Appendix A
Purpose, Scope, and Methodology
Our purpose was to determine whether actions taken by CBP to
address the August 11, 2007, outage at LAX were sufficient to
minimize the effects of a potential future outage. Specifically, we
evaluated whether the controls that CBP implemented would assist
in identifying the cause of an outage, facilitate deployment of
backup systems, and recover from the outage.
We coordinated the implementation of this technical security
evaluation program with the DHS Chief Information Security
Officer. We mutually agreed to the wording for the Rules of
Engagement for the technical testing.[5] We reviewed applicable
DHS and CBP policies, procedures, and CBP’s responses to our
site surveys and technical questionnaires. Prior to performing our
onsite review, we used CBP’s responses to identify occupied
space, server rooms, and telecommunications closets. Our onsite
review included a physical review of CBP space and interviews
with CBP staff. Our technical review included reviews of
workstations that may have been involved in the outage at LAX.[6]
We provided CBP with briefings concerning the results of
fieldwork and the information summarized in this report. We
conducted this review between August 2007 and March 2008.
We performed our work according to the Quality Standards for
Inspection of the President’s Council on Integrity and Efficiency,
and pursuant to the Inspector General Act of 1978, as amended.
We appreciate the efforts by DHS management and staff to provide
the information and access necessary to accomplish this review.
Our points of contact for this report are Frank Deffer, Assistant
Inspector General for Information Technology, (202) 254-4100,
and Roger Dressler, Director for Information Systems and
Architectures, (202) 254-5441. Major Office of Inspector General
(OIG) contributors to the review are identified in Appendix D.
[5] The Rules of Engagement established the boundaries and schedules for the technical evaluations.
[6] Our analysis of three devices that may have been involved in the August 11, 2007, outage was inconclusive.
Lessons Learned from the August 11, 2007, Network Outage at Los Angeles International Airport
(Redacted)