Audit: CBP weak on IT security

Information technology security remains a significant deficiency at U.S. Customs and Border Protection but is no longer a material weakness, according to an independent audit released today by Homeland Security Department Inspector General Richard Skinner.

In a previous review in September 2007, audit firm KPMG noted a material weakness in entitywide security of CBP computer systems, including problems with system access controls,service continuity and software change management.

In the current audit, which took place in September 2008, KPMG auditors said CBP had corrected some of the shortcomings, and the material weakness was downgraded to a significant deficiency, which reflects a lower level of concern.

“Improvements were made to correct the material weakness; however, significant deficiencies remain in all areas noted during fiscal 2008,” the audit stated.

However, in both the 2007 and 2008 audits, CBP continued to be out of compliance with the Federal Information Security Management Act, which sets up requirements for reporting of IT security protocols and problems.

Although upgrades were made, CBP did not substantially comply with all categories of FISMA during fiscal 2008, the audit stated.

“Collectively, the IT control deficiencies limit CBP’s ability to ensure that critical financial and operational data is maintained in such a manner to ensure confidentiality, integrity and availability,” the auditors wrote. However, due to the sensitive nature of the security issues identified, the auditors said they would issue a separate report on the details of their findings.

Overall, the auditors reported a material weakness in drawback of duties, taxes and fees, continued from 2007. There also were three other significant deficiencies reported in the CBP entry process for shipments. A previous deficiency regarding refunds for a dumping offset program was removed. CBP officials agreed with the audit.