The Department of Homeland Security worked to repair holes in its information systems last year, but ongoing weaknesses dogged the agencys networks, most notably in managing IT security.
According to a July audit letter from KPMG LLP released last week, the DHS did not correct vulnerabilities in access controls and systems software that had been identified previously, limiting its ability to ensure that data is maintained with confidentiality, integrity and availability. The audit focused on the agencys financial reporting, and the weaknesses found had a negative impact on the financial internal controls, in particular.
One of the most significant problems was found with access control inside the departments firewalls. Reminiscent of the weak "yellow sticky note" password system found all too frequently in the private sector, users at the DHS were sometimes able to use sensitive testing and development devices with a group password or system default password.
Are biometrics the answer to the password problem? Click here to read more.
Personnel "inside the organization who best understand the organizations systems, applications and business processes are able to make unauthorized access to some systems and applications," KPMG warned. "As a result, test and development devices could be a target of hackers/crackers to obtain information (i.e., user password listings) that can be used to attempt further access into DHS IT environment."
KPMG also found that many user accounts were not configured for automatic log-off or lockout and that some workstations and servers were configured without necessary security patches.
Last year, the DHS took several steps to correct IT security weaknesses, such as completing agencywide training and awareness sessions and moving to consolidate IT functions throughout the department.
Another area of potential vulnerability for the DHS is in segregating duties that involve access to sensitive data. KPMG noted that despite previous...