fingerprint

Audits of DHS Find IT Security Lapses

A recent audit of the U.S. Department of Homeland Security (DHS) by the independent public accounting firm KPMG LLP cited “a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level,” according to the final report.

The audit also included looking at “additional nontechnical information security procedures to identify instances in which OFM and OCIO personnel did not adequately comply with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.”

The stated purpose of the audit was to “identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit.”

Buried in the 17-page documents are concerning security lapses. The report notes that, “During after-hours physical security walkthroughs performed at DHS, we inspected a total of 69 workspaces. Of those, 3 were observed to have material – including, but not limited to, system passwords, information marked ‘FOUO’ (For Official Use Only) or otherwise meeting the criteria established by DHS MD 11042.1, documents containing sensitive PII (Personally Identifying Information), and government-issued laptops, mobile devices, or storage media – left unattended and unsecured after business hours in violation of DHS policy.”

Auditors also found that the OFM and OCIO’s password configurations do not comply with DHS standards.

The report concludes, “The deficiencies collectively limited OFM and OCIO’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. In addition, certain of these deficiencies adversely impacted internal controls over DHS’ financial reporting and its operation and therefore are considered to collectively represent a material weakness.”

A separate audit of the National Protection and Programs Directorate at DHS, released the week prior, found similar concerns, including the fact that “account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.

 

 

 

 

 

 

Posted in The Takedown

Tags: DHS, cybersecurity, information technology

Print

This Week on FEDtalk

Navigating Plans for Summer with the National Park Service

Do you know what you are doing this summer? To find out what our National Parks have to offer, tune in to FEDtalk this Friday and start planning your trip!

Read more ...

Hear it from FLEOA

FLEOA Highlights Important Policy, People During Police Week

The Federal Law Enforcement Officers Association (FLEOA) is continually committed to serving our members and the federal law enforcement community. This Police Week, FLEOA has dedicated special time and attention to pushing policy that helps the law enforcement community protect and serve their community. From events highlighting the importance of police to meetings on the Hill, FLEOA is excited to engage the public and policy makers on law enforcement issues during this time of heightened awareness.

Read more ...
FEDagent

FEDagent.com

The free weekly e-report for Federal Law Enforcement

Get in touch with us

Email FEDagent publisher

Copyright 2019 FEDagent.com
Hosted by Peak Media Company, LLC