DHS OIG, OIG-10-93, Information Technology Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Statement Audit (2010)

DHS OIG

Section: Information Technology Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Statement Audit

Effective: 6/8/2010

Bluebook Citation: DHS OIG, OIG-10-93, Information Technology Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Statement Audit (2010)

Department of Homeland Security Office of Inspector General Information Technology Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Statement Audit OIG-10-93 June 2010 Office of Inspector General U.S. Department ofHomeland Security Washington, DC 25028 Homeland Security JUN - 8 ZUlU Preface The Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General Act of1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department. This report presents the information technology (IT) management letter for the FY 2009 U.S. Citizenship and Immigration Services (USCIS) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors J Report dated January 15, 2010 and presents the separate restricted distribution report mentioned in that report.

The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at USCIS in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 10,2010, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion on compliance with laws and regulations. The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation.

We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report. ~A Frank DeffePf- Assistant Inspector General Information Technology Audits KPMG LLP 2001 M Street, NW Washington, DC 20036 March 10, 2010 Inspector General U.S. Department of Homeland Security Chief Information Officer and Chief Financial Officer U.S. Citizenship and Immigration Services Ladies and Gentlemen: We have audited the consolidated balance sheet of the U.S. Citizenship and Immigration Services (USCIS), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of the consolidated financial statements of USCIS, in accordance with auditing standards generally accepted in the United States of America, we considered USCIS’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of USCIS’s internal control. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control.

In planning and performing our fiscal year 2009 audit, we considered USCIS’s internal control over financial reporting by obtaining an understanding of the design effectiveness of USCIS’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of USCIS’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. Our audit of USCIS as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties.

These matters are described in the IT General Control Findings by Audit Area section of this letter. KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative. The material weakness described above is presented in our Independent Auditors’ Report, dated January 15, 2010. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of USCIS gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. The Table of Contents on the next page identifies each section of the letter.

We have provided a description of key USCIS financial systems and IT infrastructure within the scope of the FY 2009 USCIS consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the USCIS Chief Financial Officer dated January 15, 2010. This communication is intended solely for the information and use of DHS and USCIS management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties. Very truly yours, Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 INFORMATION TECHNOLOGY MANAGEMENT LETTER TABLE OF CONTENTS Objective, Scope and Approach Summary of Findings and Recommendations IT General Control Findings by Audit Area Findings Contributing to a Material Weakness Deficiency in IT Configuration Management Security Management Access Controls Segregation of Duties Application Controls Management’s Comments and OIG Response APPENDICES Page 1 3 4 4 4 4 4 4 8 8 Appendix Subject Page A B C D E Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of the FY 2009 Financial Statement Audit 9 FY 2009 Notices of IT Findings and Recommendations at USCIS Notice of Findings and Recommendations – Definition of - Severity Ratings Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at USCIS Management’s Comments Report Distribution 11 12 21 23 29 Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 OBJECTIVE, SCOPE AND APPROACH We have audited the US Citizenship and Immigration Services (USCIS) balance sheet as of September 30, 2009. In connection with our audit of USCIS’s balance sheet we performed an evaluation of information technology general controls (ITGC), to assist in planning and performing our audit.

The U.S. Department of Homeland Security – Bureau of Immigration and Customs Enforcement (ICE) hosts key financial applications for USCIS. As such, our audit procedures over information technology (IT) general controls for USCIS included testing of the ICE’s Active Directory\Exchange (ADEX) network and the Federal Financial Management System (FFMS) policies, procedures, and practices, as well as USCIS policies, procedures and practices at USCIS Headquarters. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit. The scope of the USCIS IT general controls assessment is described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit.

FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment. � � � � � Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.

Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur. To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support USCIS general support systems.

1 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 In addition to testing the general control environment, we performed application control tests on a limited number of ICE’s financial systems and applications. The application control testing was performed to assess the controls that support USCIS financial systems’ internal controls over the input, processing, and output of financial data and transactions. � Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll. 2 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 SUMMARY OF FINDINGS AND RECOMMENDATIONS During FY 2009, we noted that USCIS made minimal progress in addressing its previously identified IT internal control weaknesses. Therefore, due to USCIS’s lack of prioritization of the issues, all seven (7) were reissued.

During our review, we continued to identify IT general control weaknesses that could potentially impact USCIS’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over the FFMS and the weaknesses over physical security and security awareness. Collectively, the IT control weaknesses limited USCIS’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over USCIS financial reporting and its operation and we consider them to collectively represent a material weakness for USCIS under standards established by the American Institute of Certified Public Accountants (AICPA).

In addition, based upon the results of our test work, we noted that USCIS did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA). Of the 19 findings identified during our FY 2009 testing, 12 were new IT findings. These findings represent weaknesses in four of the five FISCAM key control areas. Specifically, 1) a lack of strong password management and audit logging within the financial applications, 2) security management issues involving staff security training and exit processing procedure weaknesses, 3) inadequately designed and operating configuration management, and 4) the lack of effective segregation of duties controls within financial applications.

These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and USCIS financial data could be exploited thereby compromising the integrity of financial data used by management and reported in USCIS’s financial statements. USCIS management should ensure that there is emphasis placed on the completion, monitoring and enforcement of IT security-related policies and procedures. On-going measures to improve the IT security considerations for key financial systems utilized by USCIS and implement effective access controls, segregation of duties and configuration management controls need to be completed. While the recommendations made by KPMG should be considered by USCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

3 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 IT GENERAL CONTROL FINDINGS BY AUDIT AREA Findings Contributing to a Material Weakness Deficiency in IT During the FY 2009 financial statement audit, we identified the following IT control deficiencies that are considered a material weakness: 1. Configuration Management – we noted: � Security configuration management weaknesses on the Active Directory Exchange (ADEX). These weaknesses included default configuration settings, inadequate patches, and weak password management. Background investigations are not conducted in a timely manner.

Procedures for transferred/terminated personnel exit processing are not finalized. IT Security training is not mandatory nor is compliance monitored. 2. 3.

Security Management – we identified: � � � Access controls – we identified: � � Ineffective safeguards over physical access to sensitive facilities and resources. The following account management weaknesses over ADEX, CLAIMS 3 LAN, and CLAIMS 4: � � The lack of recertification of system administrators and system users. Inefficient definition and documentation of CLAIMS 3 LAN and CLAIMS 4 access roles were noted. � � � � User access is not documented and maintained for CLAIMS 3 LAN and CLAIMS 4. CLAIMS 3 LAN and CLAIMS 4 password configurations do not meet DHS requirements.

Terminated personnel still have active user accounts within CLAIMS 3 LAN and CLAIMS 4. Generic user accounts exist for the CLAIMS 3 LAN. � � Lack of policies and procedures for maintaining and reviewing CLAIMS 3 LAN and CLAIMS 4 audit logs. Lack of processes in place for sanitization of equipment and media. 4.

Segregation of Duties– we identified: � Segregation of duties controls were not enforced through access authorizations in CLAIMS 4. 4 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE’s information technology: 1. 2. Configuration Management: � Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities.

In addition, we recommend that ICE periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches. � � � � Perform vulnerability assessments and penetration tests on all offices of the ICE, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance. Develop a more thorough approach to track and mitigate configuration management and resource vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to their environment. Develop a process to verify that systems identified with “HIGH/MEDUIM Risk” configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false- positive.

All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant. Implement the corrective actions identified during the audit vulnerability assessment as identified in the issued NFR. Security Management: � Periodically review personnel files to confirm background investigations have been completed in accordance with DHS standards. � � � Adhere to exit clearance procedures and enforce personnel adherence in the event of transfer ermination. Implement mandatory requirements for IT security personnel to complete training consistent with their job duties.

Establish and implement requirements for personnel to complete Computer Security Awareness training annually. Also, develop a process to disable user accounts and access privileges for non compliant staff. 3. Access Controls: � Establish and implement emergency exit and re-entry procedures at the Technology Engineering Consolidation Center (TECC).

5 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 � � � � � � Implement effective physical access controls over the server cage which houses USCIS servers at the TECC. Conduct and document annual reviews of application users and users with system administrator access to ADEX. Establish and enforce procedures for the completion and maintenance of user access forms for CLAIMS 3 LAN and CLAIMS 4 across all service centers. Establish a process to ensure CLAIMS 3 LAN and CLAIMS 4 are configured to meet DHS password configuration requirements.

Develop and implement policies and procedures to remove terminated users and generic accounts from the CLAIMS 3 LAN. Establish a process to review and maintain system audit logs. 4. Segregation of Duties: � Define and document the policies and procedures for identifying and approving CLAIMS 4 user roles\profiles to include user responsibilities and segregation of duties initiatives.

USCIS

Specific Recommendations: 5. We recommend that the offices of the USCIS CIO, ICE CIO, and DHS CIO coordinate to develop an Interagency Agreement for the ICE/USCIS relationship. The agreement should be developed using appropriate guidance from NIST 800-53. Specific to this NFR, the Interagency Agreement should document the processes by which ICE will notify USCIS of its planned remediation of the ADEX security vulnerabilities.

USCIS should further take a proactive approach in monitoring the resolution of the ADEX vulnerabilities. 6. The USCIS CIO should ensure that USCIS has a sound understanding of the ICE security vulnerabilities that affect USCIS data integrity. USCIS should then develop remediation plans and compensating controls, as applicable, to address potential data integrity issues.

For example, more frequent reconciliation of financial accounts may be required. Cause\Effect: The ICE agency is not continuously monitoring the ICE ADEX General Support System (GSS) vulnerability assessment scans for patch and configuration management vulnerabilities. USCIS management has not proactively coordinated with ICE to establish a detailed and documented Interagency Agreement for the IT services provided by ICE. As a result, default configuration installations and unnecessary services operating on the ICE ADEX devices increases the ability to compromise the availability, integrity, and confidentiality of financial data on the network.

Additionally, failure to apply critical vendor security patches exposes system and network devices to new and existing vulnerabilities. This can expose the information system controls environment 6 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 to security breaches, unauthorized access, service interruptions, and denial of service attacks. These weak IT controls at ICE, specifically with ADEX, have a direct and significant negative impact on USCIS financial data integrity. Consequently, USCIS requires additional resources to implement compensating controls needed to ensure fair presentation of its financial statements.

Due to a lack of USCIS management oversight, the controls environment remains weak and needs overall improvement. The lack of a strong controls environment increases the risk of improper handling of sensitive information, unauthorized access to financial data, improper staff training, and improper segregation of duties and least privilege principles. Reasonable assurance should be provided that system user access levels are limited and monitored for appropriateness. The weaknesses identified within USCIS’s access controls increases the risk that staff may have access to a system that is outside the realm of their job responsibilities.

This access could allow a person to intentionally or inadvertently use various functions to alter the integrity of executable files and scripts within the financial system. Criteria: The Federal Information Security Management Act (FISMA) passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.

The purpose of FFMIA is to: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year’s IT audit we assessed the DHS component’s compliance with DHS Sensitive System Policy Directive 4300A. 7 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 APPLICATION CONTROL FINDINGS We did not identify any IT findings in the area of application controls during the FY 2009 Financial Statement Audit Engagement. MANAGEMENT’S COMMENTS AND OIG RESPONSE We obtained written comments on a draft of this report from the USCIS management.

USCIS management agreed with our findings and recommendations. USCIS management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D. OIG Response We agree with the steps that USCIS management is taking to satisfy these recommendations. 8 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix A Appendix A Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of the FY 2009 Financial Statement Audit 9 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix A Below is a description of significant USCIS and ICE financial management systems and supporting information technology (IT) infrastructure included in the scope of USCIS’s fiscal year (FY) 2009 Financial Statement Audit.

Locations of Review: USCIS Headquarters, Washington, DC; Verizon Data Center, Manassas, VA; Vermont Service Center, Burlington, VT. ICE Headquarters, Washington, DC; The Burlington Finance Center (BFC), Burlington, VT; Department of Commerce (DOC) Office of Computer Services (OCS), Springfield, VA. Systems Subject to Audit: � Federal Financial Management System (FFMS): It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. � � ICE Network: The ICE Network, also known as the Active Directory\Exchange (ADEX) E-mail System, is the general support system (GSS) for ICE and other DHS components, such as the USCIS.

Computer-Linked Application Management System (CLAIMS)3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont, and the National Benefits Center). � CLAIMS 4: The system is a client/server application that tracks and manages naturalization applications. The central Oracle Database is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices. 10 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix B FY 2009 Notices of IT Findings and Recommendations at USCIS Appendix B 11 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix B Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings: Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors Report.

1 – Not substantial 2 – Less significant 3 – More significant The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes. These rating are provided only to assist USCIS in the development of its corrective action plans for remediation of the deficiency. 12 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit B x i d n e p p A 2 2 2 2 y t i r e v e S g n i t a R X X X X t a e p e R e u s s I e u s s I w e N s u o i r a v e h t t n e m u c o d d n a e n i f e d d e t a i c o s s a r i e h t d n a s e l o r N A L o t 3 e u n i t n o C I S M A L C ) C B N ( r e t n e C s t i f e n e B l a n o i t a N e h t d e t c e p s n i e W s e i t i l i b i s n o p s e r / e l o r r e s u N A L 3 I S M A L C ­ T I - S I C 1 0 - 9 0 . s r e t n e c e c i v r e s g n i n i a m e r e h t r o f s e i t i l i b i s n o p s e r s g n i t t e s m e t s y s e h t t a h t d e n i m r e t e d d n a n o i t a t n e m u c o d t o n o d m e t s y s e h t n i h t i w s e l o r r e s u d e n g i s s a d n a . s e i t i l i b i s n o p s e r r e s u d e t n e m u c o d t c e l f e r y l e t a r u c c a s e r u d e c o r p d n a s e i c i l o p t n e m e l p m i d n a h s i l b a t s E r e s u N A L 3 I S M A L C c i d o i r e p m r o f r e p t o n s e o d C B N 3 s m i a l C f o n o i t n e t e r d n a , g n i w e i v e r , g n i l d n a h r o f s s e c c a f o l e v e l ' s r e s u t a h t e r u s n e o t s w e i v e r s s e c c a ­ T I - S I C 2 0 - 9 0 . s m r o f t s e u q e r t n u o c c a r e s u N A L s e r u d e c o r p o n e r a e r e h t d n a e t a i r p o r p p a s n i a m e r . s w e i v e r c i d o i r e p g n i m r o f r e p r o f d e h s i l b a t s e e h t r o f s e r u d e c o r p e c r o f n e d n a h s i l b a t s E e h t d n a ) Q H ( s r e t r a u q d a e H S I C S U e h t t a t n e m e g a n a M s m r o f s s e c c a r e s u f o e c n a n e t n i a m d n a n o i t e l p m o c r o d e t e l p m o c t o n s a h t n o m r e V , r e t n e C e c i v r e S e h t l l a r o f 4 I S M A L C d n a N A L 3 I S M A L C r o f 3 S M A L C I r o f s m r o f s s e c c a d e t n e m u c o d y l e t a u q e d a n i ­ T I - S I C 3 0 - 9 0 . s r e t n e c e c i v r e s . s r e s u m e t s y s I , 4 S M A L C d n a N A L y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S n o i t a d n e m m o c e R n o i t i d n o C # R F N s r e s u l l a f o s w e i v e r l a u n n a t n e m u c o d d n a t c u d n o C a d e t n e m u c o d r o d e n i a t n i a m t o n s a h Q H S I C S U e h T . s s e c c a r o t a r t s i n i m d a m e t s y s y r o t c e r i D e v i t c A h t i w s s e c c a s ’ r o t a r t s i n i m d a m e t s y s f o n o i t c e l e s . s m r o f n o i t a z i r o h t u a ­ T I - S I C 4 0 - 9 0 3 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A 2 y t i r e v e S g n i t a R X t a e p e R e u s s I e u s s I w e N y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S a i d e m p u k c a b t n e m e l p m i d n a h s i l b a t s E . s e i c i l o p n o i t a t o r d n a n o i t n e t e r d n a t i x e y c n e g r e m e t n e m e l p m i d n a h s i l b a t s E . s e r u d e c o r p y r t n e - e r s e c r u o s e r l l a s e r u s s a t a h t s s e c o r p a p o l e v e D o t e r e h d a s e c r u o s e r S I C S U e h t o t s s e c c a h t i w . e r u d e c o r p d n a y c i l o p e h t s l o r t n o c s s e c c a l a c i s y h p r e g n o r t s t n e m e l p m I r e h t r u f t n e v e r p o t r o o d e g a c r e v r e s e h t r e v o s s e c c a d e z i r o h t u a n u � � � � d e w o l l a r e n n a c s n o i t i n g o c e r l a i c a f c i r t e m o i b e h T , m o o r r e v r e s S I C S U o t s s e c c a l e n n o s r e p d e z i r o h t u a n u d n a , n o i t a z i r o h t u a , l a v o m e r g n i d r a g e r s e r u d e c o r p d n a r o f e c a l p n i t o n e r a a i d e m p u k c a b S I C S U f o g n i g g o l r e t n e C n o i t a d i l o s n o C g n i r e e n i g n E y g o l o n h c e T e h t ­ T I - S I C 6 0 - 9 0 . ) C C E T ( n o i t a d n e m m o c e R n o i t i d n o C # R F N 2 2 2 X X s e r u d e c o r p d n a s e i c i l o p r i e h t e z i l a n i f d n a e t a d p U e h t s e n i l t u o t a h t y c i l o p a d e z i l a n i f t o n s a h S I C S U n o i t a z i t i n a s a i d e m t n e r r u c r i e h t t c e l f e r o t . n o i t a r e p o g n i k c a r t d n a g n i l e b a l r o f s m r o f g n i p o l e v e d r o f s s e c o r p s n o i t c u r t s n i r a e l c d e d i v o r p r o s s e c o r p n o i t i s o p s i d . a t a d f o s e g r u p r o s e p i w a i d e m g n i t c u d n o c e h t r o f y l e m i t e r o m a h s i l b a t s e d l u o h s t n e m e g a n a M r o t a r t s i n i m d a m e t s y s s t i y f i t r e c e r t o n s e o d S I C S U r e s u d n a n o i t a z i r o h t u a r e p o r p g n i r u s n e s t n u o c c a . g n i n i a r t f o w e i v e r c i d o i r e p a m r o f r e p o t s s e c o r p . s i s a b l a u n n a n a n o s t n u o c c a X S I C S U t a h t e r u s n e o t s s e c o r p a h s i l b a t s E S H D m u m i n i m t e e m o t d e r u g i f n o c e r a s m e t s y s . s t n e m e r i u q e r d n a s n o i t a r u g i f n o c d r o w s s a p 3 I S M A L C o t s t n u o c c a c i r e n e g l l a e v o m e R c i d o i r e p m r o f r e p d n a s m e t s y s n o i t c u d o r p N A L e r u s n e o t t s i l s s e c c a r e s u e h t f o s w e i v e r . e c n a i l p m o c � � h t g n e l d n a e s u - e r d r o w s s a p N A L 3 I S M A L C . s d r a d n a t s S H D t e e m t o n s e o d s n o i t a r u g i f n o c y l e m i t t o n s a w s t n u o c c a r e s u c i r e n e g N A L 3 S M A L C I t n u o c c a r e s u f o k c a l a f o e s u a c e b d e v o m e r . n o i t a c i f i t r e c e r ­ T I - S I C 7 0 - 9 0 ­ T I - S I C 8 0 - 9 0 ­ T I - S I C 9 0 - 9 0 4 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N 2 2 2 2 X X X X y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S o t s s e c o r p a h s i l b a t s e S I C S U t a h t d n e m m o c e r e W s e o d s g n i t t e s n o i t a r u g i f n o c d r o w s s a p N A L 4 S M A L C I t e e m o t d e r u g i f n o c s i N A L 4 I S M A L C e r u s n e . s d r a d n a t s n o i t a r u g i f n o c d r o w s s a p A 0 0 3 4 S H D . s d r a d n a t s d r o w s s a p A 0 0 3 4 S H D t e e m t o n ­ T I - S I C 0 1 - 9 0 n o i t a d n e m m o c e R n o i t i d n o C # R F N . s d r a d n a t s S H D h t i w e c n a d r o c c a n i d e t e l p m o c n e e b e v a h s n o i t a g i t s e v n i d n u o r g k c a b . 5 2 f o e l p m a s a m o r f l e n n o s r e p e r i h w e n t n e m e g a n a m S I C S U t a h t d n e m m o c e r e W d n u o r g k c a b e t a u q e d a n i n a t a h t d e i f i t n e d i e W m r i f n o c o t s e l i f l e n n o s r e p w e i v e r y l l a c i d o i r e p e n o r o f d e t n e m u c o d d n a d e m r o f r e p s a w n o i t a g i t s e v n i ­ T I - S I C 1 1 - 9 0 . n o i t a n i m r e t / r e f s n a r t f o t n e v e n a n i m e h t w o l l o f S I C S U d e r r e f s n a r t / d e t a n i m r e t 8 2 e h t f O .

S I C S U o t o t e r e h d a t n e m e g a n a m S I C S U t a h t d n e m m o c e r e W l e n n o s r e p e r i u q e r d n a s e r u d e c o r p e c n a r a e l c t i x e d a h h t i w t a h t l e n n o s r e p f o e l p m a s a d e t c e p s n i e W t n e m y o l p m e r i e h t m o r f d e r r e f s n a r t / d e t a n i m r e t ­ T I - S I C 2 1 - 9 0 r o f s e r u d e c o r p t n e m e l p m i d n a h s i l b a t s E s ’ T I O e h t g n i z i r o h t u a d n a g n i n i a t n i a m . t s i l s s e c c a m o o r r e t u p m o c a i d e m p u k c a b t n e m e l p m i d n a h s i l b a t s E . s e i c i l o p n o i t a t o r d n a n o i t n e t e r r o t i s i v r e v o y c a r u c c a d n a s s e n e t e l p m o c e c r o f n E . s g o l n i n o i t a m r o f n i � � � e v i t c e f f e n i s a h ) C S V ( r e t n e C e c i v r e S t n o m r e V f o e c i f f O e h t n i m o o r r e t u p m o c e h t r e v o s d r a u g e f a s s e r u d e c o r p C S V . ) T I O ( y g o l o n h c e T n o i t a m r o f n I f o g n i g g o l d n a n o i t a z i r o h t u a , l a v o m e r e h t g n i d r a g e r r o f s e r u d e c o r p C S V . e c a l p n i t o n e r a a i d e m p u k c a b s g o l r o t i s i v r e v o s s e n e t e l p m o c d n a y c a r u c c a g n i r u s n e . d e c r o f n e t o n e r a ­ T I - S I C 3 1 - 9 0 t i x e h t i w e c n a i l p m o c f o e c n e d i v e , d e l p m a s l e n n o s r e p 9 1 r o f d e d i v o r p e b t o n d l u o c s e r u d e c o r p e c n a r a e l c . s e e y o l p m e 5 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S 2 y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N n o i t a d n e m m o c e R n o i t i d n o C # R F N X e c r o f n e d n a h s i l b a t s e S I C S U t a h t d n e m m o c e r e W r u o n i , S M F F r o f s l o r t n o c s s e c c a f o g n i t s e t r u o g n i r u D d n a s e l o r t a h t e r u s n e t a h t s e r u d e c o r p d n a s e i c i l o p s s e c c a s ’ r e s u e n o d e t o n e w , s r e s u e v i t c a 5 2 f o e l p m a s b o j r i e h t h t i w e t a r u s n e m m o c e r a s e i t i l i b i s n o p s e r r i e h t y b d e v o r p p a s s e c c a e h t n o d e s a b , e v i s s e c x e s a w ­ T I - S I C 4 1 - 9 0 . n o i t c n u f e l i f o r p s ’ r e s u s i h t t a h t d e n r a e l e W . r o s i v r e p u s t n e s e r p e c i v r e s t n e r e f f i d a o t d e t a c o l e r r e s u e h t s a d e g n a h c s a w s a w e g n a h c e l i f o r p e h t n e h w , r e v e w o H . r e t n e c l l a e v o m e r t o n d i d r o t a r t s i n i m d a S M F F e h t , d e t s e u q e r e r e w s t h g i r s s e c c a e h t t a h t e r u s s a r o n s s e c c a s u o i v e r p d a h r e s u e h t , t l u s e r a s A . d e z i r o h t u a d n a t n e r r u c . s e i t i l i b i s n o p s e r d n a e l o r r e h r o f s e g e l i v i r p e v i s s e c x e s i h t t c e l f e r t o n d i d P O S S I C S U e h t t a h t d e t o n o s l a e W e h t t a h t y r i u q n i h g u o r h t d e n r a e l e w h g u o h t e r u d e c o r p r o i r p l l a e v o m e r o t d e r i u q e r e r a s r o t a r t s i n i m d a S M F F . e g n a h c e l i f o r p a g n i m r o f r e p n e h w s s e c c a y b d e d n o p s e r S I C S U , k r o w t s e t r u o f o t l u s e r a s A e l o r s ’ r e s u e h t t c e l f e r o t s s e c c a e v i s s e c x e e h t g n i v o m e r r i e h t d e t a d p u S I C S U , n o i t i d d a n I . s e i t i l i b i s n o p s e r d n a d n a d e m r i f n o c e b o t s s e c c a s u o i v e r p l l a e r i u q e r o t P O S . s e l o r s s e c c a w e n g n i t n a r g o t r o i r p d e v o m e r 2 X e c r o f n e d n a h s i l b a t s e S I C S U t a h t d n e m m o c e r e W e h t r e v o s e i c i l o p g n i g g o l t i d u a f o k c a l a d e i f i t n e d i e W d n a e c n a n e t n i a m r o f s e r u d e c o r p d n a s e i c i l o p d n a 3 I S M A L C e h t r o f s g o l r e v r e s d n a n o i t a c i l p p a ­ T I - S I C 5 1 - 9 0 . g n i g g o l t i d u a f o w e i v e r . m e t s y s N A L 4 S M A L C I 6 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A 2 y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N X d n a s e i c i l o p t n e m e l p m i y l l a c i d o i r e p , g n i l d n a h e h t r e s u 4 I S M A L C g n i n i a t e r d n a r o f d n a s e r u d e c o r p , g n i w e i v e r h s i l b a t s E . s m r o f t s e u q e r t n u o c c a s e r u d e c o r p d n a s e i c i l o p t n e m u c o d d n a e n i f e D r e s u 4 I S M A L C g n i v o r p p a d n a g n i y f i t n e d i r o f s ’ r e s u e h t e d u l c n i d n a s e i c i l o p e h t , n o i t i d d a o t n I . s e i t i l i b i s n o p s e r s e l i f o r p / s e l o r t n e m e l p m i d n a s s e r d d a d l u o h s s e r u d e c o r p . s e r u d e c o r p s e i t u d f o n o i t a g e r g e s e h t r o f s e r u d e c o r p d n a s e i c i l o p p o l e v e D n i h t i w s r e s u d e t a n i m r e t / d e r r e f s n a r t f o l a v o m e r . S I C S U m o r f n o i t a r a p e s r i e h t n o p u 4 S M A L C I � � � r o f s l o r t n o c s s e c c a n i h t i w s e s s e n k a e w d e i f i t n e d i e W g n i y f i t r e c e r r o f s e r u d e c o r p f o k c a l r e v o 4 I S M A L C d n a e g e l i v i r p t s a e l f o e c n e d i v e f o k c a l , s s e c c a r e s u l a v o m e r y l e m i t n u d n a , s l o r t n o c s e i t u d f o n o i t a g e r g e s . s t n u o c c a l e n n o s r e p d e t a n i m r e t f o ­ T I - S I C 6 1 - 9 0 y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S n o i t a d n e m m o c e R n o i t i d n o C # R F N 2 2 2 X X X t n e m e g a n a m S I C S U t a h t d n e m m o c e r e W f o s g n i n i a r t y l h t n o m n i h t i w s e s s e n k a e w d e i f i t n e d i e W T I r o f s t n e m e r i u q e r g n i n i a r t y r o t a d n a m t n e m e l p m i t n e t s i s n o c g n i n i a r t e t e l p m o c o t l e n n o s r e p y t i r u c e s . s e i t u d n o i t c n u f b o j r i e h t h t i w . s O S S I ’ S I C S U ­ T I - S I C 7 1 - 9 0 3 I S M A L C n i h t i w s r e s u d e t a r a p e s f o l a v o m e r l l i t s d n a S I C S U m o r f d e t a r a p e s e r e w h c i h w s r e s u p o l e v e d t n e m e g a n a m S I C S U t a h t d n e m m o c e r e h t r o f s e r u d e c o r p d n a s e i c i l o p t n e m e l p m i e W d n a o t d e t a l e r t s i x e s e s s e n k a e w t a h t d e n i m r e t e d e W 1 2 d e i f i t n e d i e w , y l l a c i f i c e p S . s s e c c a N A L 3 S M A L C I ­ T I - S I C 8 1 - 9 0 . n o i t a r a p e s r i e h t n o p u N A L . N A L 3 M A L C e h t I o t s s e c c a d e n i a t e r r o f s t n e m e r i u q e r t n e m e l p m i d n a h s i l b a t s E y t i r u c e S r e t u p m o C e t e l p m o c o t l e n n o s r e p . y l l a u n n a g n i n i a r T s s e n e r a w A d n a s t n u o c c a r e s u e l b a s i d o t s s e c o r p a p o l e v e D S H D h t i w e c n a d r o c c a n i s e g e l i v i r p s s e c c a . e c n a i l p m o c n i t o n s e e y o l p m e r o f s e i c i l o p � � o t d e r i u q e r e r e w t a h t l e n n o s r e p f o e l p m a s a d e t s e t e W s s e n e r a w A y t i r u c e S r e t u p m o C l a u n n a e t e l p m o c ) 0 3 ( y t r i h t e h t f O . r a e y l a c s i f e h t g n i r u d g n i n i a r T t o n d l u o c e c n a i l p m o c f o e c n e d i v e , d e l p m a s l e n n o s r e p , y l l a n o i t i d d A . s e e y o l p m e ) 2 ( o w t r o f d e d i v o r p e b s t n u o c c a r e s u e l b a s i d o t e c a l p n i t o n e r a s e r u d e c o r p ­ T I - S I C 9 1 - 9 0 7 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N n o i t a d n e m m o c e R n o i t i d n o C # R F N t o n s i g n i n i a r t l a u n n a f i s e g e l i v i r p s s e c c a d n a . s i s a b y l e m i t a n o d e t e l p m o c f o e s a e l e r t i d u a S H D t r o p e r d e u s s I r e t f a - A N \ s e e y o l p m e n i a r t d n a s e r u d e c o r p e t u b i r t s i d e R g n i t a g i t i m d n a g n i r o t i n o m y l s u o u n i t n o c n o d n e m m o c e r e w , n o i t i d d a n I . s e i t i l i b a r e n l u v f o e c n e t s i x e e h t r o t i n o m y l l a c i d o i r e p E C I t a h t g n i n n u r s l o c o t o r p d n a s e c i v r e s y r a s s e c e n n u n i , s e c i v e d k r o w t e n d n a s r e v r e s r i e h t n o . s e h c t a p g n i y o l p e d o t n o i t i d d a d n a s t n e m s s e s s a y t i l i b a r e n l u v m r o f r e P , E C I e h t f o s e c i f f o l l a n o s t s e t n o i t a r t e n e p a h t i w n o i t a c o l d e g a n a m y l l a r t n e c a m o r f t a h t m s i n a h c e m g n i t r o p e r d e z i d r a d n a t s d e l u d e h c s y l r a l u g e r a n o , g n i d n e r t r o f s w o l l a . e c n a d i u g T S I N h t i w e c n a d r o c c a n i s i s a b k c a r t o t h c a o r p p a h g u o r o h t e r o m a p o l e v e D t n e m e g a n a m n o i t a r u g i f n o c e t a g i t i m d n a y l h t n o m g n i r u d d e i f i t n e d i s e i t i l i b a r e n l u v y t i l i b a r e n l u v e h t r o t i n o m d l u o h s E C I . s n a c s d e r i u q e r r o y r a s s e c e n r o f s t r o p e r . t n e m n o r i v n e r i e h t o t s e g n a h c n o i t a r u g i f n o c � � 8 1 � , . e . i ( s e s s e n k a e w t n e m e g a n a m n o i t a r u g i f n o c y t i r u c e s n o i t a r u g i f n o c t c e r r o c n i d n a s e h c t a p y t i r u c e s g n i s s i m . E C I e h t g n i t r o p p u s s t s o h n o t s i x e ) s g n i t t e s t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I X c i f i c e p s e h t g n i s s e r d d a o t n o i t i d d a n I E C I , n o i t i d n o c e h t n i d e i f i t n e d i s e i t i l i b a r e n l u v : d l u o h s o t t a h t d e t a l e r , s e i t i l i b a r e n l u v k s i R m u i d e M / h g i H d e n i m r e t e d e W . t n e m e g a n a m n o i t a r u g i f n o c f o s t r o f f e t n e m s s e s s a y t i l i b a r e n l u v l a n r e t n i e h t g n i r u D l a r e v e s d e i f i t n e d i e w s m e t s y s d n a s r e v r e s k r o w t e n ­ T I - S I C 0 2 - 9 0 B x i d n e p p A y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S s m e t s y s t a h t y f i r e v o t s s e c o r p a p o l e v e D � y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N n o i t a d n e m m o c e R n o i t i d n o C # R F N ” k s i R I M U D E M H G H “ I / h t i w d e i f i t n e d i n o r a e p p a t o n o d s e i t i l i b a r e n l u v n o i t a r u g i f n o c n a c s d n a d e i f i r e v e r a y e h t s s e l n u , s t r o p e r y t i l i b a r e n l u v y l h t n o m t n e u q e s b u s s k s i r l l A . e v i t i s o p - e s l a f a s a d e t n e m u c o d e b d l u o h s s n a c s y l h t n o m e h t g n i r u d d e i f i t n e d i o t d e w o l l a e b t o n d n a , y l e t a i d e m m i d e t a g i t i m S I C S U e h t f o s e c i f f o e h t t a h t d n e m m o c e r e W o t e t a n i d r o o c O C I S H D d n a , O C I E C I , O C I e h t r o f t n e m e e r g A y c n e g a r e t n I n a p o l e v e d t n e m e e r g a e t a i r p o r p p a e h T . p i h s n o i t a l e r g n i s u d e p o l e v e d S I C S U E C / I e b d l u o h s s i h t o t c i f i c e p S .

3 5 - 0 0 8 T S I N m o r f e c n a d i u g d l u o h s t n e m e e r g A y c n e g a r e t n I e h t , R F N l l i w E C I h c i h w y b s e s s e c o r p e h t t n e m u c o d e h t f o n o i t a i d e m e r d e n n a l p s t i f o S I C S U y f i t o n d l u o h s S I C S U . s e i t i l i b a r e n l u v y t i r u c e s X E D A n i h c a o r p p a e v i t c a o r p a e k a t r e h t r u f X E D A e h t f o n o i t u l o s e r e h t g n i r o t i n o m . s e i t i l i b a r e n l u v s a h S I C S U t a h t e r u s n e I d l u o h s O C S I C S U e h T y t i r u c e s E C I e h t f o g n i d n a t s r e d n u d n u o s a a t a d S I C S U t c e f f a t a h t s e i t i l i b a r e n l u v p o l e v e d n e h t d l u o h s S I C S U . y t i r g e t n i , s l o r t n o c g n i t a s n e p m o c d n a s n a l p n o i t a i d e m e r � � . t n a m r o d n i a m e r : d l u o h s S I C S U 9 1 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I B x i d n e p p A y t i r u c e S d n a l e m o H f o t n e m t r a p e D s e c i v r e S n o i t a r g i m m I d n a p i h s n e z i t i C s e t a t S d e t i n U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 9 0 0 2 , 0 3 r e b m e t p e S a t a d l a i t n e t o p s s e r d d a o t , e l b a c i l p p a s a t n e u q e r f e r o m , e l p m a x e r o F . s e u s s i y t i r g e t n i e b y a m s t n u o c c a l a i c n a n i f f o n o i t a i l i c n o c e r . d e r i u q e r y t i r e v e S g n i t a R t a e p e R e u s s I e u s s I w e N n o i t a d n e m m o c e R n o i t i d n o C # R F N 0 2 t i d u A t n e m e t a t S l a i c n a n i F S I C S U 9 0 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix C Appendix C Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at USCIS 21 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix C NFR No. Description Disposition Closed Repeat CIS-IT-08-01 CIS-IT-08-02 Lack of Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN Periodic CLAIMS 3 LAN User Access Reviews are not Performed at the NBC CIS-IT-08-03 CIS-IT-08-04 CIS-IT-08-06 CIS-IT-08-07 CIS-IT-08-08 Incomplete or Inadequate Access Request Forms for CLAIMS 3 LAN, CLAIMS 4, and CISCOR System Users at Headquarters and the Service Centers Ineffective Controls for Restricting Security Software Exist Weak Data Center Access Controls Equipment and Media Policies and Procedures are not Current Weak Access Controls for Security Software Exist 09-01 09-02 09-03 09-04 09-06 09-07 09-08 22 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security United States Citizenship and Immigration Services Information Technology Management Letter September 30, 2009 Appendix D Appendix D USCIS Management’s Comments 23 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix D U.S. Ut.>llartmcnl of Ilumcl:md St'curilJ U.S. Cnizcnship :lml IrnrlllgrauQn Sen ices Ubic/! ufl/I/! Cltif'f"!forl/ltl//Ull Ubic<'" Waihwgtol1. DC 2052') u.s. Citizenship and Irrunigration Services April 28. 2010 Memorandum TO: Frank Deffer Assistant Inspector General for Information Technology Audit U.S. Dcpartment of Homeland Security FROM: LeSlie Hope V C'hief Inform ,-1/ IJ;~ ati[ b'mccr, Acting SUBJ ECT: Managcment Rcsponse to the IT Managemcnt Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integrated Audit We would like to thank you for the opp0rlunity to review and comment on the rr Managcment Leiter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integratcd Audit.

USCIS requests that your Office make the following changes to the Independent Auditor's IT Management Letter report. Except for the items notcd below, USCIS agrees <lnd accepts all finding, cOl11ments. and conclusions the independent auditors exprcssed in the IT Management Letter report. Findings Contributing to .a Material Weakness Deficiencv in IT During the FY 2009 financial statemcnt audit, we identified the following IT control deficiency that is considered a material weakness: I. Configuration Management - we noted: • Security configuration management weakncsses on the Active Directory Exchangc (ADEX). These weaknesses included default configuration scttings, inadequate patchcs, and weak password management.

Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Infonnation Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Oflice www.u:.cis.go\, 24 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix D Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integrated Audit Page 2 of the Chieflnfonnation Officer, make the following improvemems to ICE's infonnation technology security program: Suggested Change: "During the FY 2009 financial statement audit, we identified that the Immigration and Customs Enforcement (ICE) Headquarters hosts the Active Directory Exchange (ADEX), General Support System (GSS) and a key financial application for USCIS. We identified the following ICE IT control deficiencies that significantly impact USCIS and are considered material weaknesses: I. Configuration Management - we noted: Several HighlMedium risk vulnerabilities related to configuration management were identified. • Security configuration management weaknesses on the ICE's ADEX. These weaknesses included default configuration settings, inadequate patches, and weak password management. Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chieflnfonnation Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office orChid Financial Officer and the ICE Office of the Chief Infonnation Officer, make the following improvemcnts to ICE's infonnation technology security program: "ICE Specific Recommendations" Your recommendation statement alludes to USCIS having control over actions to be perfonned by ICE.

Recommendations I through 5 are strictly ICE's actions within their control. Your statement does not clearly identify these as actions ICE must take. Other Findings The following IT and financial system control deficiencies that contributed to a material weakness are noted below: I. Securily Management - we identified: • Background investigations are not conducted in a timely manner. • • Procedures for transferredltenninated personnel exit processing are not finalized. IT Security training is not mandatory nor is compliance monitored...

Recommendations: We recommend that the USCIS CIO and CFO, in coordination with the DHS Office of Chief Financial Officer and the DHS Office ofthc Chieflnfonnation Officer, make the 25 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix D Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship and Immigntion Services Financial Integrated Audit Page 3 following improvements to USCIS' financial management systems and associated information technology security program." Response Comment; USCIS has realigned its mission support activitics undcr an Associate Director Management. The new Associate Director has taken action to correct the three deficiencies under his span of control. Appendix A Systems SubjectJO Audit • Computer Linked Application Management System (CLAIMS) 3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and U, Immigntion Act of 1990 (IMMACT 90) and USCIS fonns improvement projects. The Claims 3 LAN is located at each of the service centC13 (Nebraska, California, Texas., Vermont) and the National Benefits Center.

Suggested Change: • Computer Linked Application Management System (CLAIMS) 3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS fonns improvement projccts. The CLAIMS 3 LAN is located at each of the service centers (i.e., Nebraska, California, Texas, and Vermont) and the National Benefits Center. Appendix B - Notice of Findings and Recommendations Table NFR II; CIS-IT-09-04 Condition; The USCIS HQ has not maintained or documented a selection of system administrator's access authorization forms. Recommendation: Conduct and document annual reviews of all users with Active Directory systems administrator access." Suggested Ch3llge: Condition: The USCIS has not maintained or documented a selection ofADEX system administrator's access authorization fonns.

Recommendation: Conduct and document annual reviews of all users with Active Directory systems administrator access in coordination with ICE." 26 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix D Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship and Immigrntion Services Financial Integrated Audit NFR #: CIS-IT-09-08 Condition: USCIS does not recertify its systcm administrator accounts on an annual basis. Suggested Change: Condition: USCIS does not recertify its Local PICS Officer (LPO) accounts on an annual basis. NFR #: CIS·IT·09·10 Condition: CLAIMS 4 LAN password configuration settings does not meet DHS 4300A password standards. Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN is configured to meet DHS 4300A password configuration standards.

Suggested Change: Condition: CLAIMS 4 password configuration setting for password history does not meet DHS 4300A password standards. Recommendation: We recommend CLAIMS 4 password history selling be changed from 6 generations to 8 generations to meet DHS 4300A password configuration standards. NFR II: CIS-IT-II and CIS-IT-12 Note: The OCIO is not the owner ofthcse processes. These NFRs were signed by and are the responsibility of the Office of Security and Integrity (OSI) and the Office of Human Capital and Training (HCT).

NFR #: CIS-IT-09-14 Note: The OCIO is not the owner of this process. This NFR was signed by and is the responsibility of the OCFO. They grant, remove, and monitor access to FFMS. NFR II: CIS·IT·OS·OJ Description: Lack of Definition and Documentation of Access Roles at the National Benefits Center for CLAlMS 3 LAN.

NFR II: CIS~IT-08-04 Description: Ineffective Controls for Restricting Security Software Exist. NFR#: CIS-IT-08-08 Description: Weak Access Controls for Security Software Exist. 27 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix D Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integrated Audit PageS Suggested Change: NFR #: CIS-IT-OS-Ql Description: Inefficient Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN. As stated, it gives the impression that Definition and Documentation of Access Roles do not exist.

NFR #: CIS-IT-08-04 Description: Periodic Active Directory and Eltchange (ADEX) system administrator access reviews are not perfonned at USCIS. As stated, it gives the impression all controls related to security software are ineffective. The signed NFR specifically addresses ADEX. NFR #: CIS·IT·08·08 Description: Weak Access Controls for Security Software Eltist within the Password Issuance and Control System (PIeS).

As stated. it gives the impression all controls related to security software are weak. The signed NFR specifically addresses PICS. USCIS is committed to resolving all control deficiencies and weaknesses idenlified in the audit and have prepared Mission Action Plans to resolve and improve the Agency's infomtation technology controls. USCIS appreciates the cooperation and respect that your staff provided during the course of the audit and looks forward to continuing our strong working relationship with your office.

If you have any questions regarding our comments, plcase cOnlnct Leslie Hope, Acting Chief Infonnation Officer at (202) 272-1018. 28 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix E Appendix D Report Distribution 29 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2009 Appendix E Report Distribution Department of Homeland Security Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Director, USCIS DHS Chief Information Officer DHS Chief Financial Officer Associate Director-Management, USCIS Acting Chief Financial Officer, USCIS Acting Chief Information Officer, USCIS Chief Information Security Officer Assistant Secretary, Policy Assistant Secretary for Public Affairs Assistant Secretary for Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison USCIS Audit Liaison Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees as Appropriate 30 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at: DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528. The OIG seeks to protect the identity of each writer and caller.

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.