fingerprint

Audits of DHS Find IT Security Lapses

A recent audit of the U.S. Department of Homeland Security (DHS) by the independent public accounting firm KPMG LLP cited “a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level,” according to the final report.

The audit also included looking at “additional nontechnical information security procedures to identify instances in which OFM and OCIO personnel did not adequately comply with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.”

The stated purpose of the audit was to “identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit.”

Buried in the 17-page documents are concerning security lapses. The report notes that, “During after-hours physical security walkthroughs performed at DHS, we inspected a total of 69 workspaces. Of those, 3 were observed to have material – including, but not limited to, system passwords, information marked ‘FOUO’ (For Official Use Only) or otherwise meeting the criteria established by DHS MD 11042.1, documents containing sensitive PII (Personally Identifying Information), and government-issued laptops, mobile devices, or storage media – left unattended and unsecured after business hours in violation of DHS policy.”

Auditors also found that the OFM and OCIO’s password configurations do not comply with DHS standards.

The report concludes, “The deficiencies collectively limited OFM and OCIO’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. In addition, certain of these deficiencies adversely impacted internal controls over DHS’ financial reporting and its operation and therefore are considered to collectively represent a material weakness.”

A separate audit of the National Protection and Programs Directorate at DHS, released the week prior, found similar concerns, including the fact that “account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.

 

 

 

 

 

 

Posted in The Takedown

Tags: DHS, cybersecurity, information technology

Print

This Week on FEDtalk

Preparing Young People for Public Service

Tune in to FEDtalk this week for a discussion on the transition between college and government. The guests will cover how the federal government is currently struggling to recruit and retain young people in public service. Guests will also highlight projects by both government entities and stakeholders to encourage individuals to join the next generation of federal government work.

Read more ...

Hear it from FLEOA

FLEOA Encourages Passage of EAGLES Act Following Wave of Mass Public Violence

Nathan Catura, President of the Federal Law Enforcement Officers Association (FLEOA), the nation’s largest non-partisan, not-for-profit professional association representing more than 27,000 federal law enforcement officers and agents across 65 federal agencies, today issued the following statement in support of the EAGLES Act.

Read more ...
FEDagent

FEDagent.com

The free weekly e-report for Federal Law Enforcement

Get in touch with us

Email FEDagent publisher

Copyright 2019 FEDagent.com
Hosted by Peak Media Company, LLC