Oversight

IG: ICE IT system deficiencies threaten data integrity

Shutterstock image (by Robert Adrian Hillman): Abstract design for broken code.

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the integrity and security of sensitive financial and operational data, according to a recent annual audit by the Department of Homeland Security's Office of Inspector General.

The audit, conducted by KPMG, noted seven deficiencies, two of which were repeat issues.

Auditors found that some peripheral financial systems were not fully integrated with the core financial system, which limits optimal data processing and reporting. Additionally, they said the primary financial system permitted users to enter data for dates in the future and enter dollar amounts that exceeded the available funding.

The report notes that users circumvented supervisor approval for access to ICE's property system, user activity was not consistently documented, and there was no documentation of user account review or renewal of access credentials.

User authorization approval was not documented for the property system, the primary financial system, or the time and attendance system.

The report characterizes the improper approvals (a repeat finding) and the absence of authorization documentation as the most significant weaknesses "from a financial statement audit perspective."

In addition, auditors said there was no formal documentation for a configuration management plan, although managers did adhere to a consistent practice for carrying out changes.

KPMG also assessed social engineering vulnerabilities and administered after-hours walkthroughs. The social engineering test consisted of calling 45 employees and contractors in an attempt to solicit password information. The calls only reached 10 people, two of whom revealed sensitive information.

During the walkthroughs, auditors randomly inspected 84 workspaces, 34 of which were observed to have unattended sensitive material -- including unsecured laptops, system passwords and access credentials, and information marked for official use only -- in plain sight, a violation of DHS policy. That represented the other repeat audit finding.

The IG's report recommends updating the financial system so that obligations cannot be entered with future dates and cannot exceed available funding, updating user and account management plans to ensure documentation of user access controls and authorization, developing stricter controls for access authorization and annual recertification of users, and documenting a formal configuration management plan.

The audit states that ICE is responsible for determining the best course of action to address the recommendations. ICE's response was not included in the report.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.