fingerprint

Audits of DHS Find IT Security Lapses

A recent audit of the U.S. Department of Homeland Security (DHS) by the independent public accounting firm KPMG LLP cited “a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level,” according to the final report.

The audit also included looking at “additional nontechnical information security procedures to identify instances in which OFM and OCIO personnel did not adequately comply with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.”

The stated purpose of the audit was to “identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit.”

Buried in the 17-page documents are concerning security lapses. The report notes that, “During after-hours physical security walkthroughs performed at DHS, we inspected a total of 69 workspaces. Of those, 3 were observed to have material – including, but not limited to, system passwords, information marked ‘FOUO’ (For Official Use Only) or otherwise meeting the criteria established by DHS MD 11042.1, documents containing sensitive PII (Personally Identifying Information), and government-issued laptops, mobile devices, or storage media – left unattended and unsecured after business hours in violation of DHS policy.”

Auditors also found that the OFM and OCIO’s password configurations do not comply with DHS standards.

The report concludes, “The deficiencies collectively limited OFM and OCIO’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. In addition, certain of these deficiencies adversely impacted internal controls over DHS’ financial reporting and its operation and therefore are considered to collectively represent a material weakness.”

A separate audit of the National Protection and Programs Directorate at DHS, released the week prior, found similar concerns, including the fact that “account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.

 

 

 

 

 

 

Posted in The Takedown

Tags: DHS, cybersecurity, information technology

Print Email

Add comment


Security code
Refresh

You can't afford NOT to have FEDS protection.

Visit FEDS Online

This Week on FEDtalk

Forging Ahead with Federal Leaders

On this week’s FEDtalk, host Ben Carnes will be joined by Senior Executives Association (SEA) President Bill Valdez and Federal Times’ Jessie Bur to discuss current challenges (as well as current opportunities) facing federal leaders.

Read more ...

Hear it from FLEOA

An Update on the OPM Cyber Breach

In the wake of the most recent data breach of Equifax, FLEOA has provided an update on the June 2015 Office of Personnel Management (OPM) data breach to include claims, lawsuits and legislation.

Read more ...
FEDagent

FEDagent.com

The free weekly e-report for Federal Law Enforcement

Get in touch with us

Email FEDagent publisher

Copyright 2018 FEDagent.com
Hosted by Peak Media Company, LLC