USPTO Performance and Accountability Report - U.S. Patent and ...

United States Patent and Trademark Office
Independent Auditors’ Report
United States Patent and Trademark Office
November 7, 2012
Independent Auditors’ Report
Page 6 of 7
November 7, 2012
Page 6 of 7
Exhibit I – Significant Deficiency
INDEPENDENT AUDITORS’ REPORT
Exhibit I – Significant Deficiency
Information Technology Access and Configuration Management Controls Need Improvement
Information The U.S. Technology Department of Access Commerce and Configuration (Commerce) Office Management of Inspector Controls General Need (OIG), Improvement and departmental selfassessments
identified weaknesses in USPTO’s information technology (IT) and financial systems controls
The U.S. for several Department years. of During Commerce fiscal (Commerce) year 2012 new Office deficiencies of Inspector were General identified (OIG), that and require departmental management’s selfassessments
attention. identified weaknesses in USPTO’s information technology (IT) and financial systems controls
for several years. During fiscal year 2012 new deficiencies were identified that require management’s
Our fiscal year 2012 IT assessment, using the Government Accountability Office’s (GAO’s) Federal
attention.
Information System Controls Audit Manual (FISCAM), was focused on the IT general controls over
Our USPTO’s fiscal yearmajor 2012 financial IT assessment, management usingsystems the Government and supporting Accountability network infrastructure. Office’s (GAO’s) The IT Federal general
Information controls System that we Controls consider Audit collectively Manual to (FISCAM), be a significant was deficiency focused on under the the IT general standards controls issued by over the
USPTO’s American major Institute financial of Certified management Public systems Accountants and are supporting as follows: network infrastructure. The IT general
controls
� Access
that we
controls.
consider
In
collectively
close concert
to be
with
a significant
an organization’s
deficiency
security
under
management,
the standards
access
issued
controls
by the
for
American
general
Institute
support
of Certified
systems
Public
and applications
Accountants
should
are as
provide
follows:
reasonable assurance that computer resources
� Access such controls. as data files, In close application concert programs, with an organization’s and computer-related security facilities management, and equipment access controls are protected for
general against support unauthorized systems and modification, applications disclosure, should provide loss, or reasonable impairment. assurance Access controls that computer are facilitated resources by an
such organization’s as data files, entity-wide application security programs, program. and computer-related Such controls include facilities physical and equipment controls, such are protected as keeping
against computers unauthorized in locked modification, rooms to disclosure, limit physical loss, access, or impairment. and logical Access controls, controls such are as facilitated security software by an
organization’s programs designed entity-wide to security prevent program. or detect Such unauthorized controls access include to physical sensitive controls, files. Inadequate such as keeping access
computers controls in diminish locked rooms the reliability to limit physical of computerized access, and data logical and controls, increase such the risk as security of destruction software or
programs inappropriate designed disclosure to prevent of information. or detect unauthorized access to sensitive files. Inadequate access
controls The objectives diminish of the limiting reliability access of are computerized to ensure that data users and have increase only the the access risk needed of destruction to perform their or
inappropriate duties; that disclosure access of to information. sensitive resources, such as security software programs, is limited to few
The objectives
individuals;
of
and
limiting
that employees
access are
are
to
restricted
ensure that
from
users
performing
have only
incompatible
the access
functions
needed to
or
perform
duties beyond
their
duties;
their
that
responsibility.
access to sensitive
This is reiterated
resources,
by Federal
such as
guidelines.
security software
For example,
programs,
Office
is
of
limited
Management
to few
and
Budget (OMB) Circular No. A-130 and the supporting National Institute of Standards and Technology
individuals; and that employees are restricted from performing incompatible functions or duties beyond
(NIST) publications provide guidance related to the maintenance of technical access controls. In
their responsibility. This is reiterated by Federal guidelines. For example, Office of Management and
addition, the Commerce IT Security Program Policy contains many requirements for operating
Budget (OMB) Circular No. A-130 and the supporting National Institute of Standards and Technology
Commerce IT devices in a secure manner.
(NIST) publications provide guidance related to the maintenance of technical access controls. In
addition, During the fiscal Commerce year 2012, IT we Security noted that Program access controls Policy should contains be improved many requirements by USPTO, for primarily operating in the
Commerce areas of: IT (1) devices managing in a secure user accounts manner. to appropriately disable and recertify network, financial system,
database and operating system accounts, (2) improving logical controls over financial applications and
During
database
fiscal year
system
2012,
access,
we noted
(3)
that
ensuring
access
compliance
controls should
with
be
audit
improved
log review
by USPTO,
requirements,
primarily
and
in the
(4)
areas preventing of: (1) managing the use of user shared accounts database to appropriately and operating disable system accounts and recertify and passwords. network, financial We recognize system, that
database USPTO and has operating certain system compensating accounts, controls (2) improving in place to logical help reduce controls the over risk of financial the identified applications weaknesses, and
database and we system have considered access, (3) such ensuring compensating compliance controls with as part audit of our log USPTO review financial requirements, statement and audit. (4)
preventing the use of shared database and operating system accounts and passwords. We recognize that
USPTO � Configuration has certain compensating management. controls Configuration in place management to help reduce involves the risk the of identification the identified and weaknesses, management
and we of security have considered features for such all compensating hardware, software, controls and as firmware part of our components USPTO financial of an information statement system audit. at a
given point and systematically controls configuration changes throughout the system’s life cycle.
� Configuration Establishing management. controls over modifications Configuration to management information involves system components the identification and related and management
documentation
of security helps to features ensure for that all only hardware, authorized software, systems and and firmware related program components modifications of an information are implemented. system at This a
given is point accomplished and systematically by instituting controls policies, configuration procedures, and changes techniques throughout to ensure the that system’s hardware, life software cycle.
Establishing controls over modifications to information system components and related documentation
helps to ensure that only authorized systems and related program modifications are implemented. This
is accomplished by instituting policies, procedures, and techniques to ensure that hardware, software
www.uspto.gov
121