Interface Online Center for Information Technology (CIT)

December 20, 2002 [Number 225]

Annual Audit in 2002 Confirms Security of Titan, South, and EOS

Every year, the Center for Information Technology (CIT) engages independent auditors—under the direction of the DHHS Office of Inspector General (OIG)—to perform security reviews of the general support systems—Titan, South, and EOS—hosting critical applications and highly sensitive data. The reviews are scheduled in conformance with the OMB Circular A-130 Appendix III requirement to periodically review the security controls of general support systems. The reviews are also undertaken to assist customers’ independent auditors in their reviews of customer applications.

In conducting their reviews, the auditors use the SAS 70 Type II audit standard established by the American Institute of Certified Public Accountants. SAS 70 reviews verify that appropriate security controls are in place, and "Type II" indicates that these controls are fully tested by the auditor. The SAS 70 Type II audit is a standard accepted by industry and government.

Ernst & Young, the independent auditors engaged by OIG, performed a complete audit and tested the policies and procedures as applied to the Titan and South (OS/390) and EOS (Unix) operating environments. Conducted this year between July and September 2002, the audit included interviews with CIT personnel, a complete review of the system documentation, and tests of controls as implemented on Titan, South, and EOS.

Once again, Ernst & Young LLP has determined that CIT provides a computing environment suitable for hosting critical applications and highly sensitive data. The auditors found that CIT’s controls for Titan, South, and EOS are suitably designed, implemented, and managed to reasonably ensure that all security objectives are achieved.

The final SAS 70 Report has been submitted to OIG and is in final OIG review. The report contains sufficient information to certify that Titan, South, and EOS are operated at DHHS Security Level 3. The report is expected to be available by the end of December. Customers who wish to obtain a copy of the report for their auditors should contact TASC at (301) 594-6248 and ask to speak to the DCSS Security Coordinator.

 
Published by Center for Information Technology, National Institutes of Health