Controls Over Operating System and Security Software Supporting the Defense Finance and Accounting Service

Abstract : This is the final in a series of three audits of management controls over the operating systems and security software used by the information processing centers that support the Defense Finance and Accounting Centers (DFAS). The audit concentrated on the operating system and security software used by four organizations to provide computer support to the DFAS Centers in Kansas City, Missouri (DFAS- Kansas City), and Denver, Colorado (DFAS-Denver). Those two DFAS Centers make about $22.6 billion in annual payments on more than 390,000 payroll accounts. The four organizations audited were the Defense Information Services Organization (DISO) Information Processing Center in Kansas City, Missouri (DISO-Kansas City); the DFAS Financial Systems Activity in Pensacola, Florida (DFAS-Pensacola); and the Marine Corps Computer and Telecommunications Activity (MCCTA) and its Worldwide Support Division, both in Quantico, Virginia. Objective. Our objective was to determine whether management controls over selected features of the operating system and security software used on the production and test systems were adequate to safeguard the integrity of DFAS data. To accomplish this objective, we evaluated nine operating system features and management controls to determine whether unauthorized functions could be performed. We also reviewed the implementation of security software to determine whether controls prevented unauthorized personnel from gaining access to the systems, and authorized users from accessing unauthorized programs and data.