IG report calls DHS IT security inadequate
- By Alice Lipowicz
- Aug 23, 2005
The Homeland Security Department's IT systems continue to be plagued by weak access controls and a lack of contingency planning, according to a new report released by the department's Office of the Inspector General.
'The most significant weaknesses from a financial audit perspective relate to information security (entity-wide security, access controls and systems software),' states the IT Management Letter for the Fiscal 2004 Financial Statement Audit, written by the KPMG LLP accounting firm in December 2004. A redacted version of the management letter has been made public by the inspector general.
'Collectively, the IT control weaknesses limit DHS' ability to ensure that critical financial and operational data is maintained in such a manner to ensure confidentiality, integrity and availability,' the letter stated.
KPMG found significant access control vulnerabilities with internal IT devices inside firewalls that may allow some personnel unauthorized access. 'In some cases, users are able to access test and development devices with group passwords, system default passwords or the same passwords with which they log into production devices,' the letter said.
The department took steps last year to correct IT control deficiencies identified the year before, including restructuring the chief information officer's role and functions, improving IT security by completing departmentwide training and awareness sessions, holding biweekly meetings on information security and awarding the Emerge2 contract
to help consolidate IT functions.
Although some improvements were noted, 'many of the conditions identified in fiscal 2003 have not been corrected, because DHS still faces challenges related to the merging of numerous entities that have had their own IT functions, controls, processes and overall organizational shortages,' the report said.
Recommendations made by KPMG to improve IT systems security include:
- Additional security plans and risk assessments
- Implementation and enforcement of the security certification and accreditation program
- Enforcement of all password controls
- Enforcement of policies with regard to monitoring, use and changes of operating systems
- Implementing policies to segregate duties between IT and accounting functions
- Completing business continuity plans and improving documentation of software changes
- Performing periodic verifications of data input and output.
The report reviewed IT controls at the Transportation Security Administration, Coast Guard, Customs and Border Patrol, and other agencies within the Homeland Security Department. Many of the findings have been blacked out from the redacted report for national-security reasons.
In a written response, Homeland Security CIO Steve Cooper concurred with most of the audit findings and noted that several projects were under way to address most of the recommendations. Cooper resigned from the department in April.
The report is available online here
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.