Table Of Content

Philip Kiko Chet aia Oncae OMtice ot he Chiet Aoministeative @tticer G.&. Bouse of Representatives ‘Washington, WE 20515-9860 February 3, 2017 To: ‘The Honorable Gregg Harper Chairman, Commitice on House Administration ‘The Honorable Rovert A. Brady Ranking Member, Committee on House Administration Philip G. Kiko ‘Chief Administrative Officer Paul D. frving ‘Sergeant at Arms Gencral (O1G) and HIR Cybersecurity have documented mul artis, IT security violations, and shared employee policy violations by five [by multiple House offices, hereafter referred to as “the employees ice gathered to this poinl, we have concluded thatthe employees aro an ak to the House of Representatives, possloly threatening the intcgricy of ms and thereby Moniber's capacity to serve constituents fembers and the House, we (GAO) aad the Sergeant stems and non-public Tesponsiye to the needs of the juiry and their Full support has greatly informed this Tecommendation. a ae - With the approval of the Commnitic, the CAO and the SAA will take the following actions: * Disable and remove all access to House information technology sesources otk network and local accounts, Disable and remove access (o email accounts, remote aesess accouunt/tokens, mobile phones and devices, Disable any prox card access. Demand that these individuals surrender equipr Revoke all parking posses and privileges. Instruct all House office Members’ and their staff where these employees 1 change their House account passwords and personal passwords (c.2., ‘Vunes) “may have shared with these employees. ‘that the House Superintendent rekey any room or facility used by s to store data or equipment to protect Member's inventory, alert the Unized States Capitol Pol: ‘any suspicious activity related to House assets and property by the including 992016, the CAO Office of Acquisitions Managemen! discovered suspicious for mobile equipment by Mr. Omar Awan’, a shared employ: er offices. Me. Awan structured these purchase orders in such a fice below the accountable equipment thresholé of $500 © Officer reporied the suspicious activity to the Commit ‘The Committee on Hose Administration requested the O1G to ofthis activity. purchase orders, vouchers, and emails, the O1Gs ina ‘above referenced individuals. While performing the inquiry ‘of iregular procurements as well as violations of both [7 We have determined twenty House offices wer 3s, and potentially over 40 House Offices may ‘of the inquiry widened, the Commitee on ‘Chairman of the Democratic the OIG identified. As2 ‘he CAO to copy the data matter to the epee oe Aditinistration directed the Inspector General to refer ‘ater to the United States Capitol Police (USCP). The SCP inkinad cr eae that continues to this day. In late 2016, the former Chairman of the Demoer tesign from Congress to assume a new position. The CAO and SAA worked eatiate Chairman to account for his inventory, including the one server. While reviewing the inventory, the CAO discovered id not match that of the onc imaged in Seplember. The CAO alse discovered that he Servet in question was still operating unécr the employee's conuol, contrary to the explicit instructions of the former Chairman to turn over all equip-nent, and fully ooperate with the inquiry and investigation, ‘The USCP interviewed relevant staff regarding the missing server. On January 24, 2017, the CAO acquired the serve: fram the control ofthe empl ‘transferred that server to the USCP. Caucus announced his intention to tthe serial number of the server of Evidence Gathered by the House O1G ng over the inguiry tothe USCP, the OIG guheted signa! even ev tthe ‘irregularities und IT security policy violations by the employees. The ev bby the OIG has been provided to you. of House vouchers documenting irregular transuctions: Sf CDWG doraneatings et ss c ‘and vouchers documenting structured purchases; es House Member's Chiefs of Stall, Pact cauipent vendor ‘wages of each employee: ‘end computer access logs; of stored equipment; and, es issued US. House of Representatives is ne Se dpe CAO to mstain an insti of all re price of $500 or more ing purchases and comingliag “lurty “tour purchases totaling nearly $38,000 where the employ to avoid the $500 accountable equipment thresh: $219,000 in outstanding invoices owed to C. employees, some of which were ic known to the Member's office. Eighty-three pieces of missing equipm been “written off” from the House inventory by CAO employees. Missing equipment ‘equipment, and computers Fourteen examples of equipment delivered to Of the House af Representatives, thus process. Examples of unopened equipment being stored et uknown all prohibit the ee or subleting of jo ) different Member or Committee offices o: 2) individuals w ¢my job duties nor sublet any portion of =, assigned email accounts for all of: Summary of House IT Security Poti bet office's equipment ut they belonged to another office.” She tld him to ge ‘them out of her Member's office. Pee © Gas Member office believed the employees were contactors, not House employees. Furthermore, the office believed that one ofthe employees cathe entecon hue with the other four employees effectively reporting #0 hien * One of he employees appears to have violated outside fiduciary sa business, esttictios on senio: staff. Violations ‘The OIG documented numerous and egregious violations of House [1 Security, including Principles of Behavior for Information Systems Users: Users must access and use only {information for which they have official authorization SPOL 002.0 Protecting Systems from Unauthorized Use Section 2.2 Users shal use only information for which they have officiel authorization, :00 Password Protection: Policy 2.6 - Do not share UserlDs and passwords |= Protection of Sensitive Information, Section 2.3 ~ All Hou: ‘be stored on Iouse ovmed equipment. curity Policy for Privileged Account Management - Sccuity See ‘shall not share access to an individual Privileged Account ed permissions in pffives so thal cach of he five cay ces. This could have resulted in Member's data being aco unauthorized by the office, HIR Cybersecurity iden iby he shared eyslom mimisirors tat have groups outside admisiative permissions accounts, including some assigned to Members, nine U1 Poffices who owned these secounts did noc enpiay ta exp [Demoeratic Caucus compiter, even tough the en je Caucus computers 5735 times, even joy these employees, HIR Cybersecuriy ‘Caucus server as an entry point snd

ebook img

Feb. 2017 House CAO 'Urgent' Cybersecurity Memo PDF

9.2 MB·English
by  
#additional_collections #documentcloud
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Feb. 2017 House CAO 'Urgent' Cybersecurity Memo

Philip Kiko Chet aia Oncae OMtice ot he Chiet Aoministeative @tticer G.&. Bouse of Representatives ‘Washington, WE 20515-9860 February 3, 2017 To: ‘The Honorable Gregg Harper Chairman, Commitice on House Administration ‘The Honorable Rovert A. Brady Ranking Member, Committee on House Administration Philip G. Kiko ‘Chief Administrative Officer Paul D. frving ‘Sergeant at Arms Gencral (O1G) and HIR Cybersecurity have documented mul artis, IT security violations, and shared employee policy violations by five [by multiple House offices, hereafter referred to as “the employees ice gathered to this poinl, we have concluded thatthe employees aro an ak to the House of Representatives, possloly threatening the intcgricy of ms and thereby Moniber's capacity to serve constituents fembers and the House, we (GAO) aad the Sergeant stems and non-public Tesponsiye to the needs of the juiry and their Full support has greatly informed this Tecommendation. a ae - With the approval of the Commnitic, the CAO and the SAA will take the following actions: * Disable and remove all access to House information technology sesources otk network and local accounts, Disable and remove access (o email accounts, remote aesess accouunt/tokens, mobile phones and devices, Disable any prox card access. Demand that these individuals surrender equipr Revoke all parking posses and privileges. Instruct all House office Members’ and their staff where these employees 1 change their House account passwords and personal passwords (c.2., ‘Vunes) “may have shared with these employees. ‘that the House Superintendent rekey any room or facility used by s to store data or equipment to protect Member's inventory, alert the Unized States Capitol Pol: ‘any suspicious activity related to House assets and property by the including 992016, the CAO Office of Acquisitions Managemen! discovered suspicious for mobile equipment by Mr. Omar Awan’, a shared employ: er offices. Me. Awan structured these purchase orders in such a fice below the accountable equipment thresholé of $500 © Officer reporied the suspicious activity to the Commit ‘The Committee on Hose Administration requested the O1G to ofthis activity. purchase orders, vouchers, and emails, the O1Gs ina ‘above referenced individuals. While performing the inquiry ‘of iregular procurements as well as violations of both [7 We have determined twenty House offices wer 3s, and potentially over 40 House Offices may ‘of the inquiry widened, the Commitee on ‘Chairman of the Democratic the OIG identified. As2 ‘he CAO to copy the data matter to the epee oe Aditinistration directed the Inspector General to refer ‘ater to the United States Capitol Police (USCP). The SCP inkinad cr eae that continues to this day. In late 2016, the former Chairman of the Demoer tesign from Congress to assume a new position. The CAO and SAA worked eatiate Chairman to account for his inventory, including the one server. While reviewing the inventory, the CAO discovered id not match that of the onc imaged in Seplember. The CAO alse discovered that he Servet in question was still operating unécr the employee's conuol, contrary to the explicit instructions of the former Chairman to turn over all equip-nent, and fully ooperate with the inquiry and investigation, ‘The USCP interviewed relevant staff regarding the missing server. On January 24, 2017, the CAO acquired the serve: fram the control ofthe empl ‘transferred that server to the USCP. Caucus announced his intention to tthe serial number of the server of Evidence Gathered by the House O1G ng over the inguiry tothe USCP, the OIG guheted signa! even ev tthe ‘irregularities und IT security policy violations by the employees. The ev bby the OIG has been provided to you. of House vouchers documenting irregular transuctions: Sf CDWG doraneatings et ss c ‘and vouchers documenting structured purchases; es House Member's Chiefs of Stall, Pact cauipent vendor ‘wages of each employee: ‘end computer access logs; of stored equipment; and, es issued US. House of Representatives is ne Se dpe CAO to mstain an insti of all re price of $500 or more ing purchases and comingliag “lurty “tour purchases totaling nearly $38,000 where the employ to avoid the $500 accountable equipment thresh: $219,000 in outstanding invoices owed to C. employees, some of which were ic known to the Member's office. Eighty-three pieces of missing equipm been “written off” from the House inventory by CAO employees. Missing equipment ‘equipment, and computers Fourteen examples of equipment delivered to Of the House af Representatives, thus process. Examples of unopened equipment being stored et uknown all prohibit the ee or subleting of jo ) different Member or Committee offices o: 2) individuals w ¢my job duties nor sublet any portion of =, assigned email accounts for all of: Summary of House IT Security Poti bet office's equipment ut they belonged to another office.” She tld him to ge ‘them out of her Member's office. Pee © Gas Member office believed the employees were contactors, not House employees. Furthermore, the office believed that one ofthe employees cathe entecon hue with the other four employees effectively reporting #0 hien * One of he employees appears to have violated outside fiduciary sa business, esttictios on senio: staff. Violations ‘The OIG documented numerous and egregious violations of House [1 Security, including Principles of Behavior for Information Systems Users: Users must access and use only {information for which they have official authorization SPOL 002.0 Protecting Systems from Unauthorized Use Section 2.2 Users shal use only information for which they have officiel authorization, :00 Password Protection: Policy 2.6 - Do not share UserlDs and passwords |= Protection of Sensitive Information, Section 2.3 ~ All Hou: ‘be stored on Iouse ovmed equipment. curity Policy for Privileged Account Management - Sccuity See ‘shall not share access to an individual Privileged Account ed permissions in pffives so thal cach of he five cay ces. This could have resulted in Member's data being aco unauthorized by the office, HIR Cybersecurity iden iby he shared eyslom mimisirors tat have groups outside admisiative permissions accounts, including some assigned to Members, nine U1 Poffices who owned these secounts did noc enpiay ta exp [Demoeratic Caucus compiter, even tough the en je Caucus computers 5735 times, even joy these employees, HIR Cybersecuriy ‘Caucus server as an entry point snd

See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users