Second Follow-up Audit Report on Department of Education Internal Controls Over Its Data Center

September 27, 2004 | 7F04-137

Audit Report In Brief

This second follow-up audit determined whether the Department of Education (DOE), formerly the Board of Education (the Board), implemented the 12 recommendations made in an earlier audit, Follow-up Audit Report of the Internal Controls of the Board of Education’s Data Center (Audit 7F01-113, issued May 8, 2001). We conducted this second follow-up audit because issues reported in our initial audit of the Board’s Data Center, Audit Report of the Internal Controls of the Board of Education’s Data Center (Audit 7A95-172, issued June 15, 1995), had not been fully resolved, and because a new issue was disclosed in the first follow-up audit.

The first follow-up audit found a number of weaknesses, including that the data center did not have an alternate-processing site and had not completed, formally approved, or updated its disaster recovery plan. In addition, the Board did not have a time-out function to limit computer access during extended periods of inactivity; did not have a method to detect unauthorized hardware and software use on its networks; and had not conducted penetration testing of its computer networks. Moreover, the Board had insufficient Internet connectivity security controls and did not sufficiently monitor firewall traffic. In this audit, we discuss the 12 recommendations made in the first follow-up report and the implementation status of each.

Audit Findings and Conclusions

DOE implemented one, partially implemented two, and did not implement nine of the 12 recommendations made in the previous audit. In this second follow-up audit, we found that DOE has installed time-out features for all on-line systems and has installed Internet security software to monitor the Internet activities of the instructional staff and to generate associated reports. To control access to undesirable Web sites, DOE has installed filtering software on all servers used for instructional purposes within schools. However, DOE still has not established sufficient Internet security controls for its administrative staff, does not conduct regular penetration testing of its computer networks, and does not monitor its firewall traffic. Moreover, DOE still has not established procedures to detect unauthorized hardware and software use on its networks.

In addition, DOE still does not have an alternate-processing site from which to resume data processing operations in the event of a disaster, nor a complete, formally approved, tested, and updated disaster recovery plan. However, DOE plans to consolidate its mainframe computer operations with those of the Department of Information Technology and Telecommunications (DoITT) by the end of calendar year 2004. Although DoITT will perform disaster recovery for DOE mainframe computer operations after the consolidation, DOE will remain responsible for disaster recovery of its own networks.

Other issues identified during this audit included weaknesses in system access controls and procedures.
