USPTO Performance and Accountability Report - U.S. Patent and ...
United States Patent and Trademark Office
Independent Auditors' Report
November 7, 2012
Page 6 of 7

INDEPENDENT AUDITORS' REPORT
Exhibit I – Significant Deficiency
Information Technology Access and Configuration Management Controls Need Improvement

The U.S. Department of Commerce (Commerce) Office of Inspector General (OIG), and departmental self-assessments identified weaknesses in USPTO's information technology (IT) and financial systems controls for several years. During fiscal year 2012 new deficiencies were identified that require management's attention.

Our fiscal year 2012 IT assessment, using the Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM), was focused on the IT general controls over USPTO's major financial management systems and supporting network infrastructure. The IT general controls that we consider collectively to be a significant deficiency under the standards issued by the American Institute of Certified Public Accountants are as follows:

• Access controls. In close concert with an organization's security management, access controls for general support systems and applications should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization's entity-wide security program. Such controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of information.

The objectives of limiting access are to ensure that users have only the access needed to perform their duties; that access to sensitive resources, such as security software programs, is limited to few individuals; and that employees are restricted from performing incompatible functions or duties beyond their responsibility. This is reiterated by Federal guidelines. For example, Office of Management and Budget (OMB) Circular No. A-130 and the supporting National Institute of Standards and Technology (NIST) publications provide guidance related to the maintenance of technical access controls. In addition, the Commerce IT Security Program Policy contains many requirements for operating Commerce IT devices in a secure manner.

During fiscal year 2012, we noted that access controls should be improved by USPTO, primarily in the areas of: (1) managing user accounts to appropriately disable and recertify network, financial system, database and operating system accounts, (2) improving logical controls over financial applications and database and system access, (3) ensuring compliance with audit log review requirements, and (4) preventing the use of shared database and operating system accounts and passwords. We recognize that USPTO has certain compensating controls in place to help reduce the risk of the identified weaknesses, and we have considered such compensating controls as part of our USPTO financial statement audit.
• Configuration management. Configuration management involves the identification and management of security features for all hardware, software, and firmware components of an information system at a given point and systematically controls configuration changes throughout the system's life cycle. Establishing controls over modifications to information system components and related documentation helps to ensure that only authorized systems and related program modifications are implemented. This is accomplished by instituting policies, procedures, and techniques to ensure that hardware, software
www.uspto.gov<br />
121