Audits of DHS Find IT Security Lapses

A recent audit of the U.S. Department of Homeland Security (DHS) by the independent public accounting firm KPMG LLP cited “a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level,” according to the final report.

The audit also included looking at “additional nontechnical information security procedures to identify instances in which OFM and OCIO personnel did not adequately comply with requirements for safeguarding sensitive material or assets from unauthorized access or disclosure.”

The stated purpose of the audit was to “identify component-level information technology (IT) control deficiencies as part of the DHS consolidated financial statement audit.”

Buried in the 17-page documents are concerning security lapses. The report notes that, “During after-hours physical security walkthroughs performed at DHS, we inspected a total of 69 workspaces. Of those, 3 were observed to have material – including, but not limited to, system passwords, information marked ‘FOUO’ (For Official Use Only) or otherwise meeting the criteria established by DHS MD 11042.1, documents containing sensitive PII (Personally Identifying Information), and government-issued laptops, mobile devices, or storage media – left unattended and unsecured after business hours in violation of DHS policy.”

Auditors also found that the OFM and OCIO’s password configurations do not comply with DHS standards.

The report concludes, “The deficiencies collectively limited OFM and OCIO’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure their confidentiality, integrity, and availability. In addition, certain of these deficiencies adversely impacted internal controls over DHS’ financial reporting and its operation and therefore are considered to collectively represent a material weakness.”

A separate audit of the National Protection and Programs Directorate at DHS, released the week prior, found similar concerns, including the fact that “account management policies did not exist or were lacking sufficient detail in areas such as segregation of duties, recertification, elevated privileges, and disabling accounts upon user separation,” the audit states.