FBI systems still need work, IG says

Department of Justice Inspector General report

The FBI's technology systems still suffer from weak security planning and management and inefficient access controls, according to a Justice Department Inspector General report released Oct. 14.

The bureau has been the subject of numerous information technology audits listing hundreds of recommendations over the years, and it needs a process to ensure those studies are followed up, the report says.

"For years, reviews have found major weaknesses associated with the FBI's IT," Inspector General Glenn Fine said in the report. "The FBI has made upgrading its [IT] one of its top 10 priorities."

Since September 2002, the FBI has been developing ways to document the audits and follow-up procedures, the report said. The FBI's Inspection Division developed a database — the Automated Response and Compliance System — to document and track data requests from auditors and provide the status of improvements.

FBI officials should develop procedures to follow up audit recommendations, and ensure the compliance system is complete, Fine said. The bureau should show that managers are held accountable for making changes by quickly closing auditors' recommendations, the report states.

The office interviewed personnel with the FBI, inspector general and General Accounting Office and reviewed more than 100 documents on the process for tracking the resolution of the recommendations, the report states.

Although the FBI has implemented many recommendations from inspector general reports since 1990, recent reviews found "repeated deficiencies" in compliance with information security requirements, the report states. As of April, the FBI had weaknesses in protecting sensitive information and guarding against fraudulent financial transactions or unauthorized software changes.

The inspector general also found the FBI fixed about one-fourth of the deficiencies cited in a fiscal 2001 audit on compliance with the Government Information Security Reform Act of 2000. However, the bureau still has problems with security policies, network backup and restoration controls, password management, log-on management, and system patches, Fine wrote.

The report also identifies two factors that could affect the success of the FBI's Virtual Case File system, the automated case support system to be completed in December as part of the bureau's Trilogy modernization project. The technical requirements have not been defined for the system's second and third releases, which could pose a problem, the report said.

"We believe the lack of technical, cost and schedule baselines not only creates uncertainties for how much the [system] will cost and when it will be completed, but also how it will perform upon implementation," Fine wrote.

Meeting the technical requirements and ensuring the system's acceptance by agents are necessary for its success, the report states.