Oversight

IG: ICE IT system deficiencies threaten data integrity

Shutterstock image (by Robert Adrian Hillman): Abstract design for broken code.

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the integrity and security of sensitive financial and operational data, according to a recent annual audit by the Department of Homeland Security's Office of Inspector General.

The audit, conducted by KPMG, noted seven deficiencies, two of which were repeat issues.

Auditors found that some peripheral financial systems were not fully integrated with the core financial system, which limits optimal data processing and reporting. Additionally, they said the primary financial system permitted users to enter data for dates in the future and enter dollar amounts that exceeded the available funding.

The report notes that users circumvented supervisor approval for access to ICE's property system, user activity was not consistently documented, and there was no documentation of user account review or renewal of access credentials.

User authorization approval was not documented for the property system, the primary financial system, or the time and attendance system.

The report characterizes the improper approvals (a repeat finding) and the absence of authorization documentation as the most significant weaknesses "from a financial statement audit perspective."

In addition, auditors said there was no formal documentation for a configuration management plan, although managers did adhere to a consistent practice for carrying out changes.

KPMG also assessed social engineering vulnerabilities and administered after-hours walkthroughs. The social engineering test consisted of calling 45 employees and contractors in an attempt to solicit password information. The calls only reached 10 people, two of whom revealed sensitive information.

During the walkthroughs, auditors randomly inspected 84 workspaces, 34 of which were observed to have unattended sensitive material -- including unsecured laptops, system passwords and access credentials, and information marked for official use only -- in plain sight, a violation of DHS policy. That represented the other repeat audit finding.

The IG's report recommends updating the financial system so that obligations cannot be entered with future dates and cannot exceed available funding, updating user and account management plans to ensure documentation of user access controls and authorization, developing stricter controls for access authorization and annual recertification of users, and documenting a formal configuration management plan.

The audit states that ICE is responsible for determining the best course of action to address the recommendations. ICE's response was not included in the report.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.

Click here for previous articles by Gunter, or connect with him on Twitter: @WChaseGunter

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.