ARCHIVED INFORMATION -- Annual Accountability Report Fiscal Year 1995

Controls Over Automated Systems


Improvements are Required in Security over Financial Systems and in Disaster Recovery Capabilities. (reportable condition)

In performing our audit, we tested system security and disaster recovery capabilities for Education's key financial systems. Education's Primary Accounting System (PAS) is the general accounting system for the Department. Another key financial system is the Payment Management System (PMS), which is used to process approximately $28 billion in grant and contract disbursements annually. Funds are disbursed through PMS to government and private institutions.

During our audit testing, we identified system security problems within the PMS system. Specifically, we found that a mainframe-based security package (Resource Access Control Facility, or RACF) that would provide the necessary security for PMS is available to Education but has not been implemented. RACF provides many features to limit access, such as password controls, transaction controls, and logging/reporting functionality. If properly implemented, the RACF security software will greatly reduce the risk of unauthorized access to PMS and provide increased assurance as to the integrity of Education's disbursement data. Education is currently analyzing the cost feasibility of implementing RACF.

Because the security package has not been implemented, Education must rely upon application level security that is built into the PMS system. The application level security does not provide a sufficient level of security for PMS, particularly given this system's role in controlling disbursements of over $28 billion annually. The deficiencies in PMS security could enable unauthorized users to access confidential data, change data, make unauthorized payments, or bring down the system. Details as to specific security vulnerabilities that exist in PMS are being reported to Education's management under separate confidential cover.

We also identified deficiencies in disaster recovery capabilities for both PAS and PMS. Although a high level framework for disaster recovery exists, a formal, detailed plan has not been established, approved and tested. The absence of a formal, tested data recovery plan means that Education may not be able to recover critical systems and data and resume processing in the event of a disaster at one of its principal data centers.

Education has already begun to respond to this concern raised during our audit. A statement of work has been drafted to obtain contractor assistance in developing a disaster recovery plan for PAS. With regard to PMS, Education has begun to work with the existing contractor that operates this system to develop a disaster recovery plan. We note that these plans must not only address how to recover from the occurrence of a disaster, but also how to continue to support critical functions during the recovery stage.

Recommendations

We recommend that Education:

  1. Implement the RACF security package as soon as possible.

  2. Prepare a formal disaster recovery plan for the PAS and PMS systems that:

  3. Periodically test the disaster recovery plan once it is implemented.
