Date Issued:
Submitting OIG: Department of the Treasury OIG
Other Participating OIGs: Department of the Treasury OIG
Agencies Reviewed/Investigated: Department of the Treasury
Components: Bureau of the Fiscal Service
Report Number: OIG-20-022
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 67
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 10 open recommendations.
Each open recommendation is listed below with its recommendation number, whether it is a significant recommendation, the recommended questioned costs, the recommended funds for better use, and additional details.

Recommendation 7-1
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should finalize policies and procedures to review audit logs of production DB2 servers.

Recommendation 7-2
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should implement an oversight process to ensure that designated Fiscal Service personnel:
a. review the security logs for the UNIX and DB2 servers hosting the Payment Information Repository (PIR), Judgment Fund Internet Claim System (JFICS), and Security Payment System (SPS) applications on a pre-defined frequency, as indicated in the Fiscal Service Baseline Security Requirements (BLSR);
b. formally document completion of their reviews and any escalations to the Information System Security Office (ISSO); and
c. retain the audit logs and documentation of their reviews for 18 months, as required by the BLSR.

Recommendation 7-3
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should periodically review Fiscal Service management's implementation and operation of the review of the security audit logs for the UNIX and DB2 servers hosting the Payment Information Repository (PIR), Judgment Fund Internet Claim System (JFICS), and Secure Payment System (SPS) applications to determine that Fiscal Service management completes the reviews on a pre-defined basis, documents completion of the reviews and escalations, and maintains such documentation.

Recommendation 7-4
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should establish an effective enforcement process or mechanism to ensure that (a) UNIX and DB2 event and monitoring controls are followed, and (b) Fiscal Service management has confidence that it consistently reviews for potential unauthorized or inappropriate activity.

Recommendation 17-1
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should develop and implement documentation to assign responsibility for ensuring the adequacy of UNIX and database security and baseline settings.

Recommendation 17-2
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should update existing UNIX and database configuration security baseline documents to ensure that these documents fully incorporate and enforce the components of the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Management should document any deviations from the STIGs and note compensating controls that mitigate the security risk to an acceptable level.

Recommendation 17-3
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should develop, document, and implement policies, procedures, and controls to conduct periodic reviews of actual UNIX and database settings against the security configuration baselines.

Recommendation 17-4
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should provide logging and monitoring of security-related events, including the retention of evidence of reviews performed.

Recommendation 17-5
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should develop a baseline of essential security settings and specify that baseline as the standard to be observed.

Recommendation 17-6
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Bureau of the Fiscal Service (Fiscal Service) management should implement corrective actions to address all vulnerabilities associated with baseline enforcement, including removing the three default user accounts on UNIX servers.
