The Department of Homeland Security worked to repair holes in its information systems last year, but ongoing weaknesses dogged the agencys networks, most notably in managing IT security.
According to a July audit letter from KPMG LLP released last week, the DHS did not correct vulnerabilities in access controls and systems software that had been identified previously, limiting its ability to ensure that data is maintained with confidentiality, integrity and availability. The audit focused on the agencys financial reporting, and the weaknesses found had a negative impact on the financial internal controls, in particular.
One of the most significant problems was found with access control inside the departments firewalls. Reminiscent of the weak “yellow sticky note” password system found all too frequently in the private sector, users at the DHS were sometimes able to use sensitive testing and development devices with a group password or system default password.
Personnel “inside the organization who best understand the organizations systems, applications and business processes are able to make unauthorized access to some systems and applications,” KPMG warned. “As a result, test and development devices could be a target of hackers/crackers to obtain information (i.e., user password listings) that can be used to attempt further access into DHS IT environment.”
KPMG also found that many user accounts were not configured for automatic log-off or lockout and that some workstations and servers were configured without necessary security patches.
Last year, the DHS took several steps to correct IT security weaknesses, such as completing agencywide training and awareness sessions and moving to consolidate IT functions throughout the department.
Another area of potential vulnerability for the DHS is in segregating duties that involve access to sensitive data. KPMG noted that despite previous recommendations, there were situations where one individual controlled more than one critical function, which increases the risk of fraud or damage to the data without detection. Also, software changes were not consistently documented, and the department was not up to speed on enforcing its certification and accreditation program or on training for administrators and security officers.
In response to KPMGs findings, the DHS said it initiated a number of projects to remedy the weaknesses. However, several significant challenges remain, particularly in implementing an agencywide patch and security process. With more than 22 IT architectures joined in the department, it is a long-term project to design a single patch process.
The high personnel turnover rate has hampered the deployment of an agencywide security training and awareness program. Nonetheless, last year, 85 percent of the DHS system users received IT security awareness training, and 89 percent of the agencys information security professionals received specialized training, according to the DHS.
Newly hired DHS CIO Scott Charbo, who took the reins from Steve Cooper in June, has already moved to create a more unified IT infrastructure throughout the DHS by setting up two new procurement programs. The Enterprise Acquisition Gateway for Leading Edge solutions, or EAGLE, will cover IT services, including engineering design and implementation, testing and verification, software development, and management support. First Source will cover hardware and software, such as networking equipment, imaging products, wireless technology and online data tracking systems.