United States DEPARTMENT of Commerce

More documents

Recommendations

Info

M a n a g e m e n t D i s c u s s i o n a n d A n a l y s i s Internal Control Review: The Department conducted an internal control review for all 14 of its operating units that combined FISMA and FMFIA requirements. The review assessed the effectiveness of IT security controls, PII management, C&A, IT security training, contractor system oversight, and usage of a newly instituted Information Security Acquisitions Checklist. In addition to reviewing the operating units, two program level functions were reviewed—the IT security and the identity theft protection programs. OCIO found that the internal controls that were examined were generally effective. Plans to Further Strengthen IT Security in FY 2008 Notwithstanding these achievements, the Department believes that further enhancements are possible in implementing and managing secure system configurations, and in sustaining improvements in the C&A process to ensure quality work products for managing system security. To ensure consistent and repeatable processes, the following activities will continue to foster effective oversight of Department-wide IT security program implementation: The Department CIO will continue to provide input to the rating official for each operating unit CIO on their performance, a significant portion of which will relate to IT security. The Department CIO will remain actively involved in the review of proposed IT budget initiatives to ensure that IT security is adequately addressed and funded, and to assure sufficient planning for continuity of operations (COOP). The Commerce IT Review Board, chaired by the Department CIO and co-chaired by the Department’s Chief Financial Officer/ Assistant Secretary for Administration (CFO/ASA), will continue to evaluate proposed security plans for every IT project under consideration, including new initiatives and continuing IT projects. These reviews include examining the adequacy of IT security management and funding, and the involvement of IT project managers in spotlighting IT security concerns for their projects as a key part of their work. The Department CIO will continue conducting annual internal control reviews as needed to ensure FISMA and FMFIA compliance. Automated FISMA Tool: The Department has developed an implementation plan for an automated FISMA tool, which will enhance its integrity in managing IT risks, corrective action plans (CAP), and OMB reporting. Secure Configurations: Secure system configurations are an essential element in an IT security program and the Department has made it a critical element of its C&A quality improvement process. In the OIG’s FY 2007 FISMA evaluation, four of the six C&A packages that were submitted for their review had inadequate secure configuration settings. As a result, secure configurations will be stressed and incorporated as a critical process in the Department’s C&A Smart Spot-Checks. OCIO has also coordinated with the Department’s Office of Acquisition Management to ensure that the appropriate security clause is used to obtain secure operating systems upon the purchase of any Microsoft Windows or Intel-based system. To support the operating units’ schedules for the use of secure configurations in early FY 2008 for all Vista and XP devices, OCIO has begun to explore how it can assist with consistency and standardization across the Department. Selection is imminent of a lead operating unit to help guide this effort and reduce redundancy for the implementation of configurations for Windows, as well as other key operating systems and applications. 34 F Y 2 0 0 7 P E R F O R M A N C E A N D A C C O U N T A B I L I T Y R E P O R T
A P P E N D I X A : P E R F O R M A N C E A N D R E S O U R C E T A B L E S M a n a g e m e n t D i s c u s s i o n a n d A n a l y s i s Perimeter Protection, Critical Infrastructure, and Continuity of Operations (COOP): The Department’s IT infrastructure is comprised of a heterogeneous network of networks. To effectively manage its IT assets, the Department utilizes a Defense-in- Depth strategy, which involves people, process, and technology. The Department has implemented a baseline IT security policy and conducted oversight reviews to ensure sufficient security awareness training for employees and contractors with security responsibilities. From a technology perspective, the Department, through a federation of CIRTs, communicates and protects its network perimeters from malicious threats. The Department’s CIRT uses state of the art technologies—including forensic analysis tools, intrusion detection and protection devices, incident alert software, and log analysis tools—to protect the Department’s networks and users from cyber incidents. As incidents occur and are investigated, the Department’s CIRT coordinates efforts with the Department of Homeland Security, US-CERT, OIG, and the Department federation of CIRTs. The Department responded to and reported 533 incidents in FY 2007. The Department has selected an E-Team emergency management system to provide alert notification and task tracking capability throughout the organization. Several exercises have been conducted thus far with personnel trained on the use of the system. The Department also participated in the government-wide FY 2007 Pinnacle exercise in which OCIO responded to several incidents and tested communications capabilities between the normal operating location and alternate operating facilities. The Department conducts monthly COOP working group meetings to share information and to coordinate appropriate maintenance of COOP support plans. OCIO recently conducted situational awareness, and roles and responsibilities refresher training for all personnel in its organization. Personnel were updated on the tasks to be performed in the event of COOP activation, as well as the importance of personnel availability and sustainability to ensure the Department’s essential functions continue regardless of the nature of any event. Other Internal Control Enhancement Activities Continue The Department’s comprehensive effort to enhance management of internal controls under OMB Circular A-123 continued during FY 2007. Progress made in implementing Appendix A to OMB Circular A-123, which relates to financial internal controls, included the following: A three-year, risk-based rotational testing plan was developed based on the FY 2006 assessment of the key processes and results of previous audits. Under this approach, high-risk cycles will be tested annually and low to moderate-risk cycles will be tested every three years. Selected test procedures at certain locations or on certain sub-processes will be performed as often as needed based on specifically identified risks; and a limited controls review assessment survey will be utilized for cycles that are not tested in any given year. The Senior Management Council (SMC) continued to oversee, direct, and implement the assessment process, and the Senior Assessment Team (SAT) continued to develop planning documentation, administer internal control test plans, and monitor and review test work. Department-wide testing templates for selected key processes and sub-processes were updated, and the Departmental sampling plan was modified to ensure consistency, including the use of a statistical sample size generator. Department-wide testing results and work papers were reviewed and the structure, breadth, and depth of bureau-level documentation were assessed to ensure consistency and completeness. F Y 2 0 0 7 P E R F O R M A N C E A N D A C C O U N T A B I L I T Y R E P O R T 35
Page 1 and 2: United States DEPARTMENT of Commerc
Page 3 and 4: U.S. Department of Commerce FY 2007
Page 5 and 6: A P P E N D I X A : P E R F O R M A
Page 11 and 12: M a n ag e m e n t D i s c u s s i
Page 13 and 14: Number of Targets Number of Targets
Page 29 and 30: 1,653 892 A P P E N D I X A : P E R
Page 43: A P P E N D I X A : P E R F O R M A
Page 75 and 76: P e r f o r m a n c e S e c t i o n
Page 77 and 78: S t r at e g i c G oa l 1
Page 79 and 80: s t r a t e g i c g o a l 1 * P e r
Page 95 and 96:
s t r a t e g i c g o a l 1 * P e r
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
S t r at e g i c G oa l 2
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
S t r at e g i c G oa l 3
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
M a n ag e m e n t I n t e g r at i
Page 175 and 176:
M Aa Nn Aa Gg Ee Mm Ee Nn T t I Nn
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
M A N A G E M E N T I N T E G R A T
Page 183 and 184:
F i n a n c i a l S e c t i o n
Page 185:
F i n a n c i a l M a n ag e m e n
Page 188 and 189:
F i n a n c i a l M a n a g e m e n
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 203 and 204:
P R I N C I P A L F I N A N C I A L
Page 205 and 206:
P R I N C I P A L F I N A N C I A L
Page 207 and 208:
Notes to the Financial Statements (
Page 209 and 210:
N O T E S T O T H E F I N A N C I A
Page 211 and 212:
Page 213 and 214:
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261:
Consolidating Balance Sheet
Page 264 and 265:
C O N S O L I D A T I N G B A L A N
Page 267 and 268:
R e q u i r e d s u p p l e m e n t
Page 269 and 270:
R e q u i r e d s u p p l e m e n t
Page 271:
R e q u i r e d S u p p l e m e n t
Page 274 and 275:
R E Q U I R E D S U P P L E M E N T
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 285 and 286:
I n d e p e n d e n t A u d i t o r
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299:
A p p e n d i c e s
Page 302 and 303:
A P P E N D I X A : P E R F O R M A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Page 336 and 337:
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
Page 346 and 347:
Page 348 and 349:
Page 350 and 351:
Page 352 and 353:
Page 354 and 355:
Page 356 and 357:
Page 358 and 359:
APPENDIX B: Discontinued or Changed
Page 360 and 361:
Page 362 and 363:
Page 364 and 365:
Page 366 and 367:
A P P E N D I x C : P e r f o r m a
Page 368 and 369:
Page 370 and 371:
Page 372 and 373:
Page 374 and 375:
Page 376 and 377:
Page 378 and 379:
Page 380 and 381:
Page 382 and 383:
Page 384 and 385:
Page 386 and 387:
Page 388 and 389:
Page 390 and 391:
Page 392 and 393:
Page 394 and 395:
Page 396 and 397:
Page 398 and 399:
Page 400 and 401:
Page 402 and 403:
Page 404 and 405:
Page 406 and 407:
Page 408 and 409:
Page 410 and 411:
Page 412 and 413:
Page 414 and 415:
Page 416 and 417:
A P P E N D I x D : I m p r o p e r
Page 418 and 419:
A P P E N D I x E : S u m m a r y o
Page 420 and 421:
A P P E N D I X F : G L O S S A R Y
Page 422 and 423:
A P P E N D I X F : G L O S S A R Y
Page 424:
D E PA R T M E N T O F C O M M E R
show all

United States DEPARTMENT of Commerce

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?