IG: ICE IT system deficiencies threaten data integrity

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the privacy and integrity of critical financial and operational data, according to a new report.

Deficiencies in Immigration and Customs Enforcement's general IT controls could jeopardize the integrity and security of sensitive financial and operational data, according to a recent annual audit by the Department of Homeland Security's Office of Inspector General.

The audit, conducted by KPMG, noted seven deficiencies, two of which were repeat issues.

Auditors found that some peripheral financial systems were not fully integrated with the core financial system, which limits optimal data processing and reporting. Additionally, they said the primary financial system permitted users to enter data for dates in the future and enter dollar amounts that exceeded the available funding.

The report notes that users circumvented supervisor approval for access to ICE's property system, user activity was not consistently documented, and there was no documentation of user account review or renewal of access credentials.

User authorization approval was not documented for the property system, the primary financial system, or the time and attendance system.

The report characterizes the improper approvals (a repeat finding) and the absence of authorization documentation as the most significant weaknesses "from a financial statement audit perspective."

In addition, auditors said there was no formal documentation for a configuration management plan, although managers did adhere to a consistent practice for carrying out changes.

KPMG also assessed social engineering vulnerabilities and conducted after-hours walkthroughs. The social engineering test consisted of calling 45 employees and contractors in an attempt to solicit password information. The calls reached only 10 people, two of whom revealed sensitive information.

During the walkthroughs, auditors randomly inspected 84 workspaces, 34 of which were observed to have unattended sensitive material -- including unsecured laptops, system passwords and access credentials, and information marked for official use only -- in plain sight, a violation of DHS policy. That represented the other repeat audit finding.

The IG's report recommends updating the financial system so that obligations cannot be entered with future dates and cannot exceed available funding, updating user and account management plans to ensure documentation of user access controls and authorization, developing stricter controls for access authorization and annual recertification of users, and documenting a formal configuration management plan.

The audit states that ICE is responsible for determining the best course of action to address the recommendations. ICE's response was not included in the report.