FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

FDIC’s Information Technology Configuration
Management Controls Over Operating System Software

September 2005
Audit Report 05-031


DATE:  August 29, 2005

MEMORANDUM TO:  Stephen M. Beard
 Deputy Assistant Inspector General for Audits
 Office of the Inspector General

FROM: Michael E. Bartell
 CIO and Director
 Division of Information Technology

SUBJECT:  DIT Response to the Draft Report Entitled Audit of FDIC’s
 Information Technology Configuration Management Controls
 Over Operating System Software (Report No. 05-031)

The Division of Information Technology (DIT) has reviewed the subject draft audit report and in general concurs with the Office of the Inspector General’s (OIG) recommendations. Specific corrective actions and estimated completion dates for each recommendation are outlined below.

General Comments

DIT would like to thank the Inspector General for incorporating several changes discussed at the Exit Conference into this updated Draft Report. The updated Draft has addressed many of our initial concerns.

Responses to Recommendations

  • Recommendation 1: Establish a policy that takes an enterprise approach to defining the roles, responsibilities, and overall principles and management expectations for performing configuration management on operating system software. The policy should address requirements for developing and maintaining configuration management plans and performing periodic self-assessments of configuration management processes and practices.

    Response: Partially Concur. DIT does agree that configuration management for operating systems is an area that should be covered by DIT policies. We do not believe that it is necessarily best to attempt to treat this issue within a single policy document covering all types of software. We agree to take a look at our policies to determine how most effectively to cover configuration management of the various operating systems and will develop appropriate modifications to existing policies or a new policy as required to meet the objectives of the recommendation. The new and/or revised policy will be established from a high-level, enterprise approach that will address requirements for configuration management plans and periodic self-assessments. The new/revised policy will be approved and posted on the DIT Web site by November 30, 2005. (Infrastructure Services (Laterra), and Delivery Management (Livesay))

  • Recommendation 2: Develop configuration management plan(s) covering the four operating system software platforms addressed in this report consistent with federal standards and guidelines and industry accepted practices. DIT should determine whether other operating system software platforms require configuration management plan(s) and develop such plans where appropriate.

    Response: Concur. While DIT does have procedures for configuring the servers indicated, DIT will formalize these into configuration management plans consistent with federal standards and guidelines for the four operating systems, as well as any other operating systems, by March 15, 2006. (Infrastructure Services (Laterra))

  • Recommendation 3: Ensure that the certification and accreditation of the FDIC’s general support systems incorporate an evaluation and testing of the FDIC’s configuration management policy and plans referenced in recommendations 1 and 2 of this report.

    Response: Partially Concur. The FDIC’s Security Test and Evaluation (ST&E) program, a component of the Certification and Accreditation (C&A) program, currently tests against NIST 800-53 requirements to determine the level of compliance with NIST-specific guidance and industry best practices as they relate to configuration management policies, procedures, and plans. As new configuration management policy and procedures are implemented, DIT will include the evaluation and testing of updated policies in future C&A cycles, beginning in June 2006. (Information Security (Seborg))

  • Recommendation 4: Document the minimum required configuration settings for the Windows® server and desktop operating system platforms and develop procedures to ensure that changes to baseline configuration settings are documented.

    Response: Partially Concur. DIT currently has several processes to document the required configuration settings for Windows® servers and desktop operating systems.

    DIT uses server build documents to detail the required hardware and software configuration settings for its Windows® servers. All server builds are based upon the build documents to ensure that minimum configuration settings are adhered to. Configuration settings supplied by the software manufacturer are modified as required for the FDIC technical requirements for each platform. In addition to the minimum configuration settings, additional settings, such as application-specific SQL sort parameters, are also detailed in the build documents. When a server-related problem requires a configuration change, it is referred to Server Software. Server Software evaluates the issue to determine whether the proposed fix is needed. Once the fix is tested, approved, and implemented, the server build is updated to reflect the fix and to ensure that all future builds incorporate the new configuration change. Significant exceptions to the standard build and the reasons for the exception are documented as part of this process.

    DIT will review the current procedures to ensure that the documentation will include the standard baseline configuration and approved exceptions to the configuration settings. We will also re-emphasize compliance with operational procedures established to ensure server and desktop build procedures are consistently applied for each operating system. Finally, DIT will investigate automated tools that may facilitate periodic review of configuration settings to monitor compliance with the standard build, and will implement the tool if it is determined to be beneficial. The required updates to documentation and related procedures, the management action to ensure procedural compliance with build standards, and the investigation of possible automated tools for review of configuration settings will be completed by April 15, 2006. (Infrastructure Services (Laterra))

  • Recommendation 5: Standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the maximum extent practical. As part of this effort, DIT should consider using automated mechanisms to improve performance metric reporting for configuration changes from a system-specific and enterprise perspective.

    Response: Concur. DIT has been working to standardize on a single system for tracking and documenting all configuration changes. This tool will provide improved performance metric reporting for configuration changes. The consolidation of the various systems into a single management tool will be completed by August 31, 2006. (Infrastructure Services (Laterra))

If you have any questions, please contact Rack Campbell, Chief ITES, on (703) 516-1422.

cc: Russell Pittman, DIT
 Jerry Russomano, DIT
 Ned Goldberg, DIT
 Martha Adams, DIT
 James Angel, OERM
 Rack Campbell, DIT

Last updated 10/05/2005