INDEPENDENT AUDITORS' REPORT

United States Patent and Trademark Office
Independent Auditors' Report
November 7, 2012
Page 5 of 7

This report is intended solely for the information and use of the USPTO's management, the U.S. Department of Commerce management and the U.S. Department of Commerce Office of Inspector General and is not intended to be and should not be used by anyone other than these specified parties.

November 7, 2012

PERFORMANCE AND ACCOUNTABILITY REPORT: FISCAL YEAR 2012

United States Patent and Trademark Office
Independent Auditors' Report
November 7, 2012
Page 6 of 7

Exhibit I – Significant Deficiency

Information Technology Access and Configuration Management Controls Need Improvement

The U.S. Department of Commerce (Commerce) Office of Inspector General (OIG), and departmental self-assessments identified weaknesses in USPTO's information technology (IT) and financial systems controls for several years. During fiscal year 2012 new deficiencies were identified that require management's attention.

Our fiscal year 2012 IT assessment, using the Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM), was focused on the IT general controls over USPTO's major financial management systems and supporting network infrastructure.

The IT general controls that we consider collectively to be a significant deficiency under the standards issued by the American Institute of Certified Public Accountants are as follows:

• Access controls. In close concert with an organization's security management, access controls for general support systems and applications should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization's entity-wide security program. Such controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of information.

The objectives of limiting access are to ensure that users have only the access needed to perform their duties; that access to sensitive resources, such as security software programs, is limited to few individuals; and that employees are restricted from performing incompatible functions or duties beyond their responsibility. This is reiterated by Federal guidelines. For example, Office of Management and Budget (OMB) Circular No. A-130 and the supporting National Institute of Standards and Technology (NIST) publications provide guidance related to the maintenance of technical access controls. In addition, the Commerce IT Security Program Policy contains many requirements for operating Commerce IT devices in a secure manner.

During fiscal year 2012, we noted that access controls should be improved by USPTO, primarily in the areas of: (1) managing user accounts to appropriately disable and recertify network, financial system, database and operating system accounts, (2) improving logical controls over financial applications and database system access, (3) ensuring compliance with audit log review requirements, and (4) preventing the use of shared database and operating system accounts and passwords. We recognize that USPTO has certain compensating controls in place to help reduce the risk of the identified weaknesses, and we have considered such compensating controls as part of our USPTO financial statement audit.

• Configuration management. Configuration management involves the identification and management of security features for all hardware, software, and firmware components of an information system at a given point and systematically controls configuration changes throughout the system's life cycle. Establishing controls over modifications to information system components and related documentation helps to ensure that only authorized systems and related program modifications are implemented. This is accomplished by instituting policies, procedures, and techniques to ensure that hardware, software