FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

FDIC’s Information Technology Configuration
Management Controls Over Operating System Software

September 2005
Audit Report 05-031


Footnote 1:  Appendix C contains additional information on the laws and regulations referenced in this report.

Footnote 2:  CMMI Version 1.1 for Systems Engineering, Software Engineering, Integrated Product and Process Development, and Supplier Sourcing (Continuous Representation), dated March 2002. The CMMI is a process improvement methodology that defines six capability levels reflecting an organization’s ability to perform, control, and improve its performance. Appendix B contains additional information on the CMMI. CMMI is a service mark of Carnegie Mellon University.

Footnote 3:  DIT established the FDIC Infrastructure Change Control Board in February 2005 to formally review and approve changes to the information technology infrastructure and technical architecture; ensure that changes are well planned, communicated, and coordinated; and manage the change control process.

Footnote 4:  SEI is a federally funded software engineering research and development center sponsored by the Department of Defense. Founded in 1984, SEI’s mission is to assist organizations in improving their software engineering capabilities.

Footnote 5:  Examples of configuration changes resulting from defects in work products include (1) the redeployment of a software patch because the original deployment did not successfully install on all target servers or workstations or (2) corrective actions to address a software functionality problem caused by incompatibility. Tracking such changes is important because they could be an indication of inadequate testing or other configuration management problems.

Footnote 6:  DIT Policy Memorandum 04-004, Policy on Security Patch Management, dated April 15, 2004.

Footnote 7:  DIT began using the Harris Corporation’s Security Threat Avoidance Technology (STAT®) vulnerability assessment scanner in December 2004.

Footnote 8:  SMS is a key configuration management tool used on the Windows® server and desktop computing platforms. DIT uses SMS to remotely scan devices on these software platforms, inventory installed software, distribute security patches and other software, and generate reports on installed/uninstalled software.

Footnote 9:  Organizations can use different criteria for determining when a work product subject to configuration management should be revised. For example, an organization may require that its desktop build procedures and associated software image files be updated only following a major operating system upgrade, while another organization may require updates to these same work products periodically, such as monthly.

Footnote 10:  Software-related changes include, for example, the installation or removal of items such as service packs, security patches, and software programs.

Footnote 11:  Hardware-related changes include, for example, the installation or removal of items such as network interface cards and server hard drives. Hardware-related changes can directly impact the performance of operating system software.

Footnote 12:  The tool used was the FDIC Change Management System (FCMS). FCMS has formal automated workflow process capabilities, such as the ability to track, record, and report configuration change requests.

Footnote 13:  Sometimes referred to as a “back-out plan,” a roll-back plan describes the system recovery steps to be followed should a configuration change cause an unexpected, negative effect on an organization’s IT operations.

Footnote 14:  Such tools included SMS, the Foundstone vulnerability scanner, the Harris Corporation’s STAT scanner, and the Shavlik patch scanner.

Footnote 15:  Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Footnote 16:  REMEDY is used to track trouble tickets and IT hardware inventory.

Footnote 17:  IBM was unable to determine the number of configuration changes relating to the infrastructure because infrastructure changes were not stored separately from application changes.

Footnote 18:  Federal Agency Security Practices (FASP). The FASP effort was initiated as a result of the success of the Federal CIO Council’s Federal Best Security Practices pilot effort to identify, evaluate, and disseminate best practices for critical infrastructure protection and security.

Footnote 19:  The FDIC’s standard server-based operating system in the network environment is Microsoft Windows® 2000 Advanced Server. At the time of our audit, DIT was maintaining a limited number of servers operating the Windows NT® and Windows® 2003 operating systems.

Footnote 20:  The manual provides guidance for reviewing information system controls (including software configuration management controls) that affect the integrity, confidentiality, and availability of computerized data.

Last updated 9/20/2005