State IG: Broadcasters need tighter controls over user accounts

The Broadcasting Board of Governors needs to do a better job tallying and disabling inactive user accounts to protect sensitive agency data, according to a recent oversight report.

An audit by the State Department's Office of Inspector General found that some accounts on the BBG's Microsoft Windows directory database are misidentified, and others lack an appropriately defined policy for when they become inactive and should be disabled. Auditors discovered 98 duplicate accounts, and eight accounts deemed inactive that were identified as privileged. Those privileged accounts were allowed increased network access and were exempted from log-ins to avoid being disabled.

Auditors were concerned that hackers who gained control over one of these non-user or privileged accounts could access BBG's servers, applications or confidential directory information.

The report also noted that, since fiscal 2010, OIG has repeatedly found issues with BBG's account management protocol, including insufficient password management standards and not following its own internal policies for disabling user accounts after the defined inactivity period.

OIG recommended that the agency CIO develop a way to separate and accurately identify user and non-user accounts, and issue definitions of when privileged and non-user accounts become inactive and should be disabled. BBG concurred with the recommendations, and said it will take corrective action.