IG: ICE IT system deficiencies threaten data integrity

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the integrity and security of sensitive financial and operational data, according to a recent annual audit by the Department of Homeland Security's Office of Inspector General.

The audit, conducted by KPMG, noted seven deficiencies, two of which were repeat issues.

Auditors found that some peripheral financial systems were not fully integrated with the core financial system, which limits optimal data processing and reporting. Additionally, they said the primary financial system permitted users to enter data for dates in the future and enter dollar amounts that exceeded the available funding.

The report notes that users circumvented supervisor approval for access to ICE's property system, user activity was not consistently documented, and there was no documentation of user account review or renewal of access credentials.

User authorization approval was not documented for the property system, the primary financial system, or the time and attendance system.

The report characterizes the improper approvals (a repeat finding) and the absence of authorization documentation as the most significant weaknesses "from a financial statement audit perspective."

In addition, auditors said there was no formal documentation for a configuration management plan, although managers did adhere to a consistent practice for carrying out changes.

KPMG also assessed social engineering vulnerabilities and conducted after-hours walkthroughs. The social engineering test consisted of calling 45 employees and contractors in an attempt to solicit password information. The calls reached only 10 people, two of whom revealed sensitive information.

During the walkthroughs, auditors randomly inspected 84 workspaces, 34 of which were observed to have unattended sensitive material -- including unsecured laptops, system passwords and access credentials, and information marked for official use only -- in plain sight, a violation of DHS policy. That represented the other repeat audit finding.

The IG's report recommends updating the financial system so that obligations cannot be entered with future dates and cannot exceed available funding, updating user and account management plans to ensure documentation of user access controls and authorization, developing stricter controls for access authorization and annual recertification of users, and documenting a formal configuration management plan.

The audit states that ICE is responsible for determining the best course of action to address the recommendations. ICE's response was not included in the report.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
