Oversight

IG: ICE IT system deficiencies threaten data integrity

Shutterstock image (by Robert Adrian Hillman): Abstract design for broken code.

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the integrity and security of sensitive financial and operational data, according to a recent annual audit by the Department of Homeland Security's Office of Inspector General.

The audit, conducted by KPMG, noted seven deficiencies, two of which were repeat issues.

Auditors found that some peripheral financial systems were not fully integrated with the core financial system, which limits optimal data processing and reporting. Additionally, they said the primary financial system permitted users to enter data for dates in the future and enter dollar amounts that exceeded the available funding.

The report notes that users circumvented supervisor approval for access to ICE's property system, user activity was not consistently documented, and there was no documentation of user account review or renewal of access credentials.

User authorization approval was not documented for the property system, the primary financial system, or the time and attendance system.

The report characterizes the improper approvals (a repeat finding) and the absence of authorization documentation as the most significant weaknesses "from a financial statement audit perspective."

In addition, auditors said there was no formal documentation for a configuration management plan, although managers did adhere to a consistent practice for carrying out changes.

KPMG also assessed social engineering vulnerabilities and administered after-hours walkthroughs. The social engineering test consisted of calling 45 employees and contractors in an attempt to solicit password information. The calls only reached 10 people, two of whom revealed sensitive information.

During the walkthroughs, auditors randomly inspected 84 workspaces, 34 of which were observed to have unattended sensitive material -- including unsecured laptops, system passwords and access credentials, and information marked for official use only -- in plain sight, a violation of DHS policy. That represented the other repeat audit finding.

The IG's report recommends updating the financial system so that obligations cannot be entered with future dates and cannot exceed available funding, updating user and account management plans to ensure documentation of user access controls and authorization, developing stricter controls for access authorization and annual recertification of users, and documenting a formal configuration management plan.

The audit states that ICE is responsible for determining the best course of action to address the recommendations. ICE's response was not included in the report.

About the Author

Chase Gunter is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.