized, inappropriate, or incorrect transactions from being entered
that could negatively impact the integrity of data within the PTS.
Controls for ensuring that data entry terminals are used for authorized
purposes, such as audit logs, were weak. Audit logs that help to recreate
events and track user activity were not being maintained for the PTS
application. The USMS management does not require that audit logs be
maintained for the PTS to track the occurrence of unauthorized activities. In
our opinion, this condition increases the risk to the USMS that covert activity
by a user, such as entering an unauthorized transaction resulting in the early
release of a prisoner, may go undetected. The risks to the safety of the
USMS personnel who process and transport prisoners and the general public
are increased when coupled with weak authorization controls over source
documents and the lack of supervisory reviews of transactions.
Completeness Controls
The PTS application does not effectively use a completeness control
known as computer sequence checking to automatically perform global
database searches. Computer sequence checking would identify or prevent
the assignment of multiple USMS numbers to the same
prisoner. 3 At present, each of the 94 DOs maintains a local PTS database

3

Computer sequence checking helps identify missing or duplicate numbers in a
series. USMS numbers are assigned sequentially to prisoners processed by a DO;
however, database searches are conducted by prisoner name rather than USMS number.

vii

and the application is only programmed to automatically perform searches
for existing name and USMS number information within a user’s own local
database. The current configuration does not provide assurance that the
prisoner does not have an existing USMS number in any one of the other 93
local USMS databases. Without the capability to perform global searches of
all existing databases, the USMS cannot ensure that it complies with its own
policies prohibiting the multiple assignment of USMS numbers to the same
prisoner.
Accuracy Controls
Within the area of accuracy controls, we found that the USMS
management does not have an effective means of determining the existence
of erroneous data, such as uncorrected errors, or the severity of errors in
data entered into or processed by the application. Information regarding
erroneous data was not collected and reported back to the USMS
management for investigation or correction. This occurred because the
USMS did not require that information regarding such data be collected.
This type of oversight could negatively impact the reliability of the PTS’s
data through the propagation of undetected errors throughout the
application.
We also found that the PTS’s accuracy controls were impacted because
the USMS did not adequately control the production and distribution of
sensitive PTS output reports. Specifically, authorized users of the PTS print
sensitive output reports to shared network printers used by non-authorized
employees. This practice exposes sensitive system data at a level above
that which employees are required to perform their duties. Without
adequate controls over the distribution of output reports, unauthorized
individuals may inadvertently gain access to output reports and divulge
sensitive and confidential information.
Controls Over Integrity of Processing and Data Files
Controls over integrity of processing and data files for the PTS
application were deficient. This was due to the USMS not ensuring that each
installation of the PTS application at the 94 DOs nationwide protects against
simultaneous updates. We observed that the application allowed two users
to update the same file concurrently, which raises doubt as to which user’s
information was accurately recorded and processed by the application. This
type of system malfunction could negatively impact the reliability of data
within the PTS application.

viii

Data Integrity
In addition to the deficiencies discovered within PTS’s general and
application controls, our audit disclosed weaknesses within PTS’s data
integrity. We tested the two factors that contribute to data integrity:
completeness of prisoner records and accuracy of information. Our review
discovered weaknesses within both areas tested. A summary of each
vulnerability follows the chart.
Data Integrity Assessment Factors
VULNERABILITIES
NOTED
Completeness of Information
Records contain all of the data elements and documents
used as support for the transactions

Accuracy of Information
Output reports reflect the data obtained from the source
documents

√
√

Completeness of Information
Our findings revealed deficiencies in the completeness of prisoner
records. Many of the prisoner file folders we reviewed were missing key
source documents used to validate data entry transactions and to
substantiate the actions taken by USMS personnel.4 This occurred because
the USMS did not establish and implement standards regarding data
collection in order to comply with federal records retention requirements.
Incomplete prisoner file folders pose a significant risk to the USMS’s ability to
validate the PTS transactions, verify information, and justify the actions of its
employees. Additionally, maintaining adequate and proper documentation of
program activities enables the USMS to protect the federal government’s
legal and financial interests.
Accuracy of Information
Reviews of output reports produced by the PTS application disclosed
discrepancies in the accuracy of information. Output reports help to maintain
the accuracy and validity of data within a system and determine the
completeness of processing. We found that prisoner identifying information,
such as a prisoner’s date of birth, appearing on the PTS output reports did
not match source documents contained in the prisoner’s file folder.
4

The GAO defines a source document as any form of information that serves as the
basis for entry of data into a computer system.

ix

Additionally, critical dates, such as a prisoner’s custody date, did not
correlate with dates on source documents in the prisoner’s file folder.
Inaccurate PTS information could result in the overpayment of jail bills, the
untimely release of a prisoner, or the misidentification of a prisoner requiring
special handling within the prisoner population.
CONCLUSION AND RECOMMENDATIONS
We consider our findings in the areas of select general controls,
application controls, and data integrity to be major weaknesses. We further
conclude that the state of the PTS’s existing controls poses a high risk to the
protection of its data from unauthorized use, loss, or modification.5
We conclude that these weaknesses occurred because the USMS did
not fully comply with current Department policies and procedures, NIST
standards, OMB guidelines, or its own procedures for prisoner processing
and cellblock operations. If not corrected, these security vulnerabilities
could impair the USMS’s ability to fully ensure the integrity, confidentiality,
and availability of data within the PTS.
This report contains 20 recommendations for improving select general
controls, application controls, and the integrity of data for the PTS. In
general, we recommend that the USMS:
•

Appoint a security manager responsible for the PTS application;

•

Develop a training program to ensure that PTS users receive
specialized training before being granted access to the
application and ensure that system administrators are trained in
their responsibilities;

•

Review access authorizations for the PTS application and update
the PTS authorized user list in a timely manner;

•

Ensure that existing measures, such as door locks, are used to
provide protection against unauthorized access to sensitive
areas;

5

NIST SP 800-18 defines risk as the possibility of harm or loss to any software,
information, hardware, administrative, physical, communications, or personnel resource
within an automated information system or activity. Additionally, NIST categorizes the
requirements for protecting the confidentiality, integrity, and availability of system
information into three basic categories – high, medium, and low – according to the system’s
sensitivity level. Specifically, a high risk is considered a critical concern of the system.

x

•

Inform users regarding policies and procedures for requesting
changes to the application and update the PTS’s production
environment by replacing outdated software with current
software;

•

Develop and enforce policies and procedures to segregate duties
among staff performing critical PTS functions;

•

Identify and train employees involved in emergency response
procedures in their roles and responsibilities; maintain
emergency contact lists on-site; rotate and store backup tapes
off-site; and test the PTS contingency plan annually;

•

Standardize the record creation process throughout the USMS
for the PTS and establish key source document requirements for
data collection;

•

Implement a control, such as requiring the supervisory
authorization of data, to ensure that before information is
entered into the system, transactions are supported by properly
authorized source documents;

•

Maintain and review audit trails for the PTS application;

•

Modify PTS to perform automatic global database searches to
assist with the prevention of assigning multiple USMS numbers
to the same prisoner, report erroneous data to the PTS users
department for investigation and correction, and protect the PTS
output reports containing sensitive privacy information from
access by unauthorized persons;

•

Ensure each installation of the PTS application protects against
simultaneous updates of the same record by more than one
end-user; and

•

Maintain adequate source documents in prisoners’ file folders to
substantiate employee activities and implement quality control
measures to ensure data integrity.

xi

TABLE OF CONTENTS
Page
I. BACKGROUND ...................................................................... 1
PTS Application System Environment ..................................... 2
II. FINDINGS AND RECOMMENDATIONS........................................ 3
1. Select General Controls ................................................... 3
Entity-wide Security Program Planning and Management ....... 3
Access Controls.............................................................. 7
Application Software Development and Change Control.........11
System Software............................................................13
Segregation of Duties .....................................................15
Service Continuity ..........................................................17
2. Application Controls ........................................................21
Authorization Controls.....................................................22
Completeness Controls....................................................27
Accuracy Controls...........................................................29
Controls Over Integrity of Processing and Data Files .............33
3. Data Integrity Testing .....................................................34
Completeness of Information............................................35
Accuracy of Information ..................................................37
III. CONCLUSION ......................................................................40
APPENDIX 1

OBJECTIVES, SCOPE, AND METHODOLOGY .................43

APPENDIX 2

FIELDWORK SITE VISIT MAP....................................45

APPENDIX 3

FEDERAL INFORMATION SYSTEM CONTROLS AUDIT
MANUAL, SELECT GENERAL CONTROLS AND
APPLICATION CONTROLS.........................................46

APPENDIX 4

GENERAL ACCOUNTING OFFICE, ASSESSING THE
RELIABILITY OF COMPUTER-PROCESSED DATA,
DATA INTEGRITY ASSESSMENT FACTORS...................48

APPENDIX 5

GENERAL ACCOUNTING OFFICE, FEDERAL
INFORMATION SYSTEM CONTROLS AUDIT MANUAL,
GENERAL CONTROLS REVIEW GUIDELINES ................49

APPENDIX 6

GENERAL ACCOUNTING OFFICE, FEDERAL
INFORMATION SYSTEM CONTROLS AUDIT MANUAL,
APPLICATION CONTROLS REVIEW GUIDELINES...........67

APPENDIX 7

GENERAL ACCOUNTING OFFICE, ASSESSING THE
RELIABILITY OF COMPUTER-PROCESSED DATA,
DATA INTEGRITY ASSESSMENT GUIDELINES ..............76

APPENDIX 8

ACRONYMS AND ABBREVIATIONS.............................77

APPENDIX 9

GENERAL CONTROLS CRITERIA ................................78

APPENDIX 10 APPLICATION CONTROLS CRITERIA...........................79
APPENDIX 11 DATA INTEGRITY ASSESSMENT CRITERIA ..................81
APPENDIX 12 AUDITEE RESPONSE ...............................................82
APPENDIX 13 ANALYSIS AND SUMMARY OF ACTIONS
NECECESSARY TO CLOSE REPORT.............................92

REVIEW OF THE UNITED STATES MARSHALS SERVICE’S
PRISONER TRACKING SYSTEM
I. BACKGROUND
The United States Marshals Service (USMS) is responsible for housing
federal prisoners awaiting trial in federal courts. On any given day, the
USMS maintains custody of approximately 40,000 federal prisoners in local
jails, contract facilities, and federal Bureau of Prisons (BOP) facilities
throughout the country. Depending upon the length of a prisoner’s court
trial, time spent in USMS custody may run from several days to several
years.
The USMS Prisoner Tracking System (PTS) supports the USMS’s
responsibility to maintain custody of individual federal prisoners while
criminal proceedings are pending. This period of custody extends from the
time of their arrest or remand to the USMS by the court until the prisoner is
sentenced, released from custody, or returned to the custody of the U.S.
Parole Commission or the BOP.
The PTS was implemented by the USMS in March 1993 to maintain
tracking information for federal prisoners and to monitor federal prisoners in
state and local detention facilities under contract to the USMS. The PTS
replaced the Prisoner Population Management System. The PTS captures
information necessary to complete the administrative processing, housing,
safekeeping, health care, and disposition of federal prisoners in USMS
custody.6 From fiscal year (FY) 2001 to FY 2004, the PTS’s total operating
costs were $3,370,000, with annual operating costs averaging $842,500.
Another $1,070,000 is projected for FY 2005 and a project to upgrade the
PTS application’s functionality, funded at $5 million over a 5-year period, is
currently underway. 7
The PTS is also used as an informational and scheduling tool. As an
informational tool, the PTS provides identifying data specific to each
prisoner, including the prisoner’s personal data, property, medical
information, criminal information, location, and time spent at a facility. As a
scheduling tool, PTS information assists USMS personnel in locating
prisoners to be transported for court appearances.
6

USMS System Security Plan for the Prisoner Tracking System (PTS)/USMS
Automated Booking System (USMS-ABS), June 2003.
7

Operating costs were obtained from budget requests submitted to the Office of
Management and Budget by the Justice Management Division.

1

In addition, the PTS also contains records of court proceedings
generated during the day-to-day processing and disposition of prisoners in
the USMS’s custody. Prisoners’ records contained within the PTS are created
using information obtained from key source documents, such as the
individual custody and detention form, intake photos, Federal Bureau of
Investigation (FBI) finger print cards, and the prisoners’ medical form.
PTS Application System Environment
The PTS application software runs on a local server in each of the 94
USMS district offices (DOs) located throughout the U.S. and its territories.
In addition to the application, a database is maintained on the local server
that contains information relative to prisoners processed by the DO. Thus,
the USMS PTS environment consists of 94 copies of the PTS application
along with 94 individual databases.
At each DO, PTS client workstations connect to their local PTS
application server to gain access to database information. PTS users initially
log into the Marshals’ Network (MNET) located at the USMS headquarters in
Arlington, Virginia, in order to log into the PTS application server at the ir
location. Additionally, remote users can gain access to the PTS server in
their district by dialing into the remote access server located at the USMS
headquarters. The user is required to provide additional remote access user
identification information in order to log into MNET. The following diagram
depicts the PTS’s access configuration.

PTS Access Configuration
PTS
Users

PTS Laptop
Users

HQ
Remote
Access Server

HQ
MNet
PTS Servers
94 District
Offices
2

II. FINDINGS AND RECOMMENDATIONS
Our review of select general controls designed to protect the
PTS’s system environment identified weaknesses with the
PTS’s entity-wide security program planning and
management, access controls, application software
development and change control, system software,
segregation of duties, and service continuity controls. We
also identified deficiencies with the PTS’s application controls
that are used to help ensure the validity of transactions and
proper authorization of data. These deficiencies included
inadequate authorization controls, completeness controls,
accuracy controls, and controls over integrity of processing
and data files. Our findings relative to data integrity included
deficiencies with the completeness of prisoner records and the
accuracy of information contained within the PTS. In our
judgment, these findings are major weaknesses in the PTS.
We consider the system overall to be at a high risk to the
protection of its data from unauthorized use, loss, or
modification. These weaknesses occurred because the USMS
did not develop or fully enforce its own policies or comply
with the Department policies, NIST standards, and OMB
guidelines. If not corrected, these weaknesses could impair
the USMS’s ability to fully protect the integrity, confidentiality,
and availability of data contained within the PTS database.
1. SELECT GENERAL CONTROLS
General controls are entity-wide access controls used to safeguard a
system’s environment. Our review of select general controls for the PTS
application identified weaknesses in all six of the Federal Information System
Controls Audit Manual (FISCAM) general controls areas – entity-wide
security program planning and management, access controls, application
software development and change control, system software, segregation of
duties, and service continuity controls.
Entity-wide Security Program Planning and Management
Entity-wide security program planning and management allows an
organization to establish a security control structure that enables senior

3

management to identify and address security risks. An effective plan
requires that an organization:
•
•
•
•
•

Assess risks periodically;
Document an entity-wide security program plan;
Establish a security management structure and clearly assign
security responsibilities;
Implement effective security-related personnel policies; and
Monitor the security program’s effectiveness and make changes as
needed.

We confirmed that the USMS adequately assessed risks, documented
an entity-wide security program plan, and monitored the security program’s
effectiveness. However, vulnerabilities were noted as indicated in the
following chart:
Entity-wide Security Program Planning & Management
CONTROL AREAS

VULNERABILITIES
NOTED

Assess risks periodically
Document an entity-wide security program plan
Establish a security management structure and clearly assign
security responsibilities
Implement effective security-related personnel policies
Monitor the security program’s effectiveness and make changes
as needed

√
√

Establish a Security Management Structure and Clearly Assign
Security Responsibilities
Security managers are an essential component of an organization’s
security control structure and are responsible for reporting compliance
issues to senior management. Security managers perform specific functions
to ensure the effectiveness of security plans established to protect systems
that maintain sensitive data. These functions include assessing and
managing risks to protect the confidentiality, availability, and integrity of
system data. Security managers are also actively involved in addressing
threats posed by authorized internal users and unauthorized outsiders
attempting to gain access to system data, and implementing logical and
physical access controls to prevent breaches in security.
Our review of the PTS’s entity-wide security program planning and
management revealed that no security manager for the PTS application had
4

been formally appointed. This occurred because USMS did not establish a
security management structure and clearly assign security responsibilities.
The PTS’s system security plan, included in the application’s
certification and accreditation documentation, lists an individual as the
“Computer Systems Security Officer (CSSO).” However, when we
interviewed the individual designated as the CSSO, we found that he was
not actively involved in providing security manager duties for the PTS
application and did not know he had been officially appointed. Subsequent
interviews with USMS management officials confirmed that the USMS had
not officially appointed a security manager to address computer security
practices specific to the PTS application.
OMB Circular A-130 requires that an entity “assign responsibility for
security for each major application to a management official.” Furthermore,
the guidance recommends that the individual be “assigned the responsibility
in writing to assure the application has adequate security.”
Without the appointment of a security manager for the PTS
application, the USMS cannot ensure that the application has adequate
security or that security-related tasks are carried out. Such tasks include
properly authorizing system access, communicating security policies to the
user population, and monitoring risk management activities.
Recommendation:
We recommend that the USMS:
1. Appoint a security manager responsible for the PTS
application and ensure the appointment is documented.
Implement Effective Security-Related Personnel Policies
The USMS did not implement effective security-related personnel
policies to assure that employees possess adequate training and expertise.
The USMS’s Prisoner Services Division (PSD) offers specialized PTS training
at a federal government facility in Glynco, Georgia. However, users of the
PTS application who perform critical functions such as record creation and
record updating were not required by management to attend the specialized
training prior to being granted access to the system.
OMB Circular A-130 states that users of an application should receive
specialized training prior to being granted access, and that the specialized
training should focus on their responsibilities and rules of expected behavior
5

for the application. We found that no policy existed that required users to
receive specialized training prior to or within a reasonable period after hire,
and that the majority of PTS users had never received the specialized
training offered by the USMS.
Additionally, we determined that USMS personnel functioning as
system administrators for the application did not have adequate training
and expertise. According to the system administrator position description
provided by the USMS, system administrators are responsible for
“operating, troubleshooting, repairing, and maintaining IT systems.”
Additionally, the document states that employees must possess the
requisite technical knowledge to sustain the availability of the hardware and
software environment. The system administrator must also be competent
to maintain operating systems, applications, and data elements. However,
we found that some system administrators were unfamiliar with their
hardware and software environment and lacked specific knowledge, such as
what version of the application was running on their server, what files
supported the application, or where the PTS database they were responsible
for protecting was located.
OMB Circular A-130 requires that an aspect of an entity’s information
management policy should require that employees, such as system
administrators, are trained in skills appropriate to the management and
protection of system information and that this training shall be an ongoing
part of the information life cycle.8
These deficiencies could negatively impact the USMS’s ability to assess
risks and provide protection for sensitive PTS data.
Recommendations:
We recommend that the USMS:
2. Develop a training program to ensure that users of the PTS
application receive specialized training before being granted
access to the application.
3. Ensure that individuals performing system administrator
duties are properly trained in their responsibilities.

8

OMB defines the term "information life cycle" as the stages through which
information passes, typically characterized as creation or collection, processing,
dissemination, use, storage, and disposition.

6

Access Controls
Access controls are designed to limit or detect access to computer
programs, data, and equipment to protect these resources from
unauthorized modification, disclosure, loss, or impairment. Access controls
are both logical and physical. These controls are used to ensure that staff
duties and responsibilities are implemented in a way that safeguards
programs.
In order to successfully implement the critical elements of access
controls, an organization must:
•
•
•
•

Classify information resources according to their criticality and
sensitivity;
Maintain a current list of authorized users and ensure that their
access is authorized;
Establish physical and logical controls to prevent or detect
unauthorized access; and
Monitor access, investigate apparent security violations, and
take appropriate remedial action.

We found that the USMS successfully classified information resources
and investigated apparent security violations. However, vulnerabilities were
identified as indicated in the chart below:
Access Controls
VULNERABILITIES
NOTED

CONTROL AREAS
Classify information resources according to their criticality and
sensitivity
Maintain a current list of authorized users and ensure that
their access is authorized
Establish physical and logical controls to prevent and
detect unauthorized access
Monitor access, investigate apparent security violations, and take
appropriate remedial action

√
√

Maintain a Current List of Authorized Users and Ensure That
Their Access is Authorized
We found that the PTS’s list of authorized users contained multiple
errors and inaccurate information. This resulted because USMS
headquarters did not properly maintain a current list of authorized users that
was coordinated with information maintained by the DOs. Additionally, the
USMS did not regularly review the PTS authorized user list, validate the
levels of access authorized to users, or update the user list accordingly.
7

We obtained a consolidated user list for all authorized PTS users from
USMS headquarters. Officials at USMS headquarters informed us that
system administrators at each DO were responsible for maintaining their
respective user list by adding and deleting names. Therefore, we sorted the
headquarters list by DO location to produce a list for each of the following
sites we visited: Eastern District of Virginia (E/VA) in Alexandria, Virginia;
the District Court for the District of Columbia (DC/DC) in Washington, D.C.;
the Southern District of New York (S/NY) in New York, New York; the
Southern District of Texas (S/TX) in Houston, Texas; Eastern District of
Pennsylvania (E/PA) in Philadelphia, Pennsylvania; the Northern District of
Illinois (N/IL) in Chicago, Illinois; the Southern District of Florida (S/FL) in
Miami, Florida; and the District of Arizona (D/AZ) in Phoenix, Arizona.
Our review of the eight DO lists disclosed that: a) the USMS allowed
accounts to remain on the application’s authorized user list for employees
who no longer required access to the PTS; and b) the authorized user list
generated by USMS headquarters did not match the authorized user lists
maintained at the DOs.
The following chart represents specific deficiencies noted during our
review of the authorized user list at each site we visited. The “total number
of user accounts” column represents the total number of names appearing
on the PTS authorized user list obtained from the USMS headquarters for
each site visited. The figures in the “number determined invalid or
unknown” column represent accounts that could not be confirmed as “valid”
by the responsible system administrator. User accounts in this category
were determined to be “invalid” if the names had not been removed from
the user list although the user had departed the site or was no longer
authorized access to the PTS application. User accounts were determined to
be “unknown” if the system administrator could not attest to the users’
identity or their authority to access the application.
PTS Authorized User List

Sites
Visited
E/VA
DC/DC
S/NY
E/PA
S/TX
N/IL
S/FL
D/AZ
Totals:

Total Number of
User Accounts
According to HQ
76
111
144
94
346
88
143
138
1140

Number Determined
Invalid or Unknown
by Comparing
DO to HQ
16
64
33
35
113
41
45
45
392

Source: The OIG’s analysis of user lists workpapers for eight sites visited.

8

Percentage of
Invalid
Accounts
21%
58%
23%
37%
33%
47%
31%
33%
34%

A further review of the authorized user list for each site visited
revealed that erroneous or invalid entries appeared on the user list obtained
from USMS headquarters. However, the system administrators provided
evidence that they were properly maintaining the user list at their site. We
surmised that the discrepancies involving erroneous entries and unknown
accounts occurred because the consolidated user list generated by USMS
headquarters was not incorporating the additions, deletions, and changes
made at the DO level.
The DO user lists extracted from the HQ consolidated user list
contained various column headings such as userID, name, and date of the
user’s last login. In addition to the deficiencies previously noted, the
following deficiencies contributed to rendering accounts “invalid:”
•
•
•
•

Employees’ official titles and their DO locations were improperly
entered in the “name” field of the user list;
Descriptions of the employees’ positions appeared in the “name” field
of the user list as opposed to the users’ proper name;
UserID information (e.g., last name, first initial) frequently did not
match the actual user’s name that appeared on the DO list; and
Entries were “missing name information,” because userIDs did not
have an accompanying user name.

Prior to our departure from each site, the system administrators
agreed to remove entries deemed “invalid or unknown users” from their
PTS-authorized user list.
The above conditions do not comply with the Department’s Order
2640.2E, “Information Technology Security,” which requires that each user
be identified as unique. The Department’s Order further requires access
controls to ensure sys tem users can only access the resources necessary to
accomplish their duties and no more. Additionally, OMB Circular A-130
requires agencies to implement the practice of “least privilege,” whereby
user access to systems is restricted to the minimum level possible.
Allowing “invalid and unknown” user accounts to remain on the PTS
authorized user list could jeopardize the effectiveness of security features
designed to restrict the user's access to only that information which is
necessary for operations and for which the user has a need to know. The
existence of active but invalid accounts could enable an unauthorized user to
gain access to sensitive information. For example, accounts represented by
an employee’s official title or position description, as opposed to a specific
userID, are equivalent to generic or “guest” accounts. Guest accounts could
allow various members of a DO to share the same userID and password
9

information to gain access to and make changes within a system. Any
actions performed by these accounts, detrimental or otherwise, would be
difficult to trace back to a specific user. OMB Circular A-130 sets forth
personnel controls that strengthen access authorizations, provides for
individual accountability, and emphasizes the need to hold users accountable
for their actions. Ineffective access authorizations, such as allowing generic
accounts to remain on an authorized user list, diminish the reliability of data
and subject the system to unauthorized use, loss, or modification.
Recommendation:
We recommend the USMS:
4. Ensure that access authorizations for the PTS are reviewed
and that USMS headquarters update its authorized PTS
users list in a timely manner to incorporate changes from
the DOs.
Establish Physical and Logical Controls to Prevent and Detect
Unauthorized Access
Physical access controls consist of measures such as locking doors to
facilities housing computers that process sensitive information and posting
guards at entrance points to those facilities.
Logical access controls involve the use of computer hardware and
security software programs to prevent or detect unauthorized access by
requiring users to input unique user identifications, passwords, or other
identifiers that are linked to predetermined access privileges. Additionally,
controls are designed to reduce the risk of errors or fraud from occurring
and going undetected. Policies outlining the supervision and assignment of
responsibilities to groups and related individuals should be documented,
communicated, and enforced. Such controls keep individuals from
subverting a critical process. As discussed previously, we determined that
the PTS’s access authorizations or logical access controls were weak because
USMS headquarters did not properly maintain a current list of authorized
users.
Physical access controls were adequately enforced at seven of the
eight sites visited. However, we encountered an instance where physical
access controls were not enforced to prevent or detect unauthorized access.
We observed that the locks on the door to a restricted area at one location
were not engaged. Adequate physical access controls to the building were
provided by armed guards; however, the door to the restricted area housing
10

data terminals and sensitive PTS information was left unlocked and
potentially accessible by unauthorized visitors to the building.
NIST Special Publication (SP) 800-18, “Guide for Developing Security
Plans for Information Technology Systems” explains that physical access
controls protect computer resources and “restrict the entry and exit of
personnel.”
By not enforcing adequate physical access controls, the USMS exposed
the PTS to the risk that unauthorized individuals could gain access to
sensitive information. Additionally, the USMS’s ability to protect sensitive
printed data or equipment from theft or inadvertent disclosure would be
compromised if an unauthorized person entered a restricted facility
containing sensitive PTS equipment and data.
Recommendation:
We recommend that the USMS:
5.

Ensure that existing measures, such as door locks, are used
to provide protection against unauthorized access to
sensitive areas.

Application Software Development and Change Control
Application software development and change control is an essential
component of an application’s system development life cycle (SDLC). These
measures allow managers responsible for seeing that software supporting
their operation meets the requirement of the organization and produces
reliable data.
An entity should institute policies, procedures, and techniques to
ensure responsible individuals:
•
•
•

Authorize processing features and program modifications properly;
Test and approve all new and revised software; and
Control software libraries.

11

We determined that the USMS adequately tested new software and
controlled its software libraries. However, our review disclosed a deficiency
as indicated in the chart below:
Application Software Development & Change Control
CONTROL AREAS
Authorize processing features and modifications

VULNERABILITIES
NOTED
√

Test and approve all new and revised software
Control software libraries

Authorize Processing Features and Modifications
An entity should ensure that its SDLC policies provide a structured
approach that identifies who can authorize modifications to the system, and
the policies should be distributed to all users. Ultimately, application end
users have the primary responsibility for taking part in the design and
implementation of processing features and approving subsequent changes
made to the application.
Although the USMS had a documented SDLC for the PTS that included
instructions for requesting changes to the application, many of the PTS users
at the DOs we visited were not aware of the policy and were not aware of
how to formally request changes to the application. This condition exists
because the USMS has not adequately disseminated established change
control policies throughout the organization.
The Department’s Order 2640.2E, Chapter 1, “Security Program
Management,” directs components to develop a process to integrate security
into various stages of a system’s life cycle and to ensure that changes to any
system are controlled.
Ineffective management over modifications to application software
could hamper an entity’s ability to prevent knowledgeable programmers
from covertly changing program code to access sensitive data. Additionally,
the entity could risk the likelihood of implementing incorrect or outdated
versions of operating system and application software. Failure to establish
such controls could allow the introduction of malicious code that could lead
to the loss or destruction of sensitive data.

12

Recommendation:
We recommend that the USMS:
6. Ensure PTS users are informed of the policies and procedures
for requesting changes to the application.
System Software
Often referred to as a “utility,” system software is used by
programmers to configure a system and manage the input, processing,
output, and data storage associated with all of the applications that run on a
system. System software operates at a higher level than application
software and can thus be used to read, modify, or delete critical or sensitive
information and to bypass security controls built into application programs.
Moreover, some system software can change data and program code without
leaving an audit trail, such as programming software and database
management systems (DBMS). 9
Weakness in controls over system software could negatively impact
the reliability of information produced by applications supported by the
computer system. An organization can protect the integrity of system
software in the following ways:
•
•
•

Limiting access to system software;
Monitoring access to and use of system software; and
Controlling system software changes.

Although the USMS effectively limited access to system software and
monitored its use, deficiencies were noted in the area indicated in the
following chart:
System Software
CONTROL AREAS

VULNERABILITIES
NOTED

Limit access to system software
Monitor access to and use of system software

√

Control system software changes

9

DBMSs organize data in a database and manage actions such as queries and updates.

13

Control System Software Changes
The PTS application consists of a database controlled by a DBMS and
application programming software. The database is used to store data
pertaining to the USMS’s prisoner operations and prisoner identifying
information. The application’s user interface and functionality are modified
using a commercial-off-the shelf programming language.
We determined that the controls for the PTS’s system software
changes were deficient. The USMS is using an outdated version of the
database management software and programming language to support the
PTS application in its production environment. According to the DBMS and
application programming software vendor, the company no longer provides
technical support for these products and has not done so for over five years.
This condition exists because the USMS has not updated and patched these
critical components although the vendor has produced three version updates
since the release of the version currently used by the USMS.
OMB Circular A-130 recommends that entities periodically review
security controls and seek ways to improve security such as utilizing
technical tools to look for security problems and installing the latest software
patches. NIST SP 800-40 specifically addresses procedures for handling
security patches. NIST warns that not patching information systems in a
timely manner can impact operations and degrade the confidentiality,
availability, and integrity of a system’s information.
The USMS’s use of outdated programming and database management
software could prevent the USMS from implementing security enhancements
such as system security patches designed to protect the PTS application
from malicious software. This deficiency also increases the risk that without
timely updates, data entered into the PTS could be improperly processed by
the application.
Recommendation:
We recommend that the USMS:
7. Remove outdated versions of the PTS’s application
programming software and database management system
from the production environment and replace with current
versions that are supported by the vendor.

14

Segregation of Duties
Segregation of duties is the practice of dividing the steps in a critical
function among different individuals. In a computer processing
environment, such a control assists in the prevention of one individual
having complete control of the input, processing, and output stages of the
information cycle and keeps a single individual from subverting a critical
process.
Organizations should take steps to ensure that they:
•
•
•

Segregate incompatible duties and establish related policies;
Establish access controls to enforce segregation of duties; and
Control personnel activities through formal operating procedures
and supervision and review.

Controls that sustain the proper segregation of duties enable
management to maintain control over personnel activities. Additionally,
segregation of duties requires the establishment of formal operating
procedures as well as active supervision and review of these activities.10
We found that the USMS had adequately established access controls to
enforce segregation of duties. However, deficiencies were noted within
other control areas affecting segregation of duties as indicated below:
Segregation of Duties
CONTROL AREAS
Segregate incompatible duties and establish related policies
Establish access controls to enforce segregation of duties
Control personnel activities through formal operating
procedures and supervision and review

VULNERABILITIES
NOTED
√
√

Segregate Incompatible Duties and Establish Related Policies
Our review of the PTS disclosed that the USMS had not properly
segregated incompatible duties and established related policies to ensure
personnel understand their roles and responsibilities. Duties and
responsibilities associated with the USMS’s PTS system life cycle were not
10

OMB Circular A-130 defines procedures as detailed steps to be followed by users,
system operations personnel, or others to accomplish a particular task (e.g., preparing new
user accounts and assigning the appropriate privileges). It adds that procedures normally
assist in complying with applicable security policies, standards, and guidelines.

15

properly segregated among staff. At the USMS’s headquarters, only one
individual is assigned to code, test, and implement changes to the PTS
application. The same individual is authorized to move changes into the
production environment and distribute those changes to the 94 DO servers.
This condition allows a single individua l to have complete control over
application programming and change control processes that should be
divided among two or more individuals.
The Department’s Order 2640.2E, Chapter 2, specifies the requirement
for segregation of duties. The Order states that system duties should be
“defined and documented.” OMB Circular A-130 discusses the requirement
for personnel security and recommends that an application’s security plan
incorporate measures for the separation of duties. Furthermore, NIST SP
800-12, “Computer Security Handbook” describes separation of duties as
“dividing roles and responsibilities so that a single individual cannot subvert
a critical process.”
Control Personnel Activities Through Formal Operating
Procedures and Supervision and Review
We found that the USMS has not developed formal policies and
procedures to guide PTS users in performing their duties. Although the
USMS has published a user manual for the PTS application, the manual falls
short of providing formal operating procedures to be followed during critical
processes such as the record creation process and subsequent record
updates. These processes directly affect the confidentiality, integrity, and
availability of the PTS data. Due to the lack of policies and procedures, we
found that the record creation process was not standardized at any of the
DOs we visited and that this condition exists throughout the USMS.
Following our site visits, we conferred with program managers for the
PTS application who informed us that USMS headquarters has not provided
formal operating policies and procedures to standardize the record creation
process nor has it established standards for the collection of source
information used to create prisoner records in the PTS. In the absence of
formal policies and procedures, USMS headquarters and DOs had not
formally established compensating controls such as requiring adequate
supervision or review of information once a record is created or updated in
the system. We observed that all DOs we visited operated differently with
respect to the record creation process. We also found that while some DOs
performed minimal supervisory reviews, others did not perform any
supervisory reviews because they were not required to do so. Supervisory
reviews, performed on a consistent basis, would help to detect the types of
completeness and accuracy errors we found during our review of PTS data.
16

Without proper segregation of duties, the USMS increases the risks
that erroneous or fraudulent transactions could be processed by the PTS and
that computer resources could be damaged or destroyed. Additionally,
without the USMS providing adequate controls over personnel activities,
mistakes within the PTS could occur and go undetected and expose the
application and its data to unauthorized use, loss, or modification.
Recommendation:
We recommend that the USMS:
8. Ensure policies and procedures for segregating duties are
developed and enforced to provide assurance that distinct
functions are performed by different individuals and that no
individual has complete control over the PTS’s processing
functions.
Service Continuity
Service continuity measures provide for the capability to protect
information resources and minimize the risk of unplanned interruptions.
Service continuity controls involve ensuring that when unexpected events
occur, critical operations continue without interruption or are promptly
resumed and the organization’s sensitive data are protected. To review the
adequacy of its service continuity control, an entity should:
•
•
•
•

Assess the criticality and sensitivity of computerized operations
and identify supporting resources;
Take steps to prevent and minimize potential damage and
interruption;
Develop and document a comprehensive contingency plan; and
Test the contingency plan periodically and adjust it as appropriate.

17

The USMS had developed a contingency plan for the PTS application.
However, we found other deficiencies within service continuity controls for
the PTS application as indicated below:
Service Continuity
CONTROL AREAS

VULNERABILITIES
NOTED

Assess the criticality and sensitivity of computerized
operations and identify supporting resources
Take steps to prevent and minimize potential damage and
interruption
Develop and document a comprehensive contingency plan
Test the contingency plan periodically and adjust it as
appropriate

√
√
√

Assess the Criticality and Sensitivity of Computerized
Operations and Identify Supporting Resources
We determined that the USMS successfully assessed the criticality and
sensitivity of the PTS. However, we found that the USMS was deficient in
identifying supporting resources within the DOs, which according to FISCAM
includes human resources. Specifically, the USMS had not implemented a
means to identify employees with service continuity responsibilities to users
within the DOs, such as making an emergency contact list available to users
at each site. Although the USMS maintained emergency contact lists at its
headquarters, this deficiency occurred because the USMS did not require the
DOs to maintain emergency contact lists to identify supporting resources
on-site. Consequently, we found that the majority of the DOs did not
maintain lists or make this information available to users.
NIST SP 800-34, “Contingency Planning Guide for Information
Technology Systems,” identifies contact lists as an element of an effective
contingency plan and recommends the frequent review of such lists.
We also found that the USMS did not distribute its contingency plan,
which contains emergency contact information, to supporting resources at
the DOs – although execution of the contingency plan requires support from
the system administrators assigned to the DOs. NIST SP 800-34 states that
copies of contingency plans are typically provided to persons with service
continuity responsibilities, such as the system administrators at the DOs.

18

We found that the information regarding emergency notifications was
contradictory. The USMS PTS contingency plan identifies the Help Desk as
the point -of-contact for service disruptions. The plan also states that the
system administrator is responsible for maintaining the PTS servers at each
field location and for reporting failures.11 However, the plan presents an
emergency response scenario wherein the system administrator would notify
the Help Desk if the PTS server in the DO were disabled or unavailable. This
scenario implies that system administrators, who are assigned to the DOs,
are logically the first responders to users within the DOs and would most
likely be contacted in case of emergency.
The absence of an emergency contact list to identify individuals at the
DOs with service continuity responsibilities could cause users to become
confused as to who should be notified in the event of an emergency,
especially during non-duty hours. Additionally, without a copy of the USMS
contingency plan for the PTS, individuals identified as supporting resources
could become confused as to their service continuity roles and
responsibilities.
In addition to our findings regarding the clear identification of
supporting resources, we also found problems with the competence of those
individuals involved in emergency response procedures. This occurred
because the USMS had not required or provided sufficient training for
employees with service continuity responsibilities.
NIST SP 800-18 provides guidance for developing security plans for
information technology (IT) systems. The guidance states that responsible
individuals should be designated as points-of-contact for a system and that
the individuals should be knowledgeable about the system. We reviewed the
system administrator position description and verified that the system
administrators are designated as the primary representative at the DOs for
IT functions and are responsible for responding to emergency situations.
The position description specifically states that the employee must possess
knowledge of IT systems “recovery” methods and practices. However, we
found that system administrators, who were expected to assist with service
continuity functions, lacked sufficient training to support the restoration of
the application and its data files. Many of the system administrators at the
sites we visited did not know specific characteristics of the system that
would enable them to respond appropriately in case of an emergency.
Specifically, system administrators did not know the version of the
application running on their server or the location of their PTS database.

11

According to the USMS PTS Contingency Plan dated June 2003.

19

In the event of an emergency or system abnormality, system
administrators who are not properly trained could impede restoration of the
data files and software by failing to respond appropriately.
Recommendation:
We recommend that the USMS:
9. Ensure that:
a) employees involved in emergency response procedures
are identified and trained in their emergency roles and
responsibilities; and
b) emergency contact lists are maintained on-site.
Take Steps to Prevent and Minimize Potential Damage and
Interruption
Two aspects of preventing and minimizing damage or interruption of
service to users of the PTS application include ensuring that: a) data and
program backup procedures have been implemented; and b) staff have been
trained to respond to emergencies.
Our review disclosed that backup tapes created at three of the DOs we
visited were not consistently rotated off-site. This occurred because the
USMS did not take steps to prevent and minimize potential damage and
interruption by securing backup data away from the processing facility.
Additionally, the USMS did not enforce its own guidelines for backup
operations. The PTS security plan addresses contingency planning and
states that backups should be created nightly and transferred off-site once a
month.
NIST SP 800-34, “Contingency Planning Guide for Information
Technology Systems,” addresses backup methods. The guidance requires
that backup policies be established and backup data stored off-site.
Consequently, the USMS may lose the capability to restore the PTS’s
application software and data by relying on insufficient preventative
measures to mitigate service disruptions if tapes are not properly secured at
an off-site location.
We also found that the USMS did not effectively ensure that staff had
been trained to respond to emergencies, another aspect of minimizing
20

service interruptions. As discussed in the previous section regarding
identifying supporting resources, we found that system administrators
lacked sufficient knowledge of their system environment to provide support
of recovery functions and that copies of the contingency plan that specified
emergency roles and responsibilities had not been distributed to the DOs.
Therefore, we recommended the USMS provide training for employees
involved in emergency response procedures in Recommendation 9.
Recommendation:
We recommend that the USMS:
10. Ensure the PTS’s backup tapes are properly rotated and
stored at an off-site location.
Test the Contingency Plan Periodically and Adjust It As
Appropriate
Although the USMS has developed and documented a contingency plan
for the PTS application, it has not tested the plan. The Department’s Order
2640.2E, Chapter 1, sets standards for contingency planning. It directs
components to develop a contingency plan and test the plan annually.
Furthermore, OMB Circular A-130 advises that untested contingency plans
“may create a false sense of ability to recover in a timely manner.”
The USMS places the PTS application and its data at risk by having an
untested contingency plan for PTS. This deficiency could prevent the USMS
from achieving timely restoration of critical PTS system information and
diminish the assurance for continuity of operations in the event of a disaster.
Recommendation:
We recommend that the USMS:
11. Perform annual testing of the PTS contingency plan as
required by the Department.
2. APPLICATION CONTROLS
Application controls are the structures, policies, and procedures that
apply to application systems. Application controls include both the routines
built into the computer program code and the external safeguards provided
by users. External safeguards include manual measures performed by the

21

user such as reviewing output reports to determine that the computer
processes data accurately.
Application controls help make certain that transactions are valid,
properly authorized, and completely and accurately processed by the
computer during all three phases of a processing cycle – input, processing,
and output. At the time of input, data should be authorized, converted to an
automated form, and entered into the system. This transaction is expected
to be accurate, complete, and occur in a timely manner. For the processing
phase, the computer accepts the data entered and files are updated in the
system’s database. Lastly, in the output phase, files and reports are
generated by the system and the results are expected to yield an accurate
processing of the data entered into the system. Controls should be in place
to ensure that system outputs are controlled and distributed only to
authorized persons.
To assess the effectiveness of application controls for the PTS, we
reviewed authorization, completeness, accuracy, and integrity of processing
controls. We identified deficiencies within all of the application control areas.
Authorization Controls
Authorization controls are designed to ensure the validity of system
transactions, and that the transactions performed represent an event that
actually occurred during a given period. These controls regulate access to
network resources and ensure that data is properly converted to an
automated form so it can be processed accurately, completely, and timely.
Effective authorization controls should protect the data input process
and include the following critical elements:
•
•
•

All data are authorized before entering the application system;
Restrict data entry terminals to authorized users for authorized
purposes; and
Master files and exception reporting help ensure all data processed
are authorized.

22

The USMS effectively used master files to help ensure that all data are
processed. However, the following deficiencies were noted as indicated
below:
Authorization Controls
CONTROL AREAS
All data are authorized before entering the application system
Restrict data entry terminals to authorized users for authorized
purposes
Master files and exception reporting help ensure all data are
processed and are authorized

VULNERABILITIES
NOTED
√
√

All Data Are Authorized Before Entering the Application System
In order to ensure that all data are authorized before entering the
application system, the FISCAM recommends that entities should implement
measures to: a) control source documents and require authorizing
signatures; and b) ensure supervisory reviews of data occur before entering
the application system. The guidance acknowledges that paper source
documents continue to play an important role during the data collection
process. It cautions, however, that source documents should be controlled
at the earliest point in the process and the data should be approved for use
prior to entering the system. FISCAM also outlines requirements for
performing independent or supervisory reviews of data regardless of the
source. Our review disclosed deficiencies within both areas designed to
ensure the proper authorization of data.
Control source documents and require authorizing signatures
We found that the USMS had not established controls over source
documents, nor provided for their proper authorization. The GAO defines a
source document as information that serves as the basis for the entry of
data into a computer system. At all sites visited, we experienced difficulty in
verifying the validity of the transactions we reviewed on PTS output reports
due to the absence of source documents or because of inconsistencies with
the collection and authorization of source documents. Therefore, the USMS
was not able to attest to the validity of many transactions entered into the
PTS or support the actions taken by its employees.
This condition occurred because the USMS had not formally
established baseline requirements for source documents to provide a
23

reasonable assurance that critical identifying information is collected from a
reliable source and is properly authorized. Additionally, the USMS had not
implemented effective controls to ensure the proper authorization of data
obtained from source documents prior to that data being used in PTS
transactions.
Because baseline requirements for source documents had not been
established by the USMS, we consulted the USMS employees performing
record creation duties at the sites visited to determine what documents were
used as source documents during the record creation process for the PTS.
According to these employees, “key” source documents us ed to support the
record creation process included: the individual custody and detention form
(USM-129); FBI fingerprints card (FD-129); intake photo; and medical form
(USM-552).
However, we found that because the USMS did not require employees
to collect these source documents on a consistent basis, some DOs were not
creating records based on documentation, but rather on interviews with
prisoners. This occurred because the USMS had not formally established
baseline requirements for source documents, such as the ones identified by
USMS personnel, to provide a reasonable assurance that critical identifying
information is collected from a reliable source and is properly authorized.
The USMS Cellblock Operations Directive advises employees to
interview the prisoner during the initial intake process and collect identifying,
arrest, prosecution, and medical information from the prisoner. The
directive instructs employees to then enter the information obtained from
the prisoner into the PTS to create a prisoner record. Under these
conditions, the USMS is basing the reliability of the information collected on
the integrity of the prisoner. Furthermore, the directive does not require
that information be approved by an authorizing official or verified from other
presumably more reliable sources such as court documents or forms
completed by arresting officers.
OMB Circular A-130 advises federal agencies of the requirement for
records management and states that agencies should “create and keep
adequate and proper documentation of their activities.” 12 OMB also warns
that the lack of sufficient record keeping weakens agencies’ ability to
12

According to OMB, the term "records management " involves those managerial
activities that support records creation, records maintenance and use, and records
disposition. Records management allows agencies to achieve adequate and proper
documentation of the policies and transactions of the federal government and effective and
economical management of agency operations. (44 U.S.C. 2901(2))

24

responsibly perform their missions. OMB emphasizes the importance of
record-keeping activities in each stage of a system’s life cycle and directs
agencies to document their procedures for information collection.
By failing to establish standards and controls over source documents
and provide for the proper authorization of data, the USMS is jeopardizing
the reliability of information collected during the record creation process.
The reliability of data that serves as the basis for creating records in the PTS
has a direct impact on the confidentiality, availability, and integrity of the
data within the PTS.
Throughout our review, we also found inconsistencies with the
collection of source documents, the authorization of data, and the
maintenance of source documents within each prisoner’s file folder. We
noted that each DO essentially performed data collection, record creation,
and file maintenance functions differently. These inconsistent practices
resulted in the deficiencies discovered during our assessment of the PTS’s
data integrity. Specifically, we discovered findings within the PTS’s
completeness of information and accuracy of information. This occurred
because the USMS had not standardized the record creation process
throughout the USMS to aid in establishing control over source documents.
The GAO’s guidance for assessing data reliability emphasizes the need
for organizations to establish and adhere to standardized rules for the
collection and use of data in computer processing environments.
Additionally, adherence to the consistent interpretation of data rules, or the
use of standardized processes, contributes to data reliability. The guidance
stresses that standardization and consistency are particularly important to
systems where data is entered at multiple sites, such as the PTS. The
guidance asserts “inconsistent interpretation of data rules can lead to data
that, taken as a whole, are unreliable.” Failure to establish and enforce
standardized procedures during critical processes, such as the record
creation process for the PTS, could negatively affect the reliability of data
within the PTS and impact the mission of the USMS.
We determined that the USMS’s cellblock directive and user manual do
not provide adequate data rules for employees or set standards for
consistency during the record creation process. In the case of the PTS,
formal standards would ensure, at a minimum, that each prisoner file folder
contains photographs, medical information, and fingerprint cards; and that
critical identifying information is collected from a reliable source such as a
court document or agent arrest form. These standards could also provide
reasonable assurance against the misidentification or mishandling of a
prisoner due to inaccurate, unauthorized, or unreliable data.
25

Recommendation:
We recommend that the USMS:
12. Develop policies and procedures to:
a)

establish key source document requirements; and

b)

standardize the record creation process throughout
the USMS for the PTS.

Ensure supervisory reviews of data occur before entering the
application system
We also found that supervisory or independent reviews of source
document information were not being performed on a consistent basis prior
to the information being entered into the PTS. This was evidenced by the
fact that handwritten “Individual Custody and Detention” (USM-129) forms,
when used, did not always contain an authorizing signature. We observed
that some DOs provided supervisory reviews during the record creation
process while others did not. In addition, our review of prisoner file folders
for accuracy of information disclosed discrepancies between information on
source documents and information on the PTS output reports. We
determined that these inaccuracies could have been prevented through the
use of compensating controls such as supervisory reviews. This condition
existed because the USMS did not require DOs to perform supervisory
reviews of source documents and transactions.
In the absence of policies and procedures, supervisory reviews serve
as a compensating control to ensure the proper authorization of source
documents and transactions. OMB Ci rcular A-130 prescribes the use of
controls that monitor individual accountability and prevent and detect harm
caused by “authorized individuals engaged in improper activities, whether
intentional or accidental.”
Recommendation:
We recommend that the USMS:
13. Implement a control, such as requiring the supervisory
authorization of data, to ensure that before information is
entered into the system, transactions are supported by
properly authorized source documents.
26

Restrict Data Entry Terminals to Authorized Users for
Authorized Purposes
The USMS has not implemented automated controls to trace actions on
the system or ensure that data entry terminals are restricted to authorized
users for authorized purposes. In our judgment, this weakness exists
because the USMS does not maintain sufficient audit trails for the PTS
application or require exception reports generated from audit logs. These
reports could help identify unauthorized activities such as excessive errors
made by an employee, record deletions, or attempts to gain access to
resources to which the user is not authorized.
The Department’s Order 2640.2E, Chapter 2, “Security Requirements”
(Accountability and Audit Trails), requires that audit logs be maintained and
reviewed for activities that could modify, bypass, or negate the system's
security safeguards. Audit logs provide a measure of assurance to enforce
individual user accountability.
The USMS has not implemented automated controls to trace the
occurrence of unauthorized activities or look for patterns of behavior by
users of the PTS application. Therefore, USMS management has reduced its
ability to monitor unauthorized attempts by users who have access to
sensitive data above their access levels, unauthorized changes or deletions
to prisoner records, or activities of users with privileged accounts. These
vulnerabilities could impact the integrity of data within the PTS application.
Recommendation:
We recommend that the USMS:
14. Maintain and review audit trails for the PTS application as
required by the Department.
Completeness Controls
Completeness controls are designed to ensure that all authorized
transactions are processed and completed prior to being entered into the
computer. These controls include the use of record counts and control
totals, computer sequence checking, computer matching of transaction data
with data in a master or suspense file, and checking of reports for
transaction data.

27

Completeness controls in an application provide safeguards for
ensuring that:
•
•

All aut horized transactions are entered into and processed by the
computer; and
Reconciliations are performed to verify data completeness.

Our review of the USMS’s completeness controls for the PTS disclosed
a deficiency as indicated in the following chart:
Completeness Controls
CONTROL AREAS
All authorized transactions are entered into and processed by
the computer

VULNERABILITIES
NOTED
√

Reconciliations are performed to verify data completeness

All Authorized Transactions Are Entered Into and Processed by
the Computer
In our review of completeness controls, we found that mechanisms
built into the PTS application to perform computer sequence checking were
inadequate for the PTS environment. This condition exists because the
current configuration of the PTS application is restrictive in that the default
system configuration confines sequence checking to the information
contained in the local database and does not automatically extend the
search to other DO databases.
The USMS Cellblock Operations Directive dictates that a prisoner will
be assigned only one USMS number throughout their history with the
agency. This would require that all 94 DO databases be searched to
determine if the prisoner being processed has an existing USMS number
assigned by another district before a district issued a USMS number.
The PTS application’s current software configuration is not conducive
to automatically facilitate global database searches for prisoners’ USMS
tracking numbers and name information because the USMS maintains a
separate PTS database at each of its 94 DOs. Under the current
configuration, PTS users can (by default) search only their local database to
determine if a prisoner has been previously assigned a USMS number in
their district. The PTS application is not programmed to automatically
extend the search to other DO databases.
28

In order to determine if a prisoner has an existing USMS number that
was assigned in another district, the PTS user must manually connect to the
PTS database where the original USMS number and prisoner information is
maintained. In the absence of knowing where the USMS number originated,
the PTS user would have to manually perform 93 additional database
searches to determine if a USMS number exists for the prisoner in another
DO.
In its own directive regarding cellblock operations, the USMS advises
PTS users to exit the application and go to the Federal Bureau of Prisons’s
(BOP) SENTRY application to search for the existence of a previously
assigned USMS number. 13 This workaround solution is impractical because it
forces PTS users to seek USMS information outside their own component
that should be readily available on USMS systems. Additionally, not all users
of the PTS application have access to BOP SENTRY; therefore, those users
are restricted from performing the search within SENTRY to check for a preexisting USMS number before assigning a new USMS number.
The current configuration of the PTS application constrains a name
search to the local database. This constraint threatens compliance with the
USMS’s own directives regarding multiple USMS numbers. Additionally, it
does not provide adequate assurance to the USMS that multiple USMS
numbers will not be assigned to the same individual.
Recommendation:
We recommend the USMS:
15. Ensure that the PTS application is modified to perform
automatic global database searches of all its DO databases
to prevent the assignment of more than one USMS number
to the same prisoner.
Accuracy Controls
Accuracy controls are implemented to ensure that data recording is
valid and accurate in order to produce reliable results. The implementation
of these controls includes well-designed data entry processes, easy-to-follow
data entry screens, limit and reasonableness checks, and validation of
13

The OIG conducted a Review of Select Application Controls for the BOP SENTRY
application in its Audit Report No. 03-25, July 2003. SENTRY is BOP’s primary mission
support database. The system collects, maintains, and tracks critical inmate information,
including inmate location, medical history, behavior history, and release data.

29

override actions for appropriateness and correctness. Without accuracy
controls, invalid data may enter the system and produce unreliable results.
Entities can take steps to strengthen the effectiveness of accuracy
controls by making sure that:
•
•
•
•

Data entry design features contribute to data accuracy;
Data validation and editing are performed to identify erroneous
data;
Erroneous data are captured, reported, investigated, and corrected;
and
Output reports are reviewed to help maintain data accuracy and
validity.

We determined that the PTS’s data entry design and data validation
and editing features were adequate. However, our review identified
weaknesses with accuracy controls within the PTS application as indicated
below:
Accuracy Controls
CONTROL AREAS

VULNERABILITIES
NOTED

Data entry design features contribute to data accuracy
Data validation and editing are performed to identify erroneous data
Erroneous data are captured, reported, investigated, and
corrected
Output reports are reviewed to help maintain data accuracy
and validity

√
√

Erroneous Data Are Captured, Reported, Investigated, and
Corrected
Our review of accuracy controls for the PTS application disclosed that
erroneous data within the system was not identified, reported, investigated,
nor corrected. Information on erroneous data is useful in forming a basis
from which management can review and analyze the levels and types of
transaction errors and formulate plans for corrective action. However, we
found that information on rejected transactions and erroneous data was not
analyzed because the USMS management did not require erroneous data to
be collected and reported back for investigation and correction.
NIST SP 800-12, Chapter 4, “Common Threats,” warns that errors and
omissions can threaten data and system integrity. It classifies some errors
30

as threats, because users frequently make errors that result in security
problems. The guidance recommends that because application programs
cannot detect all types of input errors or omissions, erroneous data should
be reviewed to determine if errors cause threats to a system or result in
vulnerabilities.
The NIST Federal Information Processing Standards Publication 73,
Section 3.1.3, states that checking of input data during processing and
validation of data that is generated by the application system are essential
for assuring data integrity. Errors in PTS data should be detected and
corrected as soon as possible in order to prevent the propagation of invalid
data throughout the system and the potential contamination of the system
application.
Without the USMS effectively implementing measures to strengthen
accuracy controls, invalid data may be entered in the system, be processed
by the system, and cause production results that are unreliable to the
system users. Our review of the PTS output reports for accuracy of the
information reflects the existence of errors and omissions that accuracy
controls are designed to detect.
Recommendation:
We recommend that the USMS:
16. Ensure erroneous data are collected and reported back to
USMS management for investigation and correction.
Output Reports Are Reviewed to Help Maintain Data Accuracy
and Validity
A critical element of accuracy controls includes the review of output
reports to help maintain data accuracy and validity. An aspect of enforcing
the review of output reports consists of maintaining control over system
output production and distribution. We determined that the controls over
system output production and distribution for the PTS application were weak
because the USMS did not enforce strict controls to prevent the exposure of
sensitive PTS output to non-authorized employees.
The USMS allows authorized PTS users and non-authorized USMS
employees to share the same network printers. This poses a problem with
the district office’s ability to adequately protect sensitive output production
and distribution from non-authorized employees who have physical access to
network printers. We also observed that cover pages are not used to
31

safeguard sensitive PTS data from viewing by unauthorized individuals when
the output is printed on network printers. Cover pages could serve as a
mitigating control to identify the owner of the printed output on shared
printers.
NIST SP 800-53, “Recommended Security Controls” provides guidance
for protecting sensitive information to prevent the unauthorized receipt of
paper media. It cautions that entities should provide adequate supervision
of personnel and develop detailed procedures to ensure that unauthorized
individuals cannot read, copy, alter, or destroy information generated by the
information system in printed form. Additionally, the guidance stresses
assurances that “Output from the information system is given only to
authorized users.”
The Department’s Order 2640.2E, “Access Control,” requires that users
only have access to information necessary to perform their duties and no
more. Moreover, it requires that controls be in place to ensure that users
can only access resources critical to the accomplishment of their duties.
OMB Circular A-130 also provides requirements for information
safeguards. It states that information protected by the Privacy Act of 1974
should be collected, maintained, and protected to prevent disclosure of
personal information and intrusion into the privacy of individuals. The
Circular holds agencies responsible to see that appropriate information
safeguards are instituted and that employees are trained in the protection of
privacy.
By allowing authorized PTS users to print sensitive PTS output on
network printers shared by non-authorized USMS employees, the USMS is
neglecting critical physical security measures that protect against
unauthorized access. This vulnerability poses a threat to the USMS’s ability
to comply with federal regulations that require protection of privacy
information from unauthorized disclosure. It also undermines the USMS’s
efforts to effectively enforce appropriate access control and segregation of
duties.
Recommendation:
We recommend the USMS:
17. Ensure that PTS output reports containing sensitive privacy
information are protected from unauthorized persons.

32

Controls Over Integrity of Processing and Data Files
Controls over integrity of processing and data files are used to ensure
that the current versions of production programs and data files are made
available to users during system processing. These controls prevent users
from accessing outdated versions of software that may be present in the
production environment. Controls over integrity of processing and data files
include:
•
•
•
•

Procedures that ensure that the current version of production
programs and data files are used during processing;
Programs with routines that verify that the proper version of the
computer file is used during processing;
Programs with routines that check for internal file header labels
before processing; and
Mechanisms within the application that protect against concurrent
file updates.

We found that procedures existed to ensure that the current versions
of production programs, data files, and computer files are used during
processing and that programs check internal file header labels before
processing. However, we discovered the following deficiency in the control
area indicated below:
Controls Over Integrity of Processing and Data Files
CONTROL AREAS
Procedures ensure that the current version of production programs
and data files are used during processing
Programs include routines to verify that the proper version of the
computer files is used during processing
Programs include routines for checking internal file header labels
before processing
Mechanisms within the application protect against concurrent
file updates

VULNERABILITIES
NOTED

√

Mechanisms Within the Application Protect Against Concurrent
File Updates
Our review of the PTS application disclosed deficiencies within the
controls that prevent concurrent updates of files. According to USMS
headquarters, the PTS application is distributed to each of the 94 DOs.
USMS headquarters also asserted that system administrators at each site
cannot modify the PTS’s functionality and that the application should
33

function uniformly. However, we discovered malfunctions with the controls
built into the application to prevent concurrent file updates. We performed
testing at all DO locations visited, and at four locations we observed that the
controls against concurrent updates did not work consistently. PTS users
were able to access the same prisoner record and make changes to the
database simultaneously.
OMB Circular A-130 recommends that entities periodically review
security controls and seek ways to improve security such as utilizing
technical tools to look for security problems and installing the latest software
patches. NIST SP 800-40 specifically addresses procedures for handling
security patches and confirms that many organizations fail to keep software
updated and patched. It warns that not patching information systems in a
timely manner can impact operations and degrade the confidentiality,
availability, and integrity of a system’s information.
Weaknesses with controls that protect against the concurrent update
of records within an application threaten the integrity of its data. When
multiple users of the application can access the same prisoner record and
make changes to the database simultaneously, there is no assurance that
the information in the record is correct or that the application has processed
the information properly.
It appears that this weakness occurred because the USMS did not
ensure that all of its DOs received identical versions of the PTS application or
that the existing versions were not patched in a timely manner. Specifically,
USMS should confirm that the version of the PTS application in production at
each site contains the full security controls, including those designed to
prevent simultaneous updates to protect the integrity of data.
Recommendation:
We recommend the USMS:
18. Ensure that each installation of the application protects
against simultaneous updates of the same record by more
than one end-user.
3. DATA INTEGRITY TESTING
The goal of maintaining data integrity is the assurance that
information processed by the computer is reasonably complete and accurate
and meets the needs of the organization. Completeness and accuracy of
information reflect how well data integrity is maintained.
34

•
•

Completeness of information. This requires that the PTS records
contain all necessary data elements and transactions are supported
by source documents; and
Accuracy of information. Information on the PTS output reports
reflect the data entered into the PTS from source documents.

Our review of the factors that contribute to data integrity disclosed
deficiencies within the areas indicated below:
Data Integrity Assessment Factors
VULNERABILITIES
NOTED
Completeness of Information
Records contain all of the data elements and documents used
as support for the transactions

Accuracy of Information
Output reports reflect the data obtained from the source
documents

√
√

Completeness of Information
Completeness is achieved when data elements are processed as
intended and source documents are maintained to support the results of
processing. We evaluated the completeness of prisoner file folders to
determine if PTS data were properly authorized and supported by adequate
and proper documentation. Our review for completeness of information
focused on the existence of key source documents in prisoner records as
discussed earlier in the authorization controls section of this report.
Records contain all of the data elements and documents used
as support for the transactions
We found that many of the prisoner file folders reviewed were missing
information used to validate data entry transactions and to substantiate the
actions taken by USMS personnel. This occurred because the USMS did not
establish and implement standards regarding data collection and comply
with federal records retention requirements.

35

The chart below details the number of occurrences for source
document discrepancies found during the review of 25 records at each site,
and the percentages were calculated against the total number of records
(200) reviewed at all sites.
PTS’s Prisoner File Folder Completeness Analysis

Sites
Visited
E/VA
DC/DC
S/NY
E/PA
S/TX
N/IL
S/FL
D/AZ
Totals:
Percentage:
Source:

Missing
Original
USM-129 &
312
7
2
2
5
7
5
1
9
38
19%

Missing
Photos
3
5
1
10
3
0
0
3
25
13%

Missing
Fingerprint
Cards
(FD-129)
1
2
2
1
3
0
0
6
15
8%

Missing
USM-552/553
(medical form)
2
22
4
24
11
24
3
2
92
46%

The OIG’s analysis of record completeness.

OMB Circular A-130 outlines an information management policy that
includes records retention requirements and advises agencies to record
sufficient information to ensure the management and accountability of its
programs. Additionally, the guidance directs agencies to incorporate records
management functions into a system’s SDLC that include maintaining
adequate and proper documentation of agency activities. Furthermore, OMB
directs agencies to provide training and guidance to all employees regarding
their records management responsibilities, especially with respect to
maintaining adequate and proper documentation of program activities to
protect the federal government’s legal and financial interests.
Incomplete prisoner file folders pose a significant risk to the USMS’s
ability to validate PTS transactions, verify information, and justify the
actions of its employees.
Recommendation:
We recommend the USMS:
19. Ensure that adequate and proper source documents are
maintained in prisoner file folders to substantiate employee
activities.

36

Accuracy of Information
Information is considered accurate if the results of computer
processing reflect the contents of source documents. Accuracy of
information can be verified by the periodic spot-checking of system output
reports to validate and confirm that the application has processed the data
entered into it correctly.
Output reports reflect the data obtained from the source
documents
System output is evidence of the results of the input and processing
functions of an application and reflects the effectiveness of such operations.
If reviewed, output reports help to maintain the accuracy and validity of data
within a system and determine the completeness of processing. The USMS’
form 129 (USM-129) is the PTS application’s output report resulting from
prisoner record creation and subsequent record updates.
After performing the analysis for the existence of key source
documents used to create and update prisoner records, we reviewed the
same prisoner file folders for accuracy of information. This review included
the manual inspection of source documents contained in prisoner file folders.
The source documents were then compared against the information
appearing on the prisoner’s USM-129 form (PTS’s output report) to determine
data accuracy.
Our review of output reports produced by the PTS application disclosed
discrepancies in the accuracy of information. We found that prisoner
identifying information, such as a prisoner’s date of birth (DOB) and social
security number (SSN), appearing on the PTS output reports did not always
match the source documents contained in the prisoner’s file folder.
Additionally, critical dates, such as a prisoner’s custody date, did not always
correlate with dates on source documents in the prisoner file folders. Such
dates are used by the USMS to calculate expenditures for reimbursements to
contract jail facilities.
We noted common deficiencies in eight areas. These areas included:
•
•
•
•
•
•
•
•

Incorrect DOB;
Incorrect SSN;
Misfiled documents;
Concurrent jail days;
Misnumbered file jackets (prisoner’s file folder);
Missing transactions;
Wrong dates (such as custody and sentence dates); and
No supporting documentation.
37

The chart below illustrates the results of our review of the PTS’s output
reports. The numbers in each column represent the number of inaccuracies
found during the review of 25 records at each site. The percentages were
calculated against the total number of records (200) reviewed.
Accuracy of PTS’s Output Reports
Incorrect
DOB

Incorrect
SSN

Misfiled
Documents

Concurrent
Jail Days

Misnumbered
File Jackets

Missing
Transactions

Wrong
Dates

No Supporting
Documentation

E/VA

2

1

1

1

0

7

8

18

DC/DC

1

2

0

1

1

7

10

23

S/NY

0

0

0

0

0

1

8

5

E/PA

0

1

2

0

3

0

2

21

S/TX

4

0

0

0

3

0

12

20

N/IL

1

1

0

0

0

0

7

25

S/FL
D/AZ

0
1

1
0

0
1

0
0

5
0

2
1

7
1

24
15

Total:

9

6

4

2

12

18

55

151

5%

3%

2%

1%

Percentage:

6%

9%

28%

76%

Source: The OIG’s analysis of data accuracy.

DOB and SSN information. This information is used to distinguish
between prisoners with identical names. We found instances where
documents in the prisoners’ file folders did not match the DOB or SSN
information appearing on the PTS’s USM-129 report.
Misfiled documents. We discovered documentation pertaining to one
USMS prisoner erroneously filed inside another prisoner’s file folder.
Prisoner file folders contain records of court proceedings such as writs,14
judgment and commitment orders, and warrants that are used to initiate
and substantiate updates to prisoner records. A document filed in the wrong
prisoner’s file folder could delay or prevent the processing of a time-sensitive
prisoner action such as a release, movement, or designation to a BOP
facility.
Concurrent jail days. These represent instances where entries in the
chronological prisoner history section of the USM-129 indicated that a
prisoner was housed at two different jail facilities on the same dates. USMS
uses the number of jail days to calculate monthly obligations to state and
local contract jail facilities. Therefore, jail day discrepancies could negatively
14

Writs are formal legal documents that order or prohibit some action. For
exa mple, a “Writ Ad Testificandum” is a legal document ordering a witness to testify in a
court proceeding.

38

impact the accurate payment of bills causing the USMS to pay for contract
jail services it did not receive.
Misnumbered file jackets. At one site visited, we experienced difficulty
locating a prisoner’s file folder because the USMS number on the file folder
did not match the prisoner’s USMS number. We also observed what
appeared to be a re-constructed file folder because the prisoner’s USM-129
showed substantial confinement history, but the file folder had little or no
contents and was missing the minimal source documents such as
photographs and fingerprint cards. An error of this nature could prevent
USMS personnel from locating records in a timely manner or result in the
need to “reconstruct” a prisoner file folder for the prisoner in custody.
Missing transactions. We identified occurrences where documentation
existed in the prisoner’s file folder that changed the prisoner’s status, but
the transaction was not entered into the PTS. Specifically, the prisoner’s file
folder contained documentation that would trigger an update action such as
the receipt of a judgment and commitment order, but the appropriate
transaction to update the record was not entered into the PTS (WT-J/C).15
Again, this type of discrepancy could prevent or delay a time-sensitive
transaction from being entered into the PTS.
Wrong dates. These were identified when comparing the PTS’s system
output (USM-129 report) with the agent’s arrest form source document.
Incorrect entries were identified for critical dates – the prisoner’s arrest date
and USMS custody date. Discrepancies with the prisoner’s arrest date and
USMS custody date directly affect the credit a prisoner receives for time
served and also factor in the calculation for jail days used to reconcile jail
bills and other expenditures.
No supporting documentation. At all sites visited, we found that
prisoners’ file folders were missing documents that were needed to
substantiate record update actions taken by the USMS personnel. In these
instances, we determined that documentation did not exist for many of the
status code transactions and the majority of the facility history transactions
that chronicled prisoner movements. Specifically, key documents, such as
prisoner manifest forms, were not consistently maintained in the prisoner’s

15

The code “WT-J/C” is the status code for a sentenced prisoner for whom the
district has not yet received the Judgment/Commitment (J&C) papers to confirm the
sentence information. Upon receipt of the J&C, the district may send a request to BOP in
order to determine which BOP facility the prisoner will serve the period of confinement.

39

file folder or filed in the DOs for longer than one year. 16 Other supporting
documents, such as “requests for designation” or correspondence from the
BOP that justified prisoner movements, were also not maintained in the
prisoner file folders we reviewed.
We found a significant number of errors with respect to the accuracy of
information on system output and with the completeness of prisoner file
folders records. We attributed the existence of these conditions to the lack
of policies and procedures to standardize the intake process, as well as the
lack of supervisory review of data before it is entered into the PTS
application.
Recommendation:
We recommend that the USMS:
20. Ensure that data integrity assurances and quality control
measures are developed and implemented to:
a) require the periodic spot-checking and validation of
output from the PTS; and
b) confirm that the processing of information is
correct.
III. CONCLUSION
The weaknesses identified in our review of select general controls
included problems with entity-wide security planning and management. We
found that the USMS has not appointed a security manager for PTS and the
organization did not ensure that employees receive specialized PTS training
either before accessing the system or within a reasonable period thereafter.
Weaknesses with segregation of duties occurred because the USMS has not
developed and implemented formal operating policies and procedures to
guide users in the performance of their duties. Furthermore, the
organization has not developed policies to segregate incompatible duties.
We also found that PTS users were not familiar with the USMS’s
application software development and change control procedures and that
the USMS is using outdated programming and database management
16

According to USMS Policy Directive No. 99-47, Cellblock Operations, prisoner
manifest forms such as the USMS’ Form 40/41, “Prisoner Remand or Order to Deliver &
Receipt for U.S. Prisoners,” are executed to reflect the transfer of custody during the release
of prisoners to the temporary custody of law enforcement officers.

40

software to support the PTS, a mission-critical application. We determined
that access controls were inadequate because the PTS authorized user list
was not properly maintained and physical access controls designed to
protect data terminals that process sensitive PTS information were not
enforced.
Our review of the PTS’s application controls disclosed that controls to
properly authorize data and validate transactions were deficient.
Specifically, we found tha t the USMS had not established proper
authorization controls or standards for key source documents used to create
prisoner records in the PTS. Additionally, supervisory reviews of source
documents and transactions were not being performed on a consistent basis
to mitigate this condition. We also discovered that audit logs used to
recreate events and track user activity were not being kept. Problems with
accuracy controls included weaknesses with erroneous data not being
collected or reported back to management for investigation or correction.
Furthermore, the USMS failed to control system output reports by allowing
authorized PTS users to share printers with non-authorized USMS
employees.
Deficiencies with completeness controls involved the USMS’s failure to
enforce its own policy that dictates that a prisoner may not have more than
one USMS prisoner number. To complicate matters, the current PTS
configuration does not provide for universal computer sequence checking to
prevent the assignment of multiple USMS numbers to the same prisoner. In
addition, we found that the application did not consistently enforce controls
over integrity of processing and data files. We observed that the system
allowed concurrent file updates when two users were able to update the
same prisoner record at the same time.
Problems were identified with data integrity for the PTS application
during our review of prisoner records for completeness and in our checks for
accuracy of information contained in system output. We found that prisoner
file folders were missing key source documents critical to the record creation
process and that the proper documentation needed to substantiate actions
taken by USMS personnel was not maintained in the folders.
We consider our findings in the areas of select general controls,
application controls, and data integrity to be major weaknesses that pose a
high risk to the protection of its data from unauthorized use, loss, or
modification. We conclude that the weaknesses with select general controls
and application controls occurred because the USMS did not enforce its own
policies and did not comply with the Department’s policies and procedures,
NIST standards, and OMB guidelines. We further conclude that the
41

deficiencies with data integrity occurred because the USMS did not develop
and implement formal policies and procedures to guide users in the
performance of critical duties, such as creating and updating prisoner
records in the PTS. As a result, we found errors and omissions on system
output reports that we attributed to the lack of sufficient training and
inconsistent practices.
The USMS’s reliance on the data within the PTS with inaccurate
information could result in over expenditures for reimbursable contracts with
private jail facilities. Additionally, the untimely release of a prisoner or the
misidentification of a prisoner requiring segregation or protection within the
prisoner population also could occur. If not corrected, these weaknesses
could impair the USMS’s ability to ensure the integrity, confidentiality, and
availability of data contained within the PTS.

42

APPENDIX 1

OBJECTIVES, SCOPE, AND METHODOLOGY
Our audit objectives were to review application controls, select general
controls, and assess the reliability of the Prisoner Tracking System (PTS)
data. The audit work, which occurred between June and December 2003,
was performed in accordance with the Government Auditing Standards. We
conducted fieldwork at the United States Marshals Service (USMS)
headquarters in Arlington, Virginia, and 8 of the 94 USMS district offices
(DOs). The eight DOs were: Alexandria, Virginia; Washington, D.C.; New
York, New York; Houston, Texas; Philadelphia, Pennsylvania; Chicago,
Illinois; Miami, Florida; and Phoenix, Arizona. The DOs were selected
because their location, detainee processing volume, or USMS headquarters
identified them as “model sites.”
Although our primary objectives were to review application controls
and perform data integrity testing, our audit criteria for evaluating
application controls included certain select general control areas. Those
steps involved obtaining an overview of the application’s user population
(access controls), developing an understanding of the operational workflow
process (entity-wide security program planning and management and
segregation of duties), and developing an understanding of the hardware
and software environment (system software, application software
development, and service continuity). Therefore, this report contains
findings from select general control areas required to assess the
effectiveness of PTS’s application controls.
The Marshals Network (MNET) serves as the PTS’s system environment
because PTS users must login to MNET to gain access to PTS servers. The
OIG performed an audit of MNET’s general controls during its fiscal year
2003 Federal Information Security Management Act (FISMA) review. We
therefore relied on audit findings disclosed during the FISMA review as an
assessment of the PTS application’s system environment and reported on
those select general controls we reviewed as required by the application
controls audit criteria.
To accomplish our audit objectives, we conducted over 50 interviews
and visited the 8 DOs represented on the map in Appendix 2. We
interviewed USMS headquarters officials from the Prisoner Services Division,
Planning and Analysis Branch, and Information Technology Services Division
to assess select general controls, such as entity-wide security program
planning and management of the PTS and service continuity. From these
interviews, we were able to gain an understanding of the application’s user
population, operational workflow process, and hardware and software
43

environment. Additionally, we obtained information from deputy marshals,
administrative officers, criminal clerks, detention enforcement officers, and
system administrators at each DO visited to evaluate the overall
effectiveness of application controls for protecting the PTS’s data. We
specifically reviewed authorization, completeness, accuracy, and integrity of
processing controls.
Our visits to the selected DOs included observing operational activities
and performing data integrity testing. Our observation of operational
activities allowed us to assess the USMS’s compliance with the Federal
Information System Controls Audit Manual (FISCAM), USMS’s PTS User
Manual, and USMS’s Policy Directive No. 99-47 (Cellblock Operations). To
perform data integrity testing, we judgmentally selected a total of 200
prisoners’ file folders (25 file folders at each of the 8 sites visited). We
reviewed these prisoners’ records for completeness of information and
manually compared source documents to the PTS output to determine
accuracy of information as recommended in the General Accounting Office’s
(GAO) guidance for Assessing the Reliability of Computer-Processed Data.
Additionally, we reviewed the certification and accreditation
documentation for the PTS, the Department’s information technology
management policies and procedures, the USMS’s organizational structures,
and information contained within individual prisoner file folders.

44

APPENDIX 2
FIELDWORK SITE VISIT MAP

Map

District Offices Visited Representing
United States Marshals Service Regions

Chicago, Illinois

MID-WEST
Region
WEST
Region

NORTHEAST
Region
SOUTH
Region

Phoenix, Arizona

Houston, Texas
Miami, Florida

45

Alexandria, Virginia
District of Columbia
New York, New York
Philadelphia,, Pennsylvania

APPENDIX 3
FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL
SELECT GENERAL CONTROLS

CONTROL AREAS

VULNERABILITIES
NOTED

Entity-wide Security Program Planning & Management
Assess risks periodically
Document an entity-wide security program plan
Establish a security management structure and clearly assign
security responsibilities
Implement effective security-related personnel policies
Monitor the security program’s effectiveness and make changes
as needed

√
√

Access Controls
Classify information resources according to their criticality and
sensitivity
Maintain a current list of authorized users and ensure that their
access is authorized
Establish physical and logical controls to prevent and detect
unauthorized access
Monitor access, investigate apparent security violations, and
take appropriate remedial action

√
√

Application Software Development & Change Control
Authorize processing features and modifications

√

Test and approve all new and revised software
Control software libraries

System Software
Limit access to system software
Monitor access to and use of system software

√

Control system software changes

Segregation of Duties
Segregate incompatible duties and establish related policies

√

Establish access controls to enforce segregation of duties
Control personnel activities through formal operating procedures
and supervision and review

√

Service Continuity
Assess the criticality and sensitivity of computerized operations
and identify supporting resources
Take steps to prevent and minimize potential damage and
interruption
Develop and document a comprehensive contingency plan
Test the contingency plan periodically and adjust it as
appropriate

46

√
√
√

FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL
APPLICATION CONTROLS

CONTROL AREAS

VULNERABILITIES
NOTED

Authorization Controls
All data are authorized before entering the application system
Restrict data entry terminals to authorized users for authorized
purposes
Master files and exception reporting help ensure all data are
processed and are authorized

√
√

Completeness Controls
All authorized transactions are entered into and processed by
the computer

√

Reconciliations are performed to verify data completeness

Accuracy Controls
Data entry design features contribute to data accuracy
Data validation and editing are performed to identify erroneous
data
Erroneous data are captured, reported, investigated, and
corrected
Output reports are reviewed to help maintain data accuracy
and validity

√
√

Controls Over Integrity of Processing and Data Files
Procedures ensure that the current version of production
programs and data files are used during processing
Programs include routines to verify that the proper version of
the computer files is used during processing
Programs include routines for checking internal file header
labels before processing
Mechanisms within the application protect against concurrent
file updates

47

√

APPENDIX 4

GENERAL ACCOUNTING OFFICE
ASSESSING THE RELIABILITY OF COMPUTER-PROCESSED DATA
DATA INTEGRITY ASSESSMENT FACTORS
VULNERABILITIES
NOTED
Completeness of Information
Contain all of the data elements and records used as
support for the transactions

Accuracy of Information
Reflect the data obtained from the source documents

48

√
√

APPENDIX 5
GENERAL ACCOUNTING OFFICE
FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL
GENERAL CONTROLS REVIEW GUIDELINES
The general controls guidelines used for this audit were obtained from
Chapter 3, “Evaluating and Testing General Controls,” of the GAO’s FISCAM.
The information below represents only those sections from the FISCAM that
serve as the basis for the vulnerabilities identified during our review of the
Prisoner Tracking System.17
3.0 OVERVIEW
General controls are the structure, policies, and procedures that apply
to an entity’s overall computer operations. They create the environment in
which application systems and controls operate. During a financial
statement audit, the auditor will focus on general controls that normally
pertain to an entity’s major computer facilities and systems supporting a
number of different applications, such as major data processing installations
or local area networks. If general controls are weak, they severely diminish
the reliability of controls associated with individual applications. For this
reason, general controls are usually evaluated separately from and prior to
evaluating application controls.
There are six major categories of general controls that the auditor should
consider. These are:
• entity-wide security program planning and management that
provides a framework and continuing cycle of activity for managing risk,
developing security policies, assigning responsibilities, and monitoring the
adequacy of the entity’s computer-related controls;
• access controls that limit or detect access to computer resources (data,
programs, equipment, and facilities), thereby protecting these resources
against unauthorized modification, loss, and disclosure;
• application software development and change controls that prevent
unauthorized programs or modifications to an existing program from
being implemented;

17

The areas from the FISCAM selected for inclusion in this report have been
paraphrased.

49

• system software controls that limit and monitor access to the powerful
programs and sensitive files that (1) control the computer hardware, and
(2) secure applications supported by the system;
•

segregation of duties that are policies, procedures, and an
organizational structure established so that one individual cannot control
key aspects of computer-related operations and thereby conduct
unauthorized actions or gain unauthorized access to assets or records;
and

• service continuity controls to ensure that when unexpected events
occur, critical operations continue without interruption or are promptly
resumed, and critical and sensitive data are protected.
For each of these six categories, the manual identifies several critical
elements that represent tasks that are essential for establishing adequate
controls. For each critical element, there is a discussion of the associated
objectives, risks, and critical activities, as well as related control techniques
and audit concerns. The auditor can use this information to evaluate entity
practices.
3.1

ENTITY-WIDE SECURITY PROGRAM PLANNING AND
MANAGEMENT (SP)

An entity-wide program for security planning and management is the
foundation of an entity’s security control structure and a reflection of senior
management’s commitment to addressing security risks. The program
should establish a framework and continuing cycle of activity for assessing
risk, developing and implementing effective security procedures, and
monitoring the effectiveness of these procedures. Without a well-designed
program, security controls may be inadequate; responsibilities may be
unclear, misunderstood, and improperly implemented; and controls may be
inconsistently applied. Such conditions may lead to insufficient protection of
sensitive or critical resources and disproportionately high expenditures for
controls over low-risk resources.

50

CRITICAL ELEMENTS
SP-1 Assess risks periodically
SP-2 Document an entity-wide security program plan
SP-3 Establish a security management structure and clearly assign
security responsibilities
SP-4 Implement effective security-related personnel policies
SP-5 Monitor the security program’s effectiveness and make changes as
needed

Critical Element SP-3: Establish a security management structure
and clearly assign security responsibilities
Senior management should establish a structure to implement the security
program throughout the entity. The structure generally consists of a core of
personnel who are designated as security managers. These personnel play a
key role in developing, communicating, and monitoring compliance with
security policies and reporting on these activities to senior management.
The security management function also serves as a focal point for others
who plan a role in evaluating the appropriateness and effectiveness of
computer-related controls on a day-to-day basis. These include program
managers who rely on the entity’s computer systems, system
administrators, and system users.
SP-3.1: A security management structure has been established
The effectiveness of the security program is affected by the way in which
responsibility for overseeing its implementation is assigned. Generally, such
responsibility is assigned to a central security program office.
Responsibilities of the central security program office may include:
•
•
•
•
•
•

facilitating risk assessments,
coordinating the development of and distributing security policies and
procedures,
routinely monitoring compliance with these policies,
promoting security awareness among system users,
providing reports to senior management on policy and control evaluation
results and giving advice to senior management on security policy-related
issues; and
representing the entity in the security community.
51

SP-3.2: Information security responsibilities are clearly assigned
OMB Circular A-130, Appendix III, requires that the rules of the system and
application “shall clearly delineate responsibilities and expected behavior of
all individuals with access . . . and shall be clear about the consequences of
behavior not consistent with the rules.” Security-related responsibilities of
offices and individuals throughout the entity that should be clearly defined
include those of (1) information resource owners and users, (2) information
resources management and data processing personnel, (3) senior
management, and (4) security administrators. Further, responsibilities for
individual employee accountability regarding the use and disclosure of
information resources should be established.”
Critical Element SP-4:
personnel policies

Implement effective security-related

Policies related to personnel actions, such as hiring and termination, and
employee expertise are important factors for information security. If
personnel policies are not adequate, an entity runs the risk of (1) hiring
unqualified or untrustworthy individuals, (2) providing terminated
employees opportunities to sabotage or otherwise impair entity operations
or assets, (3) failing to detect continuing unauthorized employee actions,
(4) lowering employee morale, which may in turn diminish employee
compliance with controls, and (5) allowing staff expertise to decline.
SP-4.2: Employees have adequate training and expertise
Management should ensure that employees – including data owners, system
users, data processing personnel, and security management personnel –
have the expertise to carry out their information security responsibilities. To
accomplish this, the security program should include:
•
•
•
•

job descriptions that include the education, experience, and
expertise needed;
periodic reassessment of the adequacy of employees’ skills;
annual training requirements and professional development programs
to help make certain employees’ skills, especially technical skills, are
adequate and current; and
monitoring employee training and professional development
accomplishments.

52

3.2 ACCESS CONTROLS (AC)
Access controls should provide reasonable assurance that computer
resources (data files, application programs, and computer-related facilities
and equipment) are protected against unauthorized modification, disclosure,
loss, or impairment. Such controls include physical controls, such as
keeping computers in locked rooms to limit physical access, and logical
controls, such as security software programs designed to prevent or detect
unauthorized access to sensitive files.
Inadequate access controls diminish the reliability of computerized data and
increase the risk of destruction or inappropriate disclosure of data. The
following examples illustrate the potential consequences of such
vulnerabilities.
•

By obtaining direct access to data files, an individual could make
unauthorized changes for personal gain or obtain sensitive
information. For example, a person could (1) alter the address of a
payee and thereby direct a disbursement to himself or herself, (2)
alter inventory quantities to conceal a theft of assets, (3) inadvertently
or purposefully change a receivable balance, or (4) obtain confidential
information about business transactions or individuals.

•

By obtaining access to application programs used to process
transactions, an individual could make unauthorized changes to these
programs or introduce malicious programs, which in turn could be
used to access data files, resulting in situations similar to those
described above, or to process unauthorized transactions. For
example, a person could alter a payroll or payables program to
inappropriately generate a check for himself or herself.

•

By obtaining access to computer facilities and equipment, an individual
could (1) obtain access to terminals or telecommunications equipment
that provide input into the computer, (2) obtain access to confidential
or sensitive information on magnetic or printed media, (3) substitute
unauthorized data or programs, or (4) steal or inflict malicious damage
on computer equipment and software.

53

CRITICAL ELEMENTS
AC-1 Classify information resources according to their criticality and
sensitivity
AC-2 Maintain a current list of authorized users and ensure that their
access is authorized
AC-3 Establish physical and logical controls to prevent and detect
unauthorized access
AC-4 Monitor access, investigate apparent security violations, and take
appropriate remedial action

Critical Element AC-2 : Maintain a current list of authorized users
and ensure that their access is authorized

An entity should institute policies and procedures for authorizing access to
information resources and documenting such authorizations. These policies
and procedures should cover user access needed for routine operations,
emergency access, and the sharing and disposition of data with individuals
or groups outside the entity.
AC-2.1: Resource owners have identified authorized users and their
access authorized
The computer resource owner should identify the specific user or class of
users that are authorized to obtain direct access to each resource for which
he or she is responsible. This process can be simplified by developing
standard profiles, which describe access needs for groups of users with
similar duties, such as accounts payable clerks.
Access may be permitted at a file, record, or field level. Files are composed
of records, typically one for each item or transaction. Individual records are
composed of fields that contain specific data elements relating to each
record. Access authorizations should be documented on standard forms,
maintained on file, approved by senior managers, and securely transferred
to security managers. Owners should periodically review access
authorization listings and determine whether they remain appropriate.
Listings of authorized users and their specific access needs and any
modifications should be approved by an appropriate senior manager and
54

directly communicated in writing by the resource owner to the security
management function.
It is equally important to notify the security management function
immediately when an employee is terminated or, for some other reason, is
no longer authorized access to information resources.
Critical Element AC-3 : Establish physical and logical controls to
prevent and detect unauthorized access

The entity should have a cost-effective process for protecting data files,
application programs, and hardware through a combination of physical and
logical security controls. Physical security involves restricting physical
access to computer resources, usually by limiting access to the buildings and
rooms where they are housed, or by installing locks on computer terminals.
However, physical controls alone cannot ensure that programs and data are
protected. For this reason, it is important to establish logical security
controls that protect the integrity and confidentiality of sensitive files. The
security function should be responsible for implementing and maintaining
both physical and logical controls based upon authorizations provided by the
owners of the resources.
AC-3.1: Adequate physical security controls have been implemented
Physical security controls restrict physical access to computer resources and
protect them from intentional or unint entional loss or impairment.
In evaluating the effectiveness of physical security controls, the auditor
should consider the effectiveness of the entity’s policies and practices for:
•
•
•
•
•
•
•

granting and discontinuing access authorizations,
controlling passkeys,
controlling entry during and after normal business hours,
controlling the deposit and withdrawal of tapes and other storage media
to and from the library,
handling emergencies,
controlling reentry after emergencies; and
establishing compensatory controls when restricting physical access is not
feasible, as is often the case with telecommunications lines.

55

3.3 APPLICATION SOFTWARE DEVELOPMENT AND CHANGE
CONTROL (CC)
Application software is designed to support a specific operation, such as
payroll or loan accounting. Typically several applications may operate under
one set of operating system software. Controls over operating system
software are discussed in Section 3.4.
Establishing controls over the modifications of application software programs
helps to ensure that only authorized programs and authorized modifications
are implemented. This is accomplished by instituting policies, procedures,
and techniques that help make sure all programs and program modifications
are properly authorized, tested, and approved; and that access to and
distribution of programs is carefully controlled. Without proper controls,
there is a risk that security features could be inadvertently or deliberately
omitted or “turned off” or that processing irregularities or malicious code
could be introduced. For example,
•
•
•

a knowledgeable programmer could surreptitiously modify program
code to provide a means of bypassing controls to gain access to
sensitive data;
the wrong version of a program could be implemented, thereby
perpetuating outdated or erroneous processing that is assumed to
have been updated; or
a virus could be introduced, inadvertently or on purpose, that disrupts
processing.

CRITICAL ELEMENTS
CC-1 Authorize processing features and modifications
CC-2 Test and approve all new and revised software
CC-3 Control software libraries

Critical Element CC-1 : Authorize processing features and
modifications
The processing features built into application software should be authorized
by the managers responsible for the agency program or operations that the
application supports. This is because these are the managers responsible for
seeing that software supporting their operations meets their needs and
56

produces reliable data and that the operations are carried out in accordance
with applicable laws, regulations, and management policies. For example,
the processing features associated with loan accounting software should be
authorized by the loan program managers. Such user or owner
authorization is needed when new systems are being developed, as well as
when operational systems are being modified.
Authorization is the first step in implementing the features or the changes
that have been decided on by the users, and the entity should have a
process for obtaining, documenting, and communicating such authorizations
as part of its system development life cycle (SDLC) methodology. If
authorization procedures have not been developed or are not followed, an
individual might be able to initiate program changes that result in erroneous
processing or weakened access controls or edits built into the software.
CC-1.2: Authorizations for software modifications are documented
and maintained
Policies and procedures should be in place that detail who can authorize a
modification and how these authorizations are to be documented. Generally
the application users have the primary responsibility for authorizing systems
changes. However, users should be required to discuss their proposed
changes with systems developers to confirm that the change is feasible and
cost effective. For this reason, an entity may require a senior systems
developer to co-authorize a change.
The use of standardized change request forms helps ensure that requests
are clearly communicated and that approvals are documented.
Authorization documentation should be maintained for at least as long as a
system is in operation in case questions arise regarding why or when system
modifications were made. Authorization documents may be maintained in
either paper or electronic form as long as their integrity is protected.
3.4 SYSTEM SOFTWARE (SS)
System software is a set of programs designed to operate and control the
processing activities of computer equipment. Generally, one set of system
software is used to support and control a variety of applications that may
run on the same computer hardware. System software helps control and
coordinate the input, processing, output, and data storage associated with
all of the applications that run on a system. Some system software can

57

change data and program code on files without leaving an audit trail. The
following are examples of system software:
•
•
•
•
•
•
•

operating system,
system utilities,
program library,
file maintenance,
security,
data communications systems; and
database management systems.

Controls over access to and modification of system software are essential in
providing reasonable assurance that operating system-based security
controls are not compromised and that the system will not be impaired.
Inadequate controls in this area could lead to unauthorized individuals using
system software to circumvent security controls to read, modify, or delete
critical or sensitive information and programs; authorized users of the
system gaining unauthorized privileges to conduct unauthorized actions;
and/or systems software being used to circumvent edits and other controls
built into application programs. Such weaknesses seriously diminish the
reliability of information produced by all of the applications supported by the
computer system and increase the risk of fraud and sabotage. System
software programmers are often more technically qualified than other data
processing personnel and, thus, have a greater ability to perform
unauthorized actions if controls in this area are weak.
CRITICAL ELEMENTS
SS-1 Limit access to system software
SS-2 Monitor access to and use of system software
SS-3 Control system software changes

Critical Element SS-3: Control system software changes

Modifications to system software should be controlled so that only authorized
and properly tested changes are implemented. If system software is not
adequately controlled and tested, system parameters may be inadequate to
prevent unauthorized changes to application programs or data.
Furthermore, software malfunctions during processing runs could result in
inaccurate or incomplete financial data. Controls should provide that all
58

changes are tested and approved and that only approved system software is
implemented.
SS-3.2: Installation of system software is documented and reviewed
When possible, the installation of system software changes and new versions
or products should be scheduled to minimize the impact on data processing
operations, and an advance notice should be provided to system software
users. The actual installation should be logged to establish an audit trail and
reviewed by data center management. The migration of system software
from the testing environment to the production environment should be done,
after approval, by an independent library control group. Outdated versions
of system software should be removed from the production environment to
preclude their future use. Some changes may be made specifically to
correct security or integrity vulnerabilities, while using outdated versions
allows the entity’s data and systems to remain exposed to these
vulnerabilities.
All vendor-supplied system software should be supported by the vendor.
Vendors often release new versions of system software products and may
discontinue support of earlier versions. Enhancements and corrections made
to subsequent versions of system software will not be available to entities
that forgo acquiring the latest version. All system software should have
current and complete documentation. Inadequate documentation will hinder
maintenance activities, particularly during emergency situations when
in-house systems programmers are attempting to restart a failed system
and vendor assistance is not readily available.
3.5

SEGREGATION OF DUTIES (SD)

Work responsibilities should be segregated so that one individual does not
control all critical stages of a process. For example, while users may
authorize program changes, programmers should not be allowed to do so
because they are not the owners of the system and do not have the
responsibility to see that the system meets user needs. Similarly, one
computer programmer should not be allowed to independently write, test,
and approve program changes. Often, segregation of duties is achieved by
splitting responsibilities between two or more organizational groups.
Dividing duties among two or more individuals or groups diminishes the
likelihood that errors and wrongful acts will go undetected because the
activities of one group or individual will serve as a check on the activities of
the other.

59

CRITICAL ELEMENTS
SD-1 Segregate incompatible duties and establish related policies
SD-2 Establish access controls to enforce segregation of duties
SD-3 Control personnel activities through formal operating procedures
and supervision and review

Critical Element SD-1: Segregate incompatible duties and
establish related policies

The first steps in determining if duties are appropriately segregated are to
analyze the entity’s operations, identify incompatible duties, and assign
these duties to different organizational units or individuals. Federal internal
control standards specify that key duties and responsibilities for authorizing,
processing, recording, and reviewing transactions should be separated. This
concept can also be applied to the authorization, testing, and review of
computer program changes.
Segregating duties begins by establishing independent organizational groups
with defined functions, such as a payroll unit responsible for preparing
payroll transaction input and a data processing unit responsible for
processing input prepared by other units. Functions and related tasks
performed by each unit should be documented for the unit and in staff job
descriptions and should be clearly communicated to personnel assigned the
responsibilities.
SD-1.1: Incompatible duties have been identified and policies
implemented to segregate these duties
Management should have analyzed operations and identified incompatible
duties tha t are then segregated through policies and organizational divisions.
Although incompatible duties may vary from one entity to another, the
following functions are generally performed by different individuals:
Information Systems (IS) management, systems design, application
programming, systems programming, quality assurance/testing, library
management/change management, computer operations, production control
and scheduling, data security, data administration, and network
administration.

60

The following include examples of restrictions that are generally addressed in
policies about segregating duties and are achieved through organizational
divisions and access controls.
•
•
•
•
•
•
•
•

Application users should not have access to operating system or
application software.
Programmers should not be responsible for moving programs into
production or have access to production libraries or data.
Access to operating system documentation should be restricted to
authorized systems programming personnel.
Access to application system documentation should be restricted to
authorized applications programming personnel.
Access to production software libraries should be restricted to library
management personnel.
Persons other than computer operators should not set up or operate
the production computer.
Only users, not computer staff, should be responsible for transaction
origination or correction and for initiating changes to application files.
Computer operators should not have access to program libraries or
data files.

Some steps involved in processing a transaction also need to be
separated among different individuals. For example, the following
combinations of functions should not be performed by a single individual.
•
•
•
•

Data entry and verification of data,
Data entry and its reconciliation to output,
Input of transactions for incompatible processing functions (e.g., input
of vendor invoices and purchasing and receiving information); and
Data entry and supervisory authorization functions (e.g., authorizing a
rejected transaction to continue processing that exceeds some limit
requiring a supervisor’s review and approval).

Organizations with limited resources to segregate duties should have
compensating controls, such as supervisory review of transactions
performed.
Critical E lement SD-3: Control personnel activities through formal
operating procedures and supervision and review
Control over personnel activities requires formal operating procedures and
active supervision and review of these activities. This is especially relevant
61

for computer operators. Inadequacies in this area could allow mistakes to
occur and go undetected, and facilitate unauthorized use of the computer.
SD-3.1: Formal procedures guide personnel in performing their
duties
Detailed, written instructions should exist and be followed to guide
personnel in performing their duties. These instructions are especially
important for computer operators. For example, computer operator
instruction manuals should provide guidance on system startup and shut
down procedures, emergency procedures, system and job status reporting,
and operator prohibited activities. Application-specific manuals
(commonly called “run” manuals) should provide additional instructions for
operators specific to each application, such as instructions on job setup,
console and error messages, job checkpoints, and restart and recovery
steps after system failures. Operators should be prevented from overriding
file label or equipment error messages.
SD-3.2: Active supervision and review are provided for all personnel
Supervision and review of personnel activities help make certain that these
activities are performed in accordance with prescribed procedures, that
mistakes are corrected, and that the computer is used only for authorized
purposes. To aid in this oversight, all computer operator activities on the
computer system should be recorded on an automated history log, which
serves as an audit trail. Supervisors should routinely review this history log
and investigate any abnormalities.
3.6 SERVICE CONTINUITY (SC)
Losing the capability to process, retrieve, and protect information
maintained electronically can significantly affect an agency’s ability to
accomplish its mission. For this reason, an agency should have (1)
procedures in place to protect information resources and minimize the risk of
unplanned interruptions and (2) a plan to recover critical operations should
interruptions occur. These plans should consider the activities performed at
general support facilities, such as data processing centers and
telecommunications facilities, as well as the activities performed by users of
specific applications. To determine whether recovery plans will work as
intended, they should be tested periodically in disaster simulation exercises.
To mitigate service interruptions, it is essential that the related controls be
understood and supported by management and staff throughout the
organization. Senior management commitment is especially important to
62

ensure that adequate resources are devoted to emergency planning,
training, and related testing. In addition, all staff with service continuity
responsibilities, such as staff responsible for backing up files, should be fully
aware of the risks of not fulfilling these duties.
CRITICAL ELEMENTS
SC-1 Assess the criticality and sensitivity of computerized operations and
identify supporting resources
SC-2 Take steps to prevent and minimize potential damage and
interruption
SC-3 Develop and document a comprehensive contingency plan
SC-4 Test the contingency plan periodically and adjust it as appropriate

Critical Element SC-1: Assess the criticality and sensitivity of
computerized operations and identify supporting resources
At most entities, the continuity of certain automated operations is more
important than others, and it is not cost-effective to provide the same level
of continuity for all operations. For this reason, it is important that
management analyze data and operations to determine which are the most
critical and what resources are needed to recover and support them. This is
the first step in determining which resources merit the greatest protection
and what contingency plans need to be made.
SC-1.2: Resources supporting critical operations are identified
Once critical data and operations have been determined, the minimum
resources needed to support them should be identified and their role
analyzed. The resources considered include computer resources, such as
computer hardware, software, and data files; computer supplies, including
paper stock and preprinted forms; telecommunications services; and any
other resources that are necessary to the operation, such as people, office
facilities and supplies, and noncomputerized records. For example, an
analysis should be performed to identify the maximum number of disk drives
needed at one time and the specific requirements for telecommunications
lines and devices.
Because essential resources are likely to be held or managed by a variety of
groups within an organization, it is important that program and information
63

security (IS) support staff work together to identify the resources for critical
operations.
Critical Element SC-2: Take steps to prevent and minimize
potential damage and interruption
There are a number of steps that an organization should take to prevent or
minimize the damage to automated operations that can occur from
unexpected events. These can be categorized as follows:
•
•
•
•

routinely duplicating or backing up data files, computer programs, and
critical documents with off-site storage;
installing environmental controls, such as fire suppression systems or
backup power supplies;
arranging for remote backup facilities that can be used if the entity’s
usual facilities are damaged beyond use; and
ensuring that staff and other users of the system understand their
responsibilities in case of emergencies.

Taking such steps, especially implementing thorough backup procedures and
installing environmental controls, are generally inexpensive ways to prevent
relatively minor problems from becoming costly disasters. In particular, an
entity should maintain an ability to restore data files, which may be
impossible to recreate if lost. In addition, effective maintenance, problem
management, and change management for hardware equipment will help
prevent unexpected interruptions.
SC-2.1: Data and program backup procedures have been
implemented
Routinely copying data files and software and securely storing these files at
a remote location are usually the most cost-effective actions that an entity
can take to mitigate service interruptions. Although equipment can often be
readily replaced, the cost could be significant, and reconstructing
computerized data files and replacing software can be extremely costly and
time-consuming. Sometimes, reconstruction of data files may be virtually
impossible. In addition to the direct costs of reconstructing files and
obtaining software, the related service interruptions could lead to significant
financial losses.
A program should be in place for regularly backing up computer files,
including master files, transaction files, application programs, systems
software, and database software, and storing these backup copies securely
64

at an off-site location. Although choosing a backup storage location is a
matter of judgment, the backup location should be far enough away from
the primary location that it will not be impaired by the same events, such as
fires, storms, and electrical power outages. In addition, it should be
protected from unauthorized access and from environmental hazards, such
as fires and power outages.
SC-2.3: Staff have been trained to respond to emergencies
Staff should be trained in and aware of their responsibilities in preventing,
mitigating, and responding to emergency situations. For example, data
center staff should receive periodic training in emergency fire, water, and
alarm incident procedures as well as their responsibilities in starting up and
running an alternate data processing site. Also, if outside users are critical
to the entity’s operations, they should be informed of the steps they may
have to take as a result of an emergency.
Generally, information on emergency procedures and responsibilities can be
provided through training sessions and by distributing written policies and
procedures. Training sessions should be held at least once a year and
whenever changes to emergency plans are made.
Also, if staff could be required to relocate or significantly alter their
commuting routine in order to operate an alternate site in an emergency, it
is advisable for an entity to incorporate into the contingency plan steps for
arranging lodging and meals or any othe r facilities or services that may be
needed to accommodate the essential human resources.
Critical Element SC-4: Periodically test the contingency plan and
adjust it as appropriate
Testing contingency plans is essential to determine whether they will
function as intended in an emergency situation. According to OMB, federal
managers have reported that testing revealed important weaknesses in their
plans, such as backup facilities that could not adequately replicate critical
operations as anticipated. Through the testing process, these plans were
substantially improved.
The most useful tests involve simulating a disaster situation to test overall
service continuity. Such a test would include testing whether the alternative
data processing site will function as intended and whether critical computer
data and programs recovered from off-site storage are accessible and
current. In executing the plan, managers will be able to identify weaknesses
65

and make changes accordingly. Moreover, tests will assess how well
employees have been trained to carry out their roles and responsibilities in a
disaster situation.
SC-4.1: The plan is periodically tested
The frequency of contingency plan testing will vary depending on the
criticality of the entity’s operations. Generally, contingency plans for very
critical functions should be fully tested about once every year or two,
whenever significant changes to the plan have been made, or when
significant turnover of key people has occurred. It is important for top
management to assess the risk of contingency plan problems and develop
and document a policy on the frequency and extent of such testing.

66

APPENDIX 6

GENERAL ACCOUNTING OFFICE
FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL
APPLICATION CONTROLS REVIEW GUIDELINES
The general controls guidelines used for this audit were obtained from
Chapter 4, “Evaluating and Testing Application Controls,” of the GAO’s
FISCAM. The information below represents only those sections from the
FISCAM that serve as the basis for the vulnerabilities identified during our
review of the Prisoner Tracking System.18
4.0

OVERVIEW

Application controls are the structure, policies, and procedures that
apply to separate, individual application systems, such as accounts
payable, inventory, payroll, grants, or loans. An application system is
typically a collection or group of individual computer programs that
relate to a common function. In the federal government, some
applications may be complex comprehensive systems, involving
numerous computer programs and organizational units, such as those
associated with benefit payment systems. For the purposes of this
document, application controls encompass both the routines contained
within the computer program code, and the policies and procedures
associated with user activities, such as manual measures performed by
the user to determine that data were processed accurately by the
computer.
Application controls help make certain that transactions are valid, properly
authorized, and completely and accurately processed by the computer. They
are commonly categorized into three phases of a processing cycle:
•
•
•

input – data are authorized, converted to an automated form, and
entered into the application in an accurate, complete, and timely manner;
processing – data are properly processed by the computer and files are
updated correctly; and
output – files and reports generated by the application actually occur
and accurately reflect the results of processing, and reports are controlled
and distributed to the authorized users.

18

The areas from the FISCAM selected for inclusion in this report have been
paraphrased.

67

Some guides provide additional categories of application controls. For
example, data origination is a breakout of input it controls to focus on source
documents and their need for authorization and proper preparation and
control. Also, data storage and retrieval focuses on access to and use of
data files and protecting their integrity.
Instead of using the phases of a processing cycle, this document uses
control categories that better tie-in with the Specific Control Evaluation
Worksheets (SCE) found in the Financial Audit Manual. The SCE is used to
document the controls evaluation and is prepared for each significant
accounting application. Included on the SCE are columns for recording the
control objectives and control techniques being evaluated, and accuracy
including whether the assertion and related transactions are authorized,
complete, valid, and accurate. The control objectives and techniques
addressed in this chapter are consistent with other guidance, but our
categorization, tying to the SCE, are the following:
•

Authorization controls – This is most closely aligned with the financial
statement accounting assertion of existence or occurrence. This
assertion, in part, concerns the validity of transactions and ensures that
they represent economic events that actually occurred during a given
period.

•

Completeness controls – This directly relates to the financial statement
accounting assertion on completeness, which deals with whether all valid
transactions are recorded and properly classified.

•

Accuracy controls – This most directly relates with the financial
statement assertion on valuation or allocation. This assertion deals with
whether transactions are recorded at correct amounts. The control
category, however, is not limited to financial information, but also
addresses the accuracy of other data elements.

•

Controls over integrity of processing and data files – These
controls, if deficient, could nullify each of the above control types and
allow the occurrence of unauthorized transactions, as well as contribute
to incomplete and inaccurate data.

68

4.1

AUTHORIZATION CONTROLS (AN)

Only authorized transactions should be entered into the application system
and processed by the computer.
Critical Elements
AN-1 All data are authorized before entering the application system
AN-2 Restrict data entry terminals to authorized users for authorized
purposes
AN-3 Master files and exception reporting help ensure all data are
processed and are authorized

Critica l Element AN-1: All data are authorized before entering the
application system

Data should be authorized before it is entered into the application system.
Federal financial management systems are often characterized as large
complex ‘legacy’ systems and often involve a multitude of documents that
flow through various work steps. Paper source documents still play a
significant role for originating data that enter application systems in the
federal government. These source documents should fall under control
measures so that unauthorized transactions are not submitted to and
processed by the application. Also, data – whether from a source document
or not – should undergo an independent or supervisory review prior to
entering the application.
AN-1.1 Source documents are controlled and require authorizing
signatures
Control over source documents should begin even before data is recorded on
the document. Access restrictions over blank source documents should
prevent unauthorized personnel from obtaining a blank source document,
recording unauthorized information, and inserting the document in the flow
with authorized documents and possibly causing a fraudulent or malicious
transaction to occur. Use of pre-numbered source documents could help
identify unauthorized documents that fall outside the range of authorized
numbers for documents being prepared for data entry.

69

Key source documents for an application should require an authorizing
signature, and the document should provide space for the signature by an
authorized official.
AN-1.2 Supervisory or independent reviews of data occur before
entering the application system.
Providing supervisory or independent review of data before entering the
application system helps prevent the occurrence of unauthorized
transactions. A data control unit is effective for this purpose and this
function has evolved as technology has advanced. With earlier systems,
source documents were batched in the user department and sent to a data
control unit that was organizationally under the information systems
department. This unit monitored data entry and processing of the
documents, seeing that all batches were received, entered, and processed
completely. In addition, personnel in this unit verified that each source
document was properly prepared and authorized before the data on the
document was entered into the system.
This function has migrated to the user department as it gained access to
application systems through computer terminals. Several or more personnel
in the user department may now enter source documents into a transaction
file that is not released for processing until a supervisory or independent
review occurs. A user department control unit may have the responsibility
to see that entered transactions are supported by a source document that
contains a valid authorizing signature. Also, supervisors in the user
department may hold this responsibility. These application systems may
have a separate authorization screen accessed by computer terminal, by
control unit, or by supervisory personnel. After verifying the input
transactions, the control unit or supervisory personnel enter the required
authorization and release the data for further processing.
Critical Element AN-2: Restrict data entry terminals to authorized
users for authorized purposes

The integrity of application data can be compromised by unauthorized
personnel who have unrestricted access to data entry terminals, as well as
by authorized users who are not restricted in what transactions they can
enter. Without limits, unauthorized personnel and authorized users could
enter fraudulent or malicious transactions. To counter this risk, both
physical and logical controls are needed to restrict data entry terminals to
authorized users for authorized purposes.
70

AN-2.1 Data entry terminals are secured and restricted to authorized
users
Data entry terminals should be located in physically secure rooms. When
terminals are not in use, these rooms should be locked, or the terminals
themselves should be capable of being secured to prevent unauthorized use.
Supervisors should sign on to each terminal device, or authorize terminal
usage from a program file server, before an operator can sign on to begin
work for the day. Each operator should be required to use a unique
password and identification code before being granted access to the system.
Data entry terminals should be connected to the system only during
specified periods of the day, which corresponds with the business hours of
the data entry personnel. Each terminal should automatically disconnect
from the system when not used after a specified period of time.
Where dial-up access is used to connect terminals to the system, connection
should not be completed until the system calls back to the terminal. These
terminals should generate a unique identifier code for computer verification.
Such procedures help limit access to known, authorized terminals.
On-line access logs should be maintained by the system, for example,
through the use of security software, and should be reviewed regularly for
unauthorized access attempts. All transactions should be logged as they are
entered, along with the terminal ID that was used, and the ID of the person
entering the data. This builds an audit trail and helps hold personnel
accountable for the data they enter.
4.2

COMPLETENESS CONTROLS (CP)

All authorized transactions should be entered into and completely processed
by the computer.
Critical Elements
CP-1 All authorized transactions are entered into and processed by the
computer
CP-2 Reconciliations are performed to verify data completeness

71

Critical Element CP-1: All authorized transactions are entered into
and processed by the computer

A control for completeness is one of the most basic application controls, but
is essential to ensure that all transactions are processed, and missing or
duplicate transactions are identified. The most commonly encountered
controls for completeness include the use of record counts and control totals,
computer sequence checking, computer matching of transaction data with
data in a master or suspense file, and checking of reports for transaction
data.
CP-1.2 Computer sequence checking
This control begins by providing each transaction with a unique sequential
number. Some transactions originate on source documents with
preassigned serial numbers. This number should be entered into the
computer along with the other data on the transaction. The computer can
identify numbers missing from the sequence and provide a report of those
numbers. The missing numbers should be investigated to determine
whether they are numbers for voided source documents, or are valid
documents that may have been lost or misplaced.
For transactions not on source documents with preassigned serial numbers,
the computer can assign a unique sequential number as the data is entered.
At a later point in processing, such as when transaction data updates a
master file, the computer can verify that all numbers are accounted for.
Again, missing numbers are reported for investigation.
Sequence checking is also valuable in identifying duplicate transactions. For
example, two transactions with the same preassigned serial number for a
source document would indicate that the transaction had been erroneously
entered a second time. As another example, a file of sequential numbers for
purchase orders could help prevent paying for the purchase more than once.
After the purchased goods and vendor’s bill are received, a payment
transaction with the purchase order number would be matched with the file
containing all purchase order numbers, and an indicator for the payment
would be recorded on the file for that purchase. The payment indicator
would cause following payment transactions for the same purchase order to
be rejected and reported for investigation.

72

4.3

ACCURACY CONTROLS (AY)

The recording of valid and accurate data into an application system is
essential to provide for an effective system that produces reliable results.
CRITICAL ELEMENTS
AY-1
AY-2
AY-3
AY-4

Data entry design features contribute to data accuracy
Data validation and editing are performed to identify erroneous data
Erroneous data are captured, reported, investigated, and corrected
Output reports are reviewed to help maintain data accuracy and
validity

Critical Element AY-3: Erroneous data are captured, reported,
investigated, and corrected
Transactions detected with errors need to be controlled to ensure that they
are corrected and reentered in a timely manner. During data entry,
particularly with more modern systems, an error can be identified and
corrected at the data entry terminal. With errors identified during the data
processing cycle, however, a break generally has been made from the data
entry terminal. Therefore, errors identified cannot be communicated in a
real-time mode back to personnel entering the data for immediate
correction. An automated error suspense file is an essential element to
controlling these data errors, and the errors need to be effectively reported
back to the user department for investigation and correction.
AY-3.2 Erroneous data are reported back to the user department for
investigation and correction
Systems that allow user groups to enter data at a computer terminal often
allow data to be edited as it is entered, and generally the systems allow
immediate correction of errors as they are identified. Error messages should
clearly indicate what the error is and what corrective action is necessary.
Errors identified at a later point in processing should be reported to the user
originating the transaction for correction.
Some systems may use error reports to communicate to the user
department the rejected transactions in need of correction. More modern
systems will provide user departments’ access to a file containing erroneous
transactions. Using a computer terminal, users can initiate corrective
actions. Again, error messages should clearly indicate what the error is and
73

what corrective action is necessary. The user responsible for originating the
transaction should be responsible for correcting the error. All corrections
should be reviewed and approved by supervisors before being reentered into
the system, or released for processing if corrected from a computer
terminal.
Critical Element AY-4: Output reports are reviewed to help
maintain data accuracy and validity

Output can be in several forms, including printed reports, data accessible
on-line by users, and computer files that will be used in a later processing
cycle, or by other programs in the application. Output should be reviewed
and control information should be reconciled to determine whether errors
occurred during processing. Various reports are typically produced by
application systems that, if reviewed, help maintain the data’s accuracy and
validity. Production and distribution of these reports need to be controlled,
and to be effective, they need to be reviewed by user department personnel.
AY-4.1 Control output production and distribution
Someone should be assigned responsibilities for seeing that all outputs are
produced and distributed in accordance with the requirements and design of
the application system. In larger organizations with mainframe computer
environments, this responsibility is typically assigned as part of the
responsibilities of a data control group, which falls within the information
systems department. This group, or some alternative, should maintain a
schedule by application that shows the output products produced, when they
should be completed, whom the recipients are, the copies needed, and when
they are to be distributed. The group should review output products for
general acceptability and reconcile control information to determine the
completeness of processing.
Printed reports should contain proper identification, including a title page
with the report name, time and date of production, and the processing
period covered by the report. Reports should also have an “end-of-report”
message to positively indicate the end of a report. A report may have pages
missing at the end of the report, which may go undetected without this type
of message. Controls and procedures are needed to ensure the proper
distribution of output to authorized users. Without control over distribution,
users may not receive needed output in a timely manner, and unauthorized
persons may gain access to output containing privacy or sensitive
information. Each output should be logged, manually if not done
74

automatically, along with the recipients of the output, including outputs that
are transmitted to a user’s terminal device. For these transmissions, the
computer system should automatically check the output message before
displaying, writing, or printing to make sure the output has not reached the
wrong terminal device. In the user department, outputs transmitted should
be summarized daily and printed for each terminal device, and reviewed by
supervisors.
Occasionally, errors may be identified in output products requiring corrective
action, including possibly rerunning application programs to produce the
correct product. A control log of output product errors should be
maintained, including the corrective actions taken. Output from reruns
should be subjected to the same quality review as the original output.

4.4

CONTROLS OVER INTEGRITY OF PROCESSING AND DATA FILES

Examples of items to cover:
•

Procedures ensure that the current versions of production
programs and data files are used during processing.

•

Programs include routines to verify that the proper version of the
computer file is used during processing.

•

Programs include routines for checking internal file header labels
before processing.

•

The application protects against concurrent file updates.

75

APPENDIX 7
GENERAL ACCOUNTING OFFICE
ASSESSING THE RELIABILITY OF COMPUTER-PROCESSED DATA
DATA INTEGRITY ASSESSMENT GUIDELINES
Data reliability refers to the accuracy and completeness of
computer-processed data, given the intended purposes for use.
Computer-processed data include data (1) entered into a computer
system and (2) resulting from computer processing. Computer-processed
data can vary in form – from electronic files to tables in published
reports. The definition of computer-processed data is therefore broad. In
this guidance, the term data always refers to computer-processed data.
The “Yellow Book” requires that a data reliability assessment be
performed for all data used as support for engagement findings,
conclusions, or recommendations.19 This guidance will help you to design
a data reliability assessment appropriate for the purposes of the
engagement and then to evaluate the results of the assessment.
Data are reliable when they are (1) complete (they contain all of
the data elements and records needed for the engagement) and (2)
accurate (they reflect the data entered at the source or, if available, in
the source documents). 20, 21 A subcategory of accuracy is consistency.
Consistency refers to the need to obtain and use data that are clear and
well-defined enough to yield similar results in similar analyses. For
example, if data are entered at multiple sites, inconsistent interpretation
of data rules can lead to data that, taken as a whole, are unreliable.
Reliability also means that for any computer processing of the data
elements used, the results are reasonably complete and accurate, meet
your intended purposes, and are not subject to inappropriate alteration.

19

The GAO’s “Government Auditing Standards,” 2003 Revision, commonly
referred to as the “Yellow Book” sets forth generally accepted government auditing
standards for use by government auditors.
20

A data element is a unit of information with definable parameters (for example,
a social security number), sometimes referred to as a data variable or data field.
21

Source document. Information that is the basis for entry of data into a

computer.

76

APPENDIX 8

ACRONYMS AND ABBREVIATIONS
ABS
BOP
CSSO
D/AZ
DBMS
DC/DC
Department
DO
DOB
E/PA
E/VA
FBI
FD-129
FISCAM
FISMA
GAO
J&C
MNet
N/IL
NIST
OIG
OMB
PTS
PSD
SDLC
S/FL
S/NY
SP
S/TX
SSN
U.S.C.
USERID
USM
USM-552/553
USMS
USM-129
USM-312
WT-J/C

Automated Booking Station
Federal Bureau of Prisons
Computer Systems Security Officer
District of Arizona
Database Management System
District Court for the District of Columbia
Department of Justice
District Office
Date of Birth
Eastern District of Pennsylvania
Eastern District of Virginia
Federal Bureau of Investigation
FBI Fingerprint Cards
Federal Information System Controls Audit Manual
Federal Information Security Management Act
General Accounting Office
Judgment and Commitment Order
Marshals Network
Northern District of Illinois
National Institute of Standards and Technology
Office of the Inspector General
Office of Management and Budget
Prisoner Tracking System
Prisoner Services Division
Software Development Life Cycle
Southern District of Florida
Southern District of New York
Special Publication
Southern District of Texas
Social Security Number
United States Code
User identification
United States Marshals
Medical Summary of Federal Prisoner/Alien in Transit
United States Marshals Service
United States Marshals Service-129 Prisoner Intake Form
United States Marshals Service-312 Personal History Form
Waiting Judgment and Commitment Order

77

APPENDIX 9

GENERAL CONTROLS CRITERIA
1.

Privacy Act of 1974, Public Law 93-579

2.

Computer Fraud & Abuse Act of 1986, as amended, Public Law 99-474

3.

Computer Security Act of 1987, Public Law 100-235

4.

Paperwork Reduction Act of 1978, as amended in 1995, U.S. Code 44
Chapter 35

5.

OMB Circular A-130, “Management of Federal Information Resources,”
Section 6, “Definitions” and Section 8, “Policy”

6.

OMB Circular A-130, Appendix III, “Security of Federal Automated
Information Resources,” Section A, “Requirements” and B, “Descriptive
Information”

7.

The GAO’s Federal Information System Controls Audit Manual,
Chapter 3, “Evaluating and Testing General Controls”

8.

Department of Justice Order 2640.2E, Information Technology Security,
Chapter 1, “Security Program Management” and Chapter 2, “Security
Requirements”

9.

National Institute of Standards and Technology, Special Publication
800-12, “An Introduction to Computer Security: The NIST Handbook”

10.

National Institute of Standards and Technology, Special Publication
800-18, “Guide for Developing Security Plans for Information
Technology Systems”

11.

National Institute of Standards and Technology, Special Publication
800-34, “Contingency Planning Guide for Information Technology
Systems”

12.

National Institute of Standards and Technology, Special Publication
800-40

13.

National Institute of Standards and Technology, Federal Information
Processing Standards Publication 73, Section 3.1.1

78

APPENDIX 10
APPLICATION CONTROLS CRITERIA
1.

The GAO’s Federal Information System Controls Audit Manual,
Chapter 4, “Evaluating and Testing Application Controls”

2.

Department of Justice Order 2640.2E, Information Technology
Security, Chapter 2, “Security Requirements,” Section 16, “Access
Control;” 18.h., “Accountability and Audit Trails;” 23, “Assignment
and Segregation of Duties”

3.

OMB Circular A-130, “Management of Federal Information
Resources,” Section 6, “Definitions” and Section 8, “Policy”

4.

OMB Circular A-130, Appendix III, “Security of Federal Automated
Information Resources,” Section A.3.b.2., “Application Security
Plan” and B.b.2.g., “Public Access Controls”

5.

OMB Circular A-130, Appendix IV, “Analysis of Key Sections,”
Analysis, Section 8a(4), “Records Management” and “Training”

6.

National Institute of Standards and Technology, Special Publication
800-12, “An Introduction to Computer Security: The NIST
Handbook,” Chapter 4, “Common Threats,” 1. “Errors and
Omissions”

7.

National Institute of Standards and Technology, Special Publication
800-18, “Guide for Developing Security Plans for Information
Technology Systems”

8.

National Institute of Standards and Technology, Special Publication
800-53, “Recommended Security Controls,” SI-2.b “Personnel
Supervision;” SI-5.e.MP-1e, “Media Access;” and SI-5.e,
“Validation of Mission Processing, Output”

9.

National Institute of Standards and Technology, Special Publication
800-64, “Security Considerations in the Information System
Development Life Cycle,” B.10.3, “Auditing”

10.

National Institute of Standards and Technology, Federal
Information Processing Standards Publication 73, Section 3.1,
“Data Validation”

11.

The USMS’s Prisoner Tracking System Contingency Plan, Version
1.08, dated June 2003
79

12.

The USMS’s “Cellblock Operations” Directive 99-47, “Prisoner
Tracking System (PTS) and Appendix B – “Records to be
Maintained in the USM-123 File”

13.

The USMS’s “Prisoner Tracking System User Manual,” dated June
2003

14.

The USMS’s “PTS System Security Guide,” dated June 2003

15.

The “USMS System Security Plan for the Prisoner Tracking System
(PTS)/USMS Automated Booking Station (USMS-ABS),” Version 1.05,
dated June 2003

16.

The USMS’s Security Evaluation Report dated June 2003

80

APPENDIX 11
DATA INTEGRITY ASSESSMENT CRITERIA
1. “Assessing the Reliability of Computer-Processed Data,”
GAO-03-273G, October 2002
2. National Institute of Standards and Technology, Special Publication
800-12, “An Introduction to Computer Security: The NIST
Handbook,” 1.4, “Important Terminology”

81

APPENDIX 12

82

83

84

85

86

87

88

89

90

OIG Note: Additional attachments to the consolidated response were
too voluminous to incorporate into this report. The attachments may
be obtained by contacting the United States Marshals Service.

91

APPENDIX 13
OFFICE OF THE INSPECTOR GENERAL, AUDIT DIVISION,
ANALYSIS AND SUMMARY OF ACTIONS NECESSARY
TO CLOSE THE REPORT
The USMS’s response to the audit (Appendix 12) describes the
actions taken or plans for implementing our recommendations. In
some cases, we made revisions to our final report where appropriate.
This appendix summarizes our response and the actions necessary to
close the report. In addition to responding to the recommendations
the USMS stated in the second paragraph of the cover memorandum
“For purposes of accuracy, please note that Page 1 of the report
includes dollar figures ascribed to PTS, with Footnote 7 reporting these
figures to be derived from budget requests submitted to OMB and
JMD. These figures are not consistent with what USMS has submitted
through the budget process. We are at OIG’s disposal to discuss the
figures reported and provide the information we believe to be
accurate.”
We requested operating cost information for the PTS on two
occasions from USMS representatives prior to the issuance of the PTS
draft report. On the first occasion, February 24, 2004, we sent a
written request to the USMS Planning and Analysis Branch requesting
budget information. During our second attempt on February 25, 2004,
we sent a request to a USMS IT Services representative who replied
that he had “passed the request on to the USMS budget people.” We
informed the USMS that this information would be used in the draft
report and that the request was time sensitive since we were in the
final stages of writing the draft report. Because we were not provided
with information from either of the USMS contacts, we contacted the
Justice Management Division to determine if any historical budget
information existed in their files. On March 8, 2004, the Justice
Management Division provided the information used in the report .
According to JMD’s representative, “The official source of the
information are exhibit 300 or 53 reports prepared by the component
that are on file in our office.” Therefore, the OIG did not dispute the
accuracy of the information since we were informed that it originated
from the USMS.
Because the USMS expressed concern that the costs provided by
the JMD were not accurate, we again contacted the USMS on July 12,
2004, to obtain the operating costs the USMS believed to be accurate
for PTS. On July 21, 2004, the USMS provided an email containing
92

cost information for which we subsequently requested the supporting
documentation such as an exhibit 300 or 53 report. However, the
USMS could not provide any supporting budget documentation to
substantiate the figures it provided. Therefore, the operating cost
information previously provided by JMD will remain in the report as the
official and best available data for the PTS.
With respect to our recommendations, the USMS frequently
disagreed or the corrective action proposed by the USMS was not
sufficient to address our recommendations. For these reasons,
recommendations 3, 4, 5, 6, 8, 9, 10, 12, 13, 14, 17, and 18 are
unresolved. The status of each recommendation follows:
Recommendation Number:
1. Closed. The USMS provided a copy of a signed memorandum
dated April 30, 2004, designating an Information Systems Security
Officer (ISSO) for the PTS. As a result of the USMS actions, we
consider this recommendation closed.
2. Resolved. The USMS states that the future Justice Detainee
Information System (JDIS) will include a training module for the
PTS application. To close this recommendation, the USMS should
provide milestones for its implementation to us with evidence that
the training module for PTS is or has been developed.
3. Unresolved. The USMS requested additional information
pertaining to which system administrators lacked adequate training
and expertise regarding their knowledge of the PTS’s hardware and
software environment. The USMS believed that this finding was
noted because the OIG may have interviewed the wrong personnel.
As we stated at our exit conference with the USMS, in planning our
site visits, we first contacted each affected district office and
requested the following individuals be made available for meetings
or interviews: the U.S. Marshal (or designee), system
administrator, and criminal clerk. At the Eastern District of
Virginia, we were directed to an individual whom we were told was
performing system administrator duties. As the interview
progressed, however, we learned that the individual was
performing some system administrator duties, but that the system
administrator responsible for the site was physically located at the
District Court for the District of Columbia. While at the Eastern
District of Virginia, we gathered the information this individual
93

could provide and subsequently interviewed the responsible system
administrator. We did not, however, interview the administrative
officer in lieu of the system administrator. Rather, we were initially
misdirected and subsequently spoke to the system administrator
responsible for the office. When we spoke to the system
administrator who represented the site in question, we still found
deficiencies with the system administrator’s knowledge.
As stated in the final report, the system administrator position
description provided by the USMS states that system
administrators are responsible for “operating, troubleshooting,
repairing, and maintaining IT systems.” Additionally, the position
description states that employees must possess the requisite
technical knowledge to sustain the availability of the hardware and
software environment and be competent to maintain operating
systems, applications, and data elements. According to the USMS
headquarters, system administrators within the district offices are
responsible for adding and deleting user names from the PTS
authorized user list. However, we found specific problems at the
sites indicated below:

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

x

When we requested to speak to the system administrator at the
Eastern District of Virginia, we were directed to the administrative
officer. The administrative officer was performing cursory system
administrator duties and he did not know where the PTS database
94

D/AZ

x

S/FL

x

N/IL

S/NY

x

S/TX

E/PA

System Administrators lacked knowledge of
the PTS change control process
System Administrators were unfamiliar with
the PTS application’s timeout period
System Administrators were unfamiliar with
the PTS application’s master files
System Administrators did not know the
version number of PTS running on the
District Office’s server
System Administrators did not know how to
delete user names from the PTS authorized
user list
Source: OIG working papers

DC/DC

Specific Deficiencies

E/VA

Deficiencies Found Pertaining to System Administrator
Training and Expertise

x

for the district office was located. We subsequently interviewed
the system administrator, whom we located at the District Court
for the District of Columbia, and found that she did not know how
to delete names from the user list, among other things.
The areas identified in the previous chart represent facets of
requisite technical knowledge that enable system administrators to
effectively sustain the availability of the hardware and software
environment and demonstrate competence in maintaining
operating systems, applications, and data elements.
In order to resolve and close this recommendation, the USMS
should provide documented evidence to us that individuals
performing system administrator duties are properly trained in
their responsibilities.
4. Unresolved. The USMS’s response asserts that there is no
Department or federal security requirement to maintain user lists
at both the USMS district offices and at USMS headquarters. The
USMS response does not address our recommendation. Our
recommendation speaks to the condition that the PTS authorized
user list provided by the USMS headquarters contained information
that, once verified at the site, possessed multiple inaccuracies.
Appendices 5 and 6 of this report contain excerpts from Chapters 3
and 4 of the GAO’s FISCAM, which we used as guidance for the
development of the audit program followed during the audit.
Pages 54 through 55 of the final report provide the specific FISCAM
requirement that the computer resource owner should maintain a
current list of authorized users and ensure that their access is
authorized. We did not recommend that separate lists be
maintained. Separate lists exist because the USMS headquarters
has delegated the user management responsibility to the district
offices (DOs). This does not absolve the USMS headquarters from
its responsibility as data owners to maintain a current list of
authorized users and ensure that their access is authorized.
Additionally, the Department’s Order 2640.2E requires that each
authorized user of a system have a unique identifier. In the case
of the authorized user list provided by USMS headquarters, entries
were found to be outdated and did not reflect a replication of
changes, additions, and deletions made at the district offices we
visited. Our report details the nature and frequency of errors
found during our user list review at each site. In order to resolve
and close this recommendation, the USMS should provide evidence
95

to us that the access authorizations for the PTS are reviewed and
that USMS headquarters updates its authorized PTS user list in a
timely manner to incorporate changes from the DOs.
5. Unresolved. As we stated at our exit conference, we found that
the lock on the door to the office suite containing data terminals,
prisoner file folders, printed output reports, and other sensitive
information was not engaged at the District Court for the District of
Columbia location. During our visit, we were able to gain access to
this area from the hallway in a building accessed by the public, and
at the time, no one assigned to the district office was present in
the area. Although physical security is provided at the entrance to
the building, private citizens are unescorted once they enter the
building, which presents a serious threat to the protection of
sensitive information. We agree that this condition occurred at
only one of the eight sites reviewed. However, we found that the
means for providing adequate physical security was present and a
lock was on the door. Unfortunately, the office failed to exercise
due diligence to ensure its use. Additionally, this condition was in
sharp contrast to the high levels of security observed at the other
seven sites visited. In order to resolve and close this
recommendation, the USMS should provide us with documented
evidence that existing measures, such as door locks, are used to
provide protection against unauthorized access to sensitive areas.
6. Unresolved. The USMS response states that system change
request instructions for the PTS application have been sufficiently
disseminated to users of the application. The USMS headquarters
informed us prior to our site visits of the systems development life
cycle (SDLC) process in place that contains system change request
instructions. Although the USMS feels that users have been
sufficiently notified of existing policies, our observations proved
different. As stated previously, we followed an audit program in
which identical questions were asked of individuals representing
specific positions within the district office. Specifically, we asked
those most familiar with the application, the criminal clerk and the
system administrator, how changes were requested to the PTS
application. We found at all eight of the locations visited, the
Eastern District of Virginia; the District Court for the District of
Columbia; the Eastern District of Pennsylvania; the Southern
District of New York; the Southern District of Texas; the Northern
District of Illinois; the Southern District of Florida; and the District
of Arizona, that knowledge of the official change control process for
the PTS application was deficient. In most cases, neither the
96

system administrator nor the criminal clerk were aware of the
existence of a change request form or how to process a request
according to the existing policy.
Also in the USMS’s response to recommendation 6, the USMS
states that the audit report text does not substantiate the
information in the last paragraph of page 12 of the draft report
where the discussion of the ineffective management of
modifications to application software is expanded to include
unauthorized changes made by knowledgeable programmers. On
page 16 of our report, we state that, “At the USMS’s headquarters,
only one individual is assigned to code, test, and implement
changes to the PTS application.” This example substantiates the
audit report text because according to the Department’s Order
2640.2E, components are directed to integrate security into various
stages of a system’s life cycle and to ensure that changes to any
system are controlled. Changes to a system include changes
requested by users as well as changes made by knowledgeable
programmers. We presented this information on page 16 under
Segregation of Duties because it represented a good example of
failure to segregate duties among staff although it also applies to
the ineffective management of modifications to application
software. We disagree that this vulnerability should be excluded
from the report. In order to resolve and close this
recommendation, the USMS should provide documented evidence
to us that PTS users are informed of the policies and procedures for
requesting changes to the application.
7. Resolved. The USMS states that it has taken steps through the
development of JDIS to address the problem of PTS’s outdated
programming software and database management system. In
order to close this recommendation, the USMS should provide
documented evidence to us that the outdated versions of the PTS’s
application programming software and database management
system have been removed from the production environment and
replaced with current versions that are supported by the vendor.
8. Unresolved. The USMS provided an attachment to its response to
demonstrate that duties have been segregated to minimize
functional incompatibility. The attachment lists duties for positions
within the USMS such as end users, system administrators, and the
information systems security officer as they relate to computer
security. While valuable, the information only partially addresses
the conditions described on pages 15 through 17 of the report that
97

enumerate problems with procedures that affect critical processes
performed by the PTS application’s end users and the application
programmer.
In this report, we provide the FISCAM guidance under the
“Segregation of Duties” section that requires entities not only to
segregate incompatible duties, but also to establish related
policies. We also provide FISCAM guidance that requires entities to
control personnel activities through formal operating procedures
and supervision and review. Our recommendation applies to our
observations during field site visits that duties were not sufficiently
segregated among staff and that sufficient procedural guidance
does not exist for the record creation process. Specifically, district
office operations allow an end user to create a prisoner record,
manipulate that record, and commit changes to information
contained in the PTS database with no management oversight or
approval prior to the completion of a transaction, or shortly
thereafter. This condition creates the situation where a single
individual has complete control over the input, processing, and
output stages of the information cycle. We also provided the
example of the condition existing at USMS headquarters wherein
one individual can code, test, and implement software changes
thereby having complete control over the PTS’s system life cycle.
We have reviewed the information provided as Attachment 2 to the
USMS response. The additional procedural steps added to the
Cellblock Operations Manual 99-47 address the conditions
described in this report pertaining to controlling personnel activities
through formal operating procedures. However, none of the
information provided ensures that duties affecting the application’s
life cycle are sufficiently segregated or that supervisory review of
data is assigned to anyone at the district office level. In order to
resolve and close this recommendation, the USMS should provide
to us documented evidence that policies and procedures for
segregating duties are developed and enforced to provide
assurance that distinct functions are performed by different
individuals and that no individual has complete control over the
PTS’s processing functions.
9a. Unresolved. The USMS contends that system administrators are
fully aware of required actions and responsibilities in the event of
an emergency situation and the USMS requested that we provide
specific examples of where this may not be accurate. We
reviewed both the USMS system security plan for the PTS
98

application and the contingency plan for the application in order to
gain an understanding of emergency procedures in place to protect
the application and minimize service interruptions. We found that
emergency procedures and contact information established for the
PTS application are contained in the contingency plan for the
application; however, the USMS headquarters confirmed that it had
not disseminated the contingency plan to the district offices. We
found that none of the system administrators at the sites had been
provided a copy of the contingency plan containing emergency
procedures and contact information. In addition, we found that the
USMS has not tested the contingency plan for PTS to actually verify
that employees can perform their necessary duties in the event of
an emergency. We found the following conditions at the sites
indicated in the chart below:

N/IL

S/FL

D/AZ

x
x

S/TX

No knowledge of the existing contingency
plan
Source: OIG working papers

S/NY

No emergency contact list on site

E/PA

Specific Conditions

DC/DC

E/VA

Emergency Procedures Deficiencies

x

x
x

x
x

x
x

x
x

x
x

x

In order to resolve and close this recommendation, the USMS
should provide evidence to us that it has tested the contingency
plan and disseminated the plan to system administrators to ensure
that employees involved in emergency response procedures are
identified and trained in their emergency roles and responsibilities.
9b. Unresolved. The USMS provided information regarding the
location of its contingency plans on the USMS intranet. However,
this electronic posting does not provide assurance that in the event
of an emergency where access to files located on network servers
are not available, that individuals at the site would know who to
contact. In order to resolve and close this recommendation, the
USMS should provide to us documented evidence that emergency
contact lists are maintained on-site.
10. Unresolved. The USMS requested additional information
regarding specific sites where backup tapes were not being rotated
off-site. We found that this condition existed at the Eastern
99

District of Pennsylvania and the Southern District of New York. The
USMS provided a corrective action plan to reinforce backup tape
rotation policies at the locations identified. In order to resolve and
close this recommendation, the USMS should provide us with
documented evidence that PTS’s backup tapes are properly rotated
and stored at an off-site location.
11. Resolved. The USMS states that the PTS contingency plan will be
tested, but does not specify a milestone date for this action. In
order to close this recommendation, the USMS should provide us a
milestone date for the annual testing of the PTS contingency plan
as required by the Department and confirmation of the results of
the test once completed.
12a.

Unresolved. The USMS states that key source document
requirements are already in place and that district office
management will be directed to review data collection activities.
We agree that modifications made to the Cellblock Operations
Manual 99-47 provide guidance to improve data collection
procedures. However, the revised Cellblock Operations Manual
does not define, specifically, the minimum source documents
required during the record creation process, such as two
photographs of the inmate to aid the USMS with proper inmate
identification and the medical form USM-552 to document health
related issues disclosed during the initial interview with the inmate.
In order to resolve and close this recommendation, the USMS
should provide evidence to us that policies and procedures to
establish key source document requirements have been developed.

12b.

Unresolved. The USMS states that the record creation process is
standardized throughout the USMS and states that the PTS User’s
Manual and associated policy directives address this condi tion.
However, during our site visits we found that the USMS had not
established controls over source documents nor provided for their
proper authorization because the USMS had not provided adequate
data rules for employees or set standards for consistency during
the record creation process. In order to resolve and close this
recommendation, the USMS should provide evidence to us that
policies and procedures were developed to standardize the record
creation process throughout the USMS for the PTS.

13. Unresolved. The USMS’s response states that the OIG calls for a
supervisor to sign off on a handwritten USM-129/312. This is not
an accurate interpretation of our recommendation. We
100

recommended that a “control” be implemented to ensure that
transactions are supported by properly authorized source
documents, but we did not mandate that supervisors sign off on
handwritten USM-129/312s. In the report, we simply presented
supervisory authorizations on source documents as an example of
a control. We observed at the Eastern District of Virginia that the
handwritten USM-129 was used as a form of authorization control
and offered this as an example of what worked effectively at one
office, but did not suggest this practice as an overall solution. The
determination of what specific control would be feasible for
implementation throughout the USMS was left to the discretion of
the USMS. To resolve and close this recommendation, the USMS
should provide us with documented evidence that it has
implemented a control to ensure that before information is entered
into the system, transactions are supported by properly authorized
source documents.
14. Unresolved. The USMS agrees that sufficient auditing is not
conducted, but states that this deficiency is not due to the lack of
management’s requirement to do so. We reviewed the certification
and accreditation documentation for the PTS application provided
by the USMS in June 2003. On Form 6, Item 14a and b of the Risk
Assessment Report for PTS/USMS-ABS dated June 2003, the USMS
responded affirmatively that it has defined audit requirements for
the PTS application and that the application has the capability to
identify the creator of data and processes. In order to resolve and
close this recommendation, the USMS should provide
documentation to us evidencing that audit trails for the PTS
application are maintained and reviewed as required by the
Department.
15. Resolved. The USMS states that global database searches will be
possible through the upcoming JDIS initiative. In order to close
this recommendation, the USMS should provide documented
evidence to us indicating that the PTS application has been
modified to perform automatic global database searches of all its
district office databases.
16. Resolved. The USMS indicates that erroneous data is collected
through jail utilization and population projection reports reviewed
by the Prisoner Services Division. The USMS does not indicate,
however, what types of erroneous data are captured or what
actions are taken to correct and investigate such data. Specifically,
this audit report refers to the need to collect and review
101

information on erroneous data, such as rejected transactions and
input errors or omissions, to determine if errors cause threats to
the PTS application or render the system vulnerable to
compromise. Our findings indicate that all eight sites visited failed
to collect statistics on the frequency of error messages generated
by the system. In order to close this recommendation, the USMS
should provide to us documented evidence of how erroneous data
is collected and reported back to the USMS management for
investigation and correction.
17. Unresolved. The USMS contends that there is no “unauthorized”
employee from which sensitive privacy information should be
protected and asserts that a background investigation suffices as
authorization to access PTS data. However, an examination of
PTS’s certification and accreditation documents indicates that the
USMS does distinguish between “authorized” and “unauthorized”
users.
Specifically, in the PTS/USMS-ABS System Security Plan, Section
1.8, System Interconnection/Information Sharing, the USMS states
that “Not all Marshals users are authorized access to PTS, but all
users who are authorized to connect to PTS do so through MNET.”
In the security plan’s Section 4. 2, Logical Access Controls, the
USMS explicitly states that “Controls exist in the PTS system to
authorize and restrict users from performing particular functions.”
The document further states that “Access rights are granted based
on the determination of USMS district management.”
In the PTS’s system security plan, section 1.10, General
Description of Information Sensitivity, the USMS defines the
requirement for confidentiality as high and further states that
“Inappropriate disclosure of the information of the information
could have negative impact on the safety of prisoners in USMS
custody and the law enforcement officials assigned to transport
and guard them. Furthermore, inappropriate disclosure could place
the families of prisoners in USMS custody at risk as well as USMS
employees assigned to protect and transport prisoners. All Privacy
Act information within PTS must be protected. . . The requirement
for confidentiality is HIGH.” Protection of system data includes
output reports and considering the USMS’s own categorization of
its requirement for confidentiality as high, USMS’s protection of
system output must be commensurate with its confidentiality
category. In order to resolve and close this recommendation, the
USMS should provide to us documented evidence that output
102

reports containing sensitive privacy information are protected from
unauthorized persons.
18. Unresolved. The USMS requests that additional information be
provided regarding instances where the PTS application allowed
simultaneous updates of the same record by more than one user.
We witnessed this condition at the following locations: the District
Court for the District of Columbia; the Eastern District of
Pennsylvania; the Southern District of New York; and the District of
Arizona. In order to resolve and close this recommendation, the
USMS should provide us documented evidence that each
installation of the PTS application protects against simultaneous
updates of the same record by more than one end-user.
19. Resolved. The USMS agrees with our recommendation that
adequate and proper source documents be maintained in prisoner
file folders to substantiate employee activities. The USMS
submitted a revised Cellblock Operations Manual 99-47 that
enumerates in Section C.3, Prisoner Records, specific documents
that must be maintained in prisoner files. In order to close this
recommendation, the USMS should provide documented evidence
to us that an internal review process has been formalized to ensure
that adequate and proper source documents be maintained in
prisoner file folders to substantiate employee activities.
20a.

Resolved. The USMS agrees with our recommendation to
implement integrity assurances and quality control measures to
require periodic spot-checking and validation of output from the
PTS. We have accepted the USMS’s proposed resolution to
Recommendation 19 that refers to Recommendation 12a. The
proposed resolution to Recommendation 12a states that the USMS
will include, during its Program Review’s internal audits, a review
of prisoner’s files to compare the contents with reports of the USM129/312 generated by PTS. In order to close this
recommendation, the USMS should provide documented evidence
to us that policies and procedures to implement quality control
measures require the periodic spot-checking and validation of
output from the PTS have been developed.

20b.

Resolved. As stated previously, we accept the USMS’s proposed
resolution to Recommendation 19 that refers to its proposed
resolution to Recommendation 12a. The proposed resolution to
Recommendation 12a states that output will be checked as a
requirement during Program review’s internal audits to confirm
103

that processing of information is correct. In order to close this
recommendation, the USMS should provide documented evidence
to us that policies and procedures have been developed to
implement quality control measures to confirm that the correct
information is processed in PTS.

104