OFFICE OF INSPECTOR GENERAL

MEMORANDUM

DATE: February 9, 1998
TO: Daniel Phythyon, Chief, Wireless Telecommunications Bureau
FROM: H. Walker Feaster III, Inspector General
SUBJECT: Special Review of Auction Application Security

As part of our ongoing effort to ensure protection of the Commission's information resources, this office has recently completed a review of the security of the FCC Auction Application. To conduct this review, the OIG established task order number two (2) under our contract with TWM Associates, Inc. (hereafter referred to as "TWM").

On September 16, 1996, the Office of Inspector General issued a Special Review report, Report No. 96-6, entitled "Special Review of Auction Site Information Technology (IT) Security." That report presented the results of our review of Information Technology (IT) security at the Commission's 2 Massachusetts Avenue facility. Because of the timeframe under which that project was completed, several critical components of the auction system were not evaluated, including the auction application (i.e., the FCC Auctions System), IT security at the Gettysburg facility, and Internet connectivity (including firewall configuration). The present review was intended to evaluate the auction application component of the overall automated auction program.

The specific objectives of this task were twofold. The objective of phase one was to identify and evaluate the system of controls established within the FCC Auctions System application to ensure that they provide a secure environment for participants in the spectrum auction process. This evaluation covered the complete system of controls, including automated controls (e.g., those employed by the PowerBuilder and Sybase DBMS software) and manual controls (e.g., distribution of passwords, resetting of accounts, etc.). To accomplish this objective, TWM reviewed system documentation and interviewed system management personnel to identify existing manual and automated controls; designed tests for each control identified and conducted those tests to determine operational status; identified areas where controls can be improved; and developed recommendations for specific control improvements.

The objective of phase two was to examine the controls associated with system operation and maintenance. These controls should assure that adequate processes have been developed for operating the Auction System and for monitoring and controlling changes to it. To accomplish this objective, TWM reviewed the policies, procedures, and standards associated with Auction System operation and maintenance; interviewed personnel involved in the system operation and maintenance process; examined system documentation (e.g., flow charts, data diagrams, etc.) to verify that all system modifications are accurately reflected; identified areas where controls can be improved; and developed recommendations for specific control improvements.

In general, our review indicates that the Auction Application remote bidding software functions as intended for bidders participating in auctions. However, the review team did identify control improvements that can be made in the areas of segregation of duties, accountability within the application, adequacy of contingency planning, and overall access controls. Many of these control improvements were already being addressed at the time the review was completed. In addition, we observed that the Commission employees and contractor personnel managing the site are committed to continual improvement of security as part of their operational mission.

A copy of the Special Review Report prepared by TWM, containing specific observations and recommendations, is attached. This report, Report No. 97-4, entitled "Special Review Auction Application", contains sensitive information. For that reason, we recommend that you restrict distribution of this report to those personnel in your organization with a need for the information.

If you would like to discuss this review, please contact me at 418-0470.

Attachment

cc: John Giuli, WTB Auction Division (with attachment)
    David Jarrell, Computer Security Officer (with attachment)