fingerprint

Audits of DHS Find IT Security Lapses

A recent audit of the U.S. Department of Homeland Security (DHS) by the independent public accounting firm KPMG LLP cited “a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level,” according to the final report.

The audit also included looking at “additional nontechnical information security procedures to identify instances in which OFM and OCIO personnel did not adequately comply with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.”

The stated purpose of the audit was to “identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit.”

Buried in the 17-page documents are concerning security lapses. The report notes that, “During after-hours physical security walkthroughs performed at DHS, we inspected a total of 69 workspaces. Of those, 3 were observed to have material – including, but not limited to, system passwords, information marked ‘FOUO’ (For Official Use Only) or otherwise meeting the criteria established by DHS MD 11042.1, documents containing sensitive PII (Personally Identifying Information), and government-issued laptops, mobile devices, or storage media – left unattended and unsecured after business hours in violation of DHS policy.”

Auditors also found that the OFM and OCIO’s password configurations do not comply with DHS standards.

The report concludes, “The deficiencies collectively limited OFM and OCIO’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. In addition, certain of these deficiencies adversely impacted internal controls over DHS’ financial reporting and its operation and therefore are considered to collectively represent a material weakness.”

A separate audit of the National Protection and Programs Directorate at DHS, released the week prior, found similar concerns, including the fact that “account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.

 

 

 

 

 

 

Posted in The Takedown

Tags: DHS, cybersecurity, information technology

Print

This Week on FEDtalk

Preparing for 2020 with Public Employee Groups

Tune in to FEDtalk this week to hear from public employee groups about their plans for 2020. Guests from across the federal community will discuss the biggest issues of 2019 spilling into the new year, policy priorities for their organization, and important events every federal employee should look out for this year.

Read more ...

Hear it from FLEOA

FLEOA Successfully Advocates for Change to Michigan LEOSA Policy

On Tuesday, FLEOA President Larry Cosme issued a letter on Michigan LEOSA policy.  The full text of the statement is below.

Read more ...
FEDagent

FEDagent.com

The free weekly e-report for Federal Law Enforcement

Get in touch with us

Email FEDagent publisher

Copyright 2020 FEDagent.com
Hosted by Peak Media Company, LLC