Security Audit of NIH Computer Center Benefits Customers
The NIH Computer Center passed its annual security audit with flying colors. This successful audit is important to Computer Center customers for two reasons. First, it assures all customers that security policies, procedures and tools are in place at the Computer Center to adequately protect their valuable data. Second, managers of financial applications subject to audit under the Chief Financial Officers' (CFO) Act will save money because the Computer Center audit fulfills a significant portion of the CFO ADP audit requirements.
The audit, which concluded on October 30, 1998, was performed by an independent auditing firm commissioned by the HHS Office of the Inspector General (OIG). According to the auditor's subsequent briefing to officials from OIG, the General Accounting Office (GAO), and CIT, the final audit report will certify that the Center's MVS systems are appropriate for applications that are critical to their agency's mission and for storing highly sensitive data. This degree of security meets the requirements of HHS security level three (only national security, at level four, is higher).
Covering the period since October 1, 1997, the SAS 70 Type II audit examined and tested CIT's policies and procedures for the Computer Center's MVS North and South production systems. Ernst & Young LLP conducted the audit using standards established by the American Institute of Certified Public Accountants. The auditors reviewed Computer Center controls for access to data files and programs, systems software implementation and maintenance, disaster recovery services, and physical security. In addition, the audit included a review of the Computer Center's implementation of RACF access control software, as well as the Y2K readiness of the MVS system software components.
The fact that the data center is secure and appropriately managed is not sufficient to provide complete application security. Application managers must take steps to identify and protect their sensitive data and must also incorporate the proper security tools into their applications. CIT's enterprise system security staff will be glad to consult with anyone who needs to develop or strengthen the security of their application.
The auditor's final report is currently being reviewed by GAO and OIG, and should be available to CIT early in 1999. Should you need a copy of it to satisfy audit requirements for your application, please call Computer Center Security Officer Mary Boehly at (301) 496-5826.
Interface 208 - December 15, 1998