DHS OIG, OIG-06-41, Information Technology Management Letter for the FY 2005 Customs and Border Protection Balance Sheet Audit (Redacted) (2006)

DHS OIG

Section: Information Technology Management Letter for the FY 2005 Customs and Border Protection Balance Sheet Audit (Redacted)

Effective: 6/29/2006

Bluebook Citation: DHS OIG, OIG-06-41, Information Technology Management Letter for the FY 2005 Customs and Border Protection Balance Sheet Audit (Redacted) (2006)

DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General Information Technology Management Letter for the FY 2005 Customs and Border Protection Balance Sheet Audit (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. § 552 (b)(2). A review under the Freedom of Information Act will be conducted upon request. Office of Information Technology OIG-06-41 June 2006 KPMG LLP 2001 M Street, NW Washington, DC 20036 December 2, 2005 Inspector General U.S. Department of Homeland Security Commissioner Bureau of Customs and Border Protection Chief Information Officer Bureau of Customs and Border Protection We have audited the consolidated balance sheet of the U.S. Department of Homeland Security’s Bureau of Customs and Border Protection (CBP) as of September 30, 2005.

In planning and performing our audit of CBP’s consolidated balance sheet, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated balance sheet. Audit procedures may not include examining the effectiveness of internal controls and an audit does not provide assurance on internal control. We have not considered internal control since the date of our report. During our audit, we noted certain matters involving internal control and other operational matters with respect to information technology that are summarized in the Information Technology Management Letter starting on page 1.

These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies. These comments are in addition to the reportable conditions presented in our Independent Auditors’ Report, dated November 2, 2005, and represent the separate restricted distribution report mentioned in that report. A description of each Notice of Findings and Recommendations is provided in Appendix B. We have also included the current status of each prior year Notice of Findings and Recommendations in Appendix C. Our comments related to financial management that are in addition to the reportable conditions presented in our Independent Auditors’ Report will be reported in the DHS consolidated management letter. Our audit procedures were designed primarily to enable us to form an opinion on the consolidated balance sheet and therefore may not bring to light all weaknesses in policies and procedures that may exist.

We aim, however, to use our knowledge of CBP’s organization gained during our work to make comments and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and recommendations with you at any time. This report is intended for the information and use of DHS and CBP management, the DHS Office of Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and the Government Accountability Office, and is not intended to be and should not be used by anyone other than these specified parties. Very truly yours, Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit KPMG LLP.

KPMG LLP, a U.S. limited liability partnership, is a member of KPMG International, a Swiss association. Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 Robert Todero Partner Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 INFORMATION TECHNOLOGY MANAGEMENT LETTER TABLE OF CONTENTS Information Technology Objective, Scope and Approach Summary of Findings and Recommendations Findings by Audit Area Entity-Wide Security Program Planning and Management Access Controls Segregation of Duties Service Continuity Application Software Development and Change Controls Management Comments and OIG Evaluation APPENDICES Appendix Subject A B C D Description of Financial Systems and IT Infrastructure within the Scope of the FY 2005 CBP Balance Sheet Audit FY 2005 CBP Notices of Findings and Recommendations – IT Detail Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notice of Findings and Recommendations Management Response to Draft CBP IT Management Letter Page 1 2 2 2 3 5 6 6 7 Page 8 10 18 21 Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 INFORMATION TECHNOLOGY OBJECTIVE, SCOPE AND APPROACH KPMG performed a review of CBP’s IT general controls in support of the FY 2005 CBP consolidated balance sheet audit. The overall objective of our review was to evaluate the effectiveness of IT general controls of CBP’s financial processing environment and related IT infrastructure as necessary to support the audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our review and was supplemented by the National Institute of Standards and Technology (NIST) Special Publication 800-53 and applicable CBP and DHS policies.

The scope of the IT general controls assessment included testing at CBP’s Office of Finance and Office of Information Technology. FISCAM is designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment. • Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. • Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure. • System software (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware. • Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer- related operations, thus deterring unauthorized actions or access to assets or records. • Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur. • Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.

To complement our general IT controls review, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls. The technical security testing was performed from within CBP, and was focused on test, development, and production devices that directly support CBP financial processing and key general support systems. We also tested application controls, which are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans. The application control testing was performed to assess the controls that support the financial system’s internal controls over the input, processing, and output of financial data and transactions.

1 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 SUMMARY OF FINDINGS AND RECOMMENDATIONS During FY 2005, CBP took corrective action to address prior year IT control weaknesses. However, during FY 2005, we continued to find IT general control weaknesses at CBP. The most significant weaknesses from a balance sheet audit perspective related to entity-wide security and access controls. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data was maintained in such a manner to ensure confidentiality, integrity, and availability.

In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we consider them to collectively represent a material weakness under standards established by the AICPA. The information technology findings were consolidated into one material weakness regarding Financial Systems Functionality and Technology for the FY 2005 audit of the CBP consolidated balance sheet. Although we noted improvement, many of the conditions identified at CBP in FY 2004 during our engagement to audit DHS’ consolidated financial statements have not been corrected because CBP still faces challenges related to the merging of numerous IT functions, controls, processes, and overall organizational shortages. During FY 2005, CBP took steps to help address these conditions, such as implementing increased controls over access to sensitive applications functions, improving its IT security program by implementing CBP-wide security training and implementing a new financial management system replacing the legacy mainframe system.

Despite these improvements, CBP needs further emphasis on the monitoring and enforcement of the policies and procedures through the performance of periodic security control assessments and audits. Further improvements are needed in implementing and enforcing the CBP-wide security certification and accreditation (C&A) program, and technical security control training for system administrators and security officers. Many of the technical issues identified during our review, which were also identified during FY 2004, such as weak system access controls and inconsistent contingency planning, can be addressed through a more effective security C&A program and security training program.

FINDINGS BY AUDIT AREA

Entity-Wide Security Program Planning and Management During FY 2005, CBP improved its level of entity-wide security program planning and management. However, continued efforts are needed, especially in the areas of program management related to the detection and monitoring of technical information security weaknesses. Collectively, the identified entity-wide security planning and management issues, coupled with the access control issues described later in this management letter, reduce the overall effectiveness of the entity-wide security programs for CBP. Conditions noted regarding entity-wide security program planning and management at CBP were: • Security risk assessments were not performed regularly and consistently; • CBP has not made efforts to evaluate the need for a separate C&A for the applications remaining in the seven business process areas defined in the Administrative Applications C&A; 2 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 • • Initial security awareness training for CBP employees and contractors was not completed; and Improvements are still needed in CBP’s Incident Handling and Response Capability.

Specifically, issues still exist related to incident prevention, response, recovery, and reporting. ---------------- ------------------------------ ---- ---------------- ---------- ---- ---------- --- ------------------------------------------------ ---------------------------- -------------------------------- -------------- ----------------- - ------- - ---------------- There is a process in place for tracking incidents. However, process is not consistent and/or complete. Incidents were not included on requested weekly reports and incident documentation was missing. Recommendations: Entity-wide security program planning and management controls should be in place to establish a framework and continuing cycle of activity to manage security risk, develop security policies, assign responsibilities, and monitor the adequacy of computer security related controls.

We recommend that the CBP Chief Information Officer (CIO), in coordination with the Chief Financial Officer (CFO), other CBP functional leaders, and the DHS CIO continue efforts to fully implement a security program to ensure that: • Security risk assessments are regularly completed in a consistent manner per Office of Management and Budget (OMB) and NIST guidance; • Information security planning efforts more consistently follow Federal guidance (OMB and NIST) specifically regarding the implementation and enforcement of the C&A program and with respect to the applications remaining in the seven business process areas defined in the Administrative Application C&A; • Management consistently applies the requirements for initial security awareness training for all employees and contractors upon initially establishing LAN/mainframe accounts to CBP information systems; and • Continue to test and implement a standard real-time automated reporting process whereby information can be generated on all incidents, response, and recovery activities on a regular basis for servers and workstations. Additionally, management should develop a consistent process to respond to system flaw notifications and track reported security incidents. Access Controls During FY 2005 we noted significant access control vulnerabilities with ----------------------------- -------------------------------- These are significant issues because personnel inside the organization who best understand the organization’s systems, applications, and business processes were able to make unauthorized access to some systems and applications. Some of the identified vulnerable devices were used for test and development purposes.

In some cases, users were able to access ---- ------------------------------ with group passwords, system default passwords, or the same passwords with which they logged into ------------- ---------. As a result, hackers could target---------- 3 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 ----------- ---- --------- to obtain information (e.g., - -------------------------) to attempt further access into CBP’s IT environment. Conditions noted regarding access controls at CBP were: • • • • Instances where non-supervisory users had excessive access to sensitive and high-risk -------------------------------------- --------------------- Instances within ----- where certain controls could be overridden without supervisory approval; Instances where policies and procedures for restricting and monitoring access to CBP’s ----- ------------- - - - ------ ----- ----- were not implemented or were inadequate, the ability to monitor security logs did not exist, and separated employees had active accounts in ----- ; Instances of missing user passwords ----------------------------------- weak user passwords, and weaknesses in user account management. We also noted several cases where user accounts were not periodically reviewed for appropriateness, including authorizations to use group user accounts and excessive account privileges; • Instances where legacy point-to-point frame relay connections existed without formal interconnection service agreements (ISA); • No formal process exited to confirm or enforce compliance with the ----- re-certification process at the field sites; • Physical access to the -------------------- ---- --------- was not adequately implemented or enforced; and • Inconsistent authorization and recertification process for virtual private network (VPN) users.

Recommendations: In close concert with an organization’s entity-wide information security program, access controls for general support systems and applications should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization’s entity-wide security program. Such controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of information.

We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders: • Ensure that the assignment of sensitive functions and high-risk combinations of functions to non-supervisory users is based on a documented business need and approved by a supervisory 4 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 official. Exceptions from the guidance provided in the memorandum should be formally approved and documented. • Develop a process to mitigate the systemic ----- weakness where certain controls can be overridden without supervisory approval. • Implement and enforce a password account management process to ensure the periodic review of user accounts. Develop a formal centralized process for tracking the termination of employee and contract personnel and coordinate the deactivation of all systems access of terminated employees and contractors immediately upon separation from CBP. Design and implement an entity-wide security configuration process to enforce the guideline of least privilege system access and the monitoring of security logs ---------- • Implement a formal vulnerability assessment process whereby systems are periodically reviewed for security weaknesses and ensure that password controls meet DHS and CBP password requirements on all systems; • Complete efforts to identify all connections with the ------ and formally establish ISAs with these entities; • Formalize the process to confirm or enforce compliance with the ------------ ----- --------------- ------------------ and formally document the verification of ------------------------------------- • Perform a formal review of all personnel that have access to ---- ---------------- determine those that do not have a formal user access form in place.

Confirm that current personnel with ----- ----------------- actually need this access to perform their job functions and remove those who do not. Additionally, establish a formal authorized user access form for each person identified; and • Continue to use the official authorization form for new VPN users, formally re-certify all VPN employee accounts on a periodic basis and document results. Segregation of Duties During FY 2005, we continued to note instances where an individual controlled more than one critical function within a process, increasing the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed, without detection. Additionally, we noted a lack of segregation of duties among major operating and programming activities, including duties performed by users, application programmers, and data center staff.

Conditions noted regarding segregation of duties at CBP were: • Instances where individuals were able to perform incompatible functions, such as the changing, testing, and implementation of software, without sufficient compensating controls in place; and 5 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 • Instances where key security positions were not defined or assigned, and descriptions of positions were not documented or updated. Recommendations: We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders, ensure that: • Responsibilities are documented so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented; and • Policies and procedures are developed and documented to assign key security positions and maintain current position descriptions. Service Continuity During FY 2005 we noted that CBP took some corrective actions to address IT control issues related to the back-up and protection of critical system data.

Despite these improvements, a weakness related to disaster recovery plans and business continuity plans continued to exist. Service continuity is important because losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency’s ability to accomplish its mission. The condition noted regarding service continuity at CBP was: • An incomplete and outdated alternate processing site agreement regarding specifics related to the identified equipment and priority service requirements. Recommendation: We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders: • Formally update the alternate processing site agreement to accurately reflect the current hardware and support that will be required of the alternate processing site vendor in the event of an emergency.

Application Software Development and Change Control During FY 2005 we noted that CBP took corrective actions to address IT control issues related to application software changes. However, we noted that in some cases the application software change control documentation was still not consistent with CBP guidance. Conditions noted regarding configuration management and change control at CBP were: • Instances where ----- application developers were found with access to the production environment; 6 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 • Instances where ----- codes were not configured to the “Productive” setting, allowing users with "mass deletion/change" access to transactional data; and • Instances where changes to-------were not always documented. Recommendations: We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders: • Develop and employ a formally documented process for granting ------------- normal and emergency access to the production environment; • Perform a formal analysis of the new ----- system’s configurations to determine the appropriate settings to prevent users from accidentally or purposely deleting or altering transactional data.

Based on this analysis, the system should be configured accordingly; and • Formally document test plans, test cases, and test results for all ----- changes and formally document business and customer impact analyses for ----- change requests.

MANAGEMENT COMMENTS AND OIG EVALUATION

We obtained written comments on a draft of this report from the CBP CIO. Generally, the CBP CIO agreed with all of the report’s findings and recommendations. We have incorporated the comments where appropriate and included a copy of the comments in their entirety at Appendix D. In his response, the CBP CIO stated that CBP is: • Taking steps to ensure that entity-wide security program planning and management controls are in place to establish a framework and continuing cycle of activity to manage security risk; • Working to ensure that the assignment of sensitive functions is legitimate, that the weaknesses that can lead to a control override in certain systems is mitigated, and that physical and electronic access to sensitive CBP systems is secured and carefully monitored; • Continuing to develop applicable policies and procedures to ensure that certain duties are separated, as necessary and to monitor user roles and new user or access requests to prevent future segregation of duty conflicts; • Working to ensure that the --------------- - ----------------- Continuity of Operations Plan (COOP) is as current as possible, and that the alternate processing site has the hardware and support necessary to continue operations in the event of an emergency; and • Ensuring that proper separation of roles between the development and production environments are established. OIG Response We agree with the steps that CBP is taking to satisfy these recommendations.

7 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit United States Bureau of Customs and Border Protection Information Technology Management Letter September 30, 2005 Appendix A Appendix A Description of Financial Systems and IT Infrastructure within the Scope of the FY 2005 CBP Balance Sheet Audit 8 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit United States Bureau of Customs and Border Protection Information Technology Management Letter September 30, 2005 Appendix A Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of the September 30, 2005 CBP consolidated balance sheet audit. Locations of Review: ---------------------------------------------------------------------- ------------------ --------------------------------------------------------------- . Systems Subject to Review: • • • ------------------------------- ---------------- ---------- --------was decommissioned in FY 2005 and replaced by ----- . It was CBP's IBM --- ----- -- - -based financial management system that supported primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions.

The core system consisted of general ledger, accounts receivable, disbursements/payables, purchasing, and budget execution modules. ------- was hosted on a customized version of------------- ------------- ----------- - ------------- ------------------------ ----- -------- ---------- – ----- is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the ------- -------------------------------- --- ----- ------ - using a phased approach. The---------------------------- -- - ----- ------ was implemented and utilized in FY 2004. Other --------------- were implemented in FY 2005. --------------- - ---------------------------- -------- is a collection of mainframe-based applications used to track, control, and process all commercial goods, conveyances and private aircraft entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed the Federal government. • ---------------- ------------------------------------------------ – Used for tracking seized assets, Customs Forfeiture Fund, and fines & penalties. 9 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 Appendix B Appendix B FY 2005 CBP Notices of Findings and Recommendations – IT Detail 10 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 FY 2005 CBP Notices of Findings and Recommendations – IT Detail Appendix B NFR # Condition Recommendation CBP-IT-05-01 A number of - --- IDs had a segregation of duties conflict.

CBP-IT-05-02 Three ------------------------ --------------- --- ----- ----------------------------------- - --- - ----- --- ---- - --- ---- - ) to specify security modes for individual users without a justified business need. Two----------------------- ----with ---------- ------ had full security administration privileges, which violated separation of duties principles. One ----- account had not been utilized since August 6, 2004. CBP-IT-05-03 CBP-IT-05-04 After the re-organization of the Office of Information Technology (OIT), security administration functions at the-- ---- including mainframe security, network security, and incident response, were not independent of the operations function.

Rather, the Security Operations Center reported to Technology Operations, which was not an independent security function. Due to the design of ------ certain controls could be overridden without supervisory approval. Management plans to implement functionality in the --- - --- --- -- - ------------ ---- ---- ---- ---------- to prevent the override capability. KPMG noted that although ------ will eventually replace ------- ------ will not be implemented in FY 2005.

CBP-IT-05-05 Formal procedures for granting access to Coordinate with each field office that has a segregation of duties conflict to either (1) correct the problem by removing the conflicting roles, or (2) sign a waiver to accept responsibility for issues arising from the segregation of duties conflict. Continue to prevent new IDs with a segregation of duties conflict from being created. Remove unnecessary privileges and/or accounts given the exceptions we noted related to the authorities/functions granted to certain ------ ----------- Accesses granted should be based on the least privilege concept to the minimum number of personnel with a defined and documented need. As an alternate means of providing availability to functions not used on a regular basis, continue implementation of a --------------- -- ------------------ ---- -------- for use by authorized individuals during pre-determined circumstances.

Establishment of a ‘------------------ would enable the removal of privileges from individuals who do not regularly require such access. ---------- -------- are controlled through the use of a hardcopy log, secure storage of passwords, auditing of all --------- --------activities and suspension after each use. Ensure that security administration functions remain independent of operations. In order to maintain independence, the security administration function should not report to operations management. Develop a process to mitigate the systemic ------ weakness that certain controls can be overridden without supervisory approval.

Considering the number of years necessary to fully replace ------ functionality with ------- this process should be designed in a manner to ensure supervisory review of ------ overrides while maintaining a minimal burden on management. CBP should ensure that the new ------ system has the appropriate requirements for such controls and that these controls are applied prior to implementation. Formally establish a process for granting ----- 11 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B sensitive ------technical team member roles have not been developed. The ---------contingency plan has not been updated with the results of the FY 2004 continuity of operations plan (COOP) tests.

Additionally, the COOP has not undergone the annual re-evaluation as required. Also, implementation of the new financial management system changed the mainframe environment to a client-server based ----- environment. However, the plan has not been updated and, therefore, might contain outdated and improper contingency procedures for information systems and data. The requirement for initial security awareness training for employees and contractors was not consistently applied.

CBP-IT-05-06 CBP-IT-05-08 CBP-IT-05-09 Improvements were still needed in security controls affecting ----- ---- - -- ---- -------- management and staff’s system access to applications and data. access to sensitive technical team roles (e.g. basis and security team members) and consistently apply these processes. The procedures should include requirements for documenting the authorization request and include the exact roles that should be granted. Additionally, the procedures should require a periodic documented recertification of the user roles within------- Update the -------- COOP with the most recent test results. Additionally, re-evaluate the COOP for overall contingency planning procedures on an annual basis, especially in the event of a major system change or upgrade, such as --- -- Consistently apply the requirements for initial security awareness training for all employees and contractors upon initially establishing LAN/mainframe accounts to information systems.

Coordinate with DHS in developing enterprise- wide solutions for improving network and host- based system configuration design(s) to reduce the risks of compromise. Consider use of system administrator level security management monitoring tools to detect and correct security deficiencies in preventing possible intrusions. Use of such tools should include a planned “prioritized” schedule for checking all servers. Proceed with the implementation of -- ------- -------------------- ----------- ------- ------------ ----- ---------- - ---- - --- Provide and approve more robust standards for -- - - - --- --- -- ---- - ----- - --- - --- -- for a standard and sustainable baseline set of system management security controls.

Consider development of a compliance-level policy that provides for adherence to agency password management policies. This policy should be developed at ------- --- -- --- - -- -------- - where 12 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B local system administrators and help desk staff may apply such policies (e.g., changing password age, account lockout, password uniqueness, password length, etc.). For -------- ----- ----------- ----------------------- review, justify, and ensure that the level of access is based on strict adherence to least privilege principles where the absolute minimum level necessary is applied. As CBP moves with DHS toward more technology efficient enterprise-wide solutions (e.g., centralized means of managing network assets), the ability to reduce current levels will be enhanced.

Continue to review the audit logs daily and maintain documented evidence. Train backup personnel to perform this task in the event that the primary personnel performing this task are not available. Complete efforts to identify ---------- -- -- - - ------ connections that are considered “legacy” connections and formally establish ISAs with these entities. Complete efforts to identify all connections with the ------ and formally establish ISAs with these entities.

Formally update the alternate processing site agreement to accurately reflect the current hardware and support that will be required of the alternate processing site vendor in the event of an emergency. Formalize the process to confirm or enforce compliance with the ---------------------- - - --------at the field sites and formally document the verification of field site ---------------------- --- Perform a formal review of all personnel who have access to the --------- ---------- - - to determine those who do not have a formal user access form in place. Establish a formally authorized user access form for each person identified. Confirm that current personnel with data center access actually need this access to perform their job CBP-IT-05-10 ----- security audit log reviews were not evidenced for the majority of FY 2005.

CBP-IT-05-11 CBP-IT-05-12 CBP-IT-05-13 CBP-IT-05-14 ----- administrator staff have not documented ISAs for all entities that connect with the ----- . Although there was ---- - -- --------------------- ------------ - -- -- of all partners that have an ISA with CBP, this database failed to capture all connections with ------ The majority of financial institutions connected to ------ have not formally established ISAs. The “equipment” and “priority of service” requirements have not been annually updated. As a result, the agreement was outdated and did not reflect the current operating environment at ------- No formal process existed to confirm or enforce compliance with the ---------------------- - ----------------------------- Although field site administrators were trained to perform the re- certifications every six months, there was no management oversight to ensure that the field site administrators were performing the re- certifications.

Procedures have not been adequately implemented for restricting access to the data center located in ------ --- Specifically, nineteen out of thirty-two individuals selected did not have proper authorizations documented for access to the data center. 13 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B functions. Promptly remove physical access rights to the ------ facility when an employee is terminated, thus, restricting access to the data center. Develop a formally documented process for granting normal and emergency access for ------ ---- -- to the-- --- production environment.

The access request and authorization should include specific justification for their access and be documented and retained. Develop a process to identify the workstations that have yet to install the ----- ------- - Continue to test and implement a standard real-time automated reporting process whereby information can be generated on all incidents, response, and recovery activities on a regular basis for servers and workstations. Develop a consistent process to respond to system flaw notifications and track reported security incidents. CBP-IT-05-15 ------------------- had access to the production environment.

CBP-IT-05-16 Improvements were still needed in CBP’s Incident Handling and Response Capability. Specifically, issues still exist related to incident prevention, response, recovery, and reporting. --- ---- - - --------------- ------------ - - ------ - - - --- - ---- ------------------------ -- ------ ------ -- ----------- ------ - - - - --- -------- -------- - -- ------ ---------------- -------------- -------- ---- ---- ------------ - -------- - - - ------- - - ------------ - - - -------- A formal automated reporting capability does not exist to report, in a timely manner, on the servers and workstations with identified vulnerabilities, the number that have been patched, and the number of servers that remain vulnerable. There is a process in place for tracking incidents. However, the weekly incident report process is not consistent and/or complete.

Incidents were not included on requested weekly reports and incident documentation was missing. Sample information or evidence was not available for system flaw notifications. CBP-IT-05-17 ------was not configured to indicate a company code setting of “productive.” CBP-IT-05-18 An excessive number of users had access to sensitive ------- unctions and high-risk combinations of functions. Perform a formal analysis of the company code setting to determine if it should be set to “productive.” This will prevent users with "mass deletion/change" access the ability to accidentally or purposely delete transactional data.

Ensure that the assignment of sensitive functions and high-risk combinations of functions to non- supervisory users is based on a documented business need and approved by a supervisory official. Exceptions from the guidance provided in the memorandum should be formally approved and 14 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B CBP-IT-05-19 A number of separated employees’ names appeared on the ----- active user access listing. CBP-IT-05-20 CBP-IT-05-21 CBP-IT-05-22 No process existed to formally document test plans, test cases, and test results for ----- security and configuration changes. The ----- Change Control Board was not performing formal business and customer impact analyses for ------change requests.

Logging of critical tables within ----- has not been activated. A formal analysis of the tables that should be logged in the-- ---- environment has not been performed, solely relying on recommendations of a previous audit. A certification and accreditation package for all components of the ------ LAN has not been completed. Specifically, a security control assessment was not conducted for the ------ LAN as a whole within the last year.

Also, a formal risk assessment was not conducted for all ------ LAN components. CBP-IT-05-23 NIST 800-26 assessments for the seven business areas within the seven Administrative Applications have not been completed. No efforts have been made to evaluate the need for a separate C&A for the applications remaining in the seven business process areas defined in the Administrative Applications C&A. Also, additional improvements in consolidated guidance were necessary to address the issue of linking risks/threats to requirements. documented. Determine whether the potential matches are actual matches.

Delete the accounts of any confirmed terminated employees. Continue to use the payroll feed to determine if a ----- user has terminated employment. Disable user accounts of separated employees and contractors as stated in CBP and NIST guidance. Formally document test plans, test cases, and test results for all - --- changes.

Formally document business and customer impact analyses for ------change requests. Perform a formally documented assessment of the tables that should be logged by ------ Complete the implementation of table logging within ------ Complete a security control assessment for all ------ LAN components and complete a risk assessment for all -------LAN components. Using federal guidelines outlining what constitutes a major application, consider reviewing the sensitivity of applications classified as part of------- administrative systems separately to determine which applications warrant individual C&As as major applications, and which applications should remain as part of the current Administrative C&A process. Based on results of the sensitivity review, perform separate C&As, where appropriate.

In accepting risks associated with ----- , consider establishing a relationship of identified risks to defined security requirements in ----- . This will assist in understanding what risks are mitigated by existing controls and what residual risks remain that management is willing to accept. Given that the ------ deployment may not be 15 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B completed by the end of the current ----- certification period, incorporate a risk-based approach for any re-certification efforts performed, where threats identified are tied to security requirements and mitigating controls. Consider development of definitive guidance for risk assessments and security plan criteria.

These criteria should be applied to tie identified risks and threats to security requirements and controls that mitigate risks to acceptable levels. This will allow for the adequate tracking and evaluation of risks and requirements throughout a system’s lifecycle. Therefore, management should be able to definitively recognize what acceptable risks remain. Develop a formal centralized process for tracking the termination of contract personnel.

Deactivate all systems access for terminated contractors immediately upon separation. Periodically distribute a listing of terminated contract personnel to information system administrators so they remove user access and periodically assess contractor access to systems. Modify the setting on the ------- --------- ---- --- -------------------- ----------- - ----- - to disconnect idle sessions as specified by agency policy or ensure the policy is accurate. (Note: ------------- - --------------- -- - ------ - - -- -- - ------------ -- -- - - ----- - ------ ---- -- - - ------ ----------------- - - --- - --- ----------- -- --- -- -- - ----- ------- --- ---- ------- - ---- - - --- ---- ----- ------- ---- ------- ----- ---- Continue to review and deactivate inactive accounts on a monthly basis.

Implement an automated mechanism to detect and deactivate inactive accounts. Continue to use the official authorization form for new VPN users. Re-certify all VPN employee accounts on a periodic basis and document results. Re-certify users with access - ------- ---- ------------ and document the evidence of the re-certification.

A centralized listing of separated contract personnel was not maintained. The only method employed to track terminated contractors was the use of a report of users that had their mainframe account deleted. This list was not representative of all terminated contractors since terminated contract personnel might not have had mainframe access or their access might not have been removed after their termination. The mainframe disconnected idle sessions after 30 minutes of inactivity rather than the prescribed 20 minutes of inactivity noted in the U.S. Customs and Border Protection, Information Systems Security Policies and Procedures Handbook. ----- did not have an automated mechanism to detect and deactivate users that had not logged on for 90 days.

Procedures to perform a monthly review for inactive accounts in July 2005 were implemented. However, for majority of FY 2005, this procedure was not in place. The formal process to grant VPN access using an authorization form was recently implemented. However, VPN access authorization forms were not available for the majority of employees selected.

Also, VPN employee accounts were not periodically re- certified. Action has not been taken to address the prior- year issue that users with access to-- ----- CBP-IT-05-24 CBP-IT-05-25 CBP-IT-05-26 CBP-IT-05-27 CBP-IT-05-28 16 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security - Customs and Border Protection Information Technology Management Letter September 30, 2005 NFR # Condition Recommendation Appendix B CBP-IT-05-29 CBP-IT-05-30 CBP-IT-05-31 ------------------ --------- --- ----- ----- may be excessive. In FY 2004, issues with access to ----- - -- ----- -- --- - ------- ------- -- -- ------- Some profiles with access to modify the ------------------ - - - - ------- -- represented a segregation of duties conflict. In FY 2005, --------was replaced by --- -- KPMG attempted to determine whether the same issue existed in ------ Information regarding whether --- -- -- ---- ---- - --- - - - - -- -- (or equivalent) were appropriately segregated could not be provided.

Action has not been taken to address the prior- year finding that the number of users with access to--------------------- , Recovery, and Backup datasets may be excessive. As part of the Common Local Area Network (LAN) Operating Environment (CLOE) type accreditation to perform formal risk assessments, ---- LANs dispersed across many field sites were not to be visited. As a result, management asserted that they were requiring each field site on the ‘non-recommended’ listing to submit a formal NIST 800-26 assessment for their LAN. Based on this, a sample of 15 field sites were selected from the non-recommended field site listing and we requested evidence of the NIST 800-26 review of their LAN.

In a sample of 15 field sites, three site assessments were not provided. Document that access to the -------- ------- - -------- - -- ---(or equivalent) is properly segregated. This includes a review -- --- - - - ---- - --- - - - - -- - access to determine if the current granted access is appropriate. Re-certify users with access to - - ------ ----------- Recovery, and Backup datasets.

Document the evidence of the re-certification. Continue to develop a formal process to ensure that all non-recommended field sites submit a NIST 800-26 LAN self-assessment in a timely manner. 17 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix C Appendix C Status of Prior Year Notices of Findings and Recommendations And Comparison To Current Year Notices of Findings and Recommendations 18 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix C Status of Prior Year Notices of Findings and Recommendations And Comparison To Current Year Notices of Findings and Recommendations Ref Condition Status CBP-IT-04-01 Inconsistent ----------- ------ ------- ----- ----------- to include excessive access to high-level functions Issue noted in FY 2005. See NFRs CBP-IT-05-02 and CBP- IT-05-03.

CBP-IT-04-02 Inconsistent application certification and accreditation for all applications in the seven business process areas defined as Administrative Applications Issue noted in FY 2005. See NFR CBP-IT-05-23. CBP-IT-04-03 Continuity of critical ---------- ------- operational functions is in question at CBP alternate processing site This condition has been corrected. CBP-IT-04-04 Excessive assignment of ----- sensitive functions and high-risk combinations Issue noted in FY 2005.

See NFR CBP-IT-05-18. CBP-IT-04-05 Controls in ------ can be overridden without supervisory approval Issue noted in FY 2005. See NFR CBP-IT-05-04. CBP-IT-04-06 Excessive access to ------ ---------------- - ------ -- -- --------------- ---- --- ----- This condition has been corrected.

CBP-IT-04-07 Inconsistent field site security program management Issue noted in FY 2005. See NFR CBP-IT-05-31. CBP-IT-04-08 Weaknesses identified in system logical access controls over network assets Issue noted in FY 2005. See NFR CBP-IT-05-09.

CBP-IT-04-09 Excessive access to ----- - vendor/bank tables Issue noted in FY 2005. See NFR CBP-IT-05-29. CBP-IT-04-10 Incomplete interconnection security agreements (ISAs) Issue noted in FY 2005. See NFR CBP-IT-05-11.

CBP-IT-04-11 Inconsistent and incomplete ---------------------- risk assessment This condition has been corrected. CBP-IT-04-12 Weaknesses identified in CBP’s on-line Transaction Processing System Security --------- Issue noted in FY 2005. See NFR CBP-IT-05-28. 19 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix C Ref Condition Status CBP-IT-04-13 Weaknesses in----------------- ------ Segregation of Duties Issue noted in FY 2005.

See NFR CBP-IT-05-01. CBP-IT-04-14 Weaknesses exist in CBP’s Incident Response Capability, specifically related to Detection and Incident Initiation; Response and Recovery; and Incident Server Patch Management Reporting. Issue noted in FY 2005. See NFR CBP-IT-05-16.

CBP-IT-04-15 Inconsistent review of - ------ ----- ------- logging documentation This condition has been corrected. CBP-IT-04-16 ----- Materials Management access control weakness regarding inconsistently documented authorizations Issue noted in FY 2005. See NFR CBP-IT-05-05. CBP-IT-04-17 ----- General Controls Environment for Materials Management Module: System access, user account management, and configuration weaknesses identified Issue noted in FY 2005.

See NFR CBP-IT-05-09. CBP-IT-04-18 Inconsistent use of least privilege principles regarding Mainframe User Groups’ access to sensitive datasets/utilities Issue noted in FY 2005. See NFR CBP-IT-05-30. 20 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D Appendix D Management Response to Draft CBP IT Management Letter 21 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D 22 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D 23 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D NFR# Condition Recommendation Completion Status Comme nts CBP-IT- 05-01 A number of ------ Ids had a segregation of duties conflict.

CBP-IT- 05-02 Three -------- ----- ----- - - -- -- --- - -- - ------------- --------- ------ - ---------------- ----------- - - - -- - ----------- ---------) to specify security modes for individual users without a justified business need. Two --------- -- ------------- ---- with ------------------- had full security administration privileges, which violated separation of duties principles. One SCA account had not been utilized since August 6, 2004. Completed 7/25/05 Completed 8/1/05 Coordinate with each filed office that has a segregation of duties conflict to either (1) correct the problem by removing the conflicting roles, or (2) sign a waiver to accept responsibility for issues arising from the segregation of duties conflict.

Continue to prevent new IDs with a segregation of duties conflict from being created. Remove unnecessary privileges and/or accounts given the exceptions we noted related to the authorities/functions granted to certain-- ----------------- Accesses granted should be based on the least privilege concept to the minimum number of personnel with a defined and documented need. As an alternate means of providing availability to functions not used on a regular basis, continue implementation of a - ------------ ------ ---- --- --- -- ---- -- --------) for use by authorized individuals during pre- determined circumstances. Establishment of a ----------- ------- would enable the removal of privileges from individuals who do not regularly require such access. --- - ---------- --- are controlled through the use of a hardcopy log, secure storage of passwords, auditing of all --------- --------activities, and suspension after each use.

24 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D CBP-IT- 05-03 CBP-IT- 05-04 After the reorganization of the Office of Information Technology (OIT), security administration functions at the ------- including mainframe security, network securities, and incident response, were not independent of the operations functions. Rather, the Security Operations Center reported to Technology Operations, which was not an independent security function. Due to the design of ------- certain controls could be overridden without supervisory approval. Management plans to implement functionality in the ------------------------------- -------------- - --------- to prevent the override capability.

KPMG noted that although ------ will eventually replace-------------- would not be implemented in FY 2005. CBP-IT- 05-05 Formal procedures for granting access to sensitive ------ technical team member roles have not been developed. Ensure that security administration functions remain independent of operations. In order to maintain independence, the security administration function should not report to operations management.

CBP did not concur Develop a process to mitigate the systemic -------weakness that certain controls can be overridden without supervisory approval. Considering the number of years necessary to fully replace -------functionality with ------- this process should be designed in a manner to ensure supervisory review of ------ overrides while maintaining a minimal burden on management. CBP should ensure that the new ------ system has the appropriate requirements for such controls and that these controls are applied prior to implementation. Formally establish a process for granting ------ access to sensitive technical team roles (e.g. basis and security team members) and consistently apply these processes.

The procedures should include requirements for documenting the authorization request and include the exact roles that should be granted. Additionally, the procedures should require a periodic documented recertification of the user roles within ------ Target completion date 7/31/08 Completed 12/1/05 25 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D CBP-IT- 05-06 The --------- contingency plan has not been updated with the results of the FY 2004 continuity of operations plan (COOP) tests. Additionally, the COP has not undergone the annual re-evaluation as required. Also, implementation of the new financial management system changed the mainframe environment to a client-server based ------ environment.

However, the plan has not been updated and, therefore, might contain outdated and improper contingency procedures for information systems and data. Update the --------- COOP with the most recent test results. Additionally, re-evaluate the COOP for overall contingency planning procedures on an annual basis, especially in the event of a major system change or upgrade, such as------- Completed 12/29/05 CBP-IT- 05-08 The requirement for initial security awareness training for employees and contractors was not consistently applied. Consistently apply the requirements for initial security awareness training for all employees and contractors upon initially establishing LAN/mainframe accounts to information systems.

Target completion date 8/31/06 26 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D Coordinate with DHS in developing enterprise-wide solutions for improving network and host-based system configuration design(s) to reduce the risks of compromise. Consider use of system administrator-level security management monitoring tools to detect and correct security deficiencies in preventing possible intrusions. Use of such tools should include a planned "prioritized" schedule for checking all servers. Proceed with the implementation of ---------------- ------------ -------- ------ - ------- ------ ---------- ---------- --------------- --- Provide and approve more robust standards for -------- ---- ---------------- -------------- -- for a standard and sustainable baseline set of system management security controls.

Consider development of a compliance-level policy that provides for adherence to agency password management policies. This policy should be developed at --------------- ------------------- where local system administrators and help desk staff may apply such policies (e.g. changing password age, account lockout, password uniqueness, password length, etc.). Target completion date 3/31/07 CBP-IT- 05-09 Improvements were still needed in security controls affecting --- - ------ ----------- ------ management and staff's system access to applications and data. For --------------------- -------- ---- ----------------- ---, review, justify, and ensure that the level of access is based on strict adherence to least privilege principles where the absolute minimum level necessary is applied.

As CBP moves with DHS toward more 27 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Two years ago CBP began an effort to upgrade our Novell Netware infrastructure from version 5.0 to version 6.5 in order to address the password recommendation and gain other improvements. More recently, CBP has initiated a project to convert to -------- ------------- ----------------- --- ------- -- - -- - in order to support DHS enterprise standards for network operating systems and desktop applications. This project will allow CBP to enforce strong passwords incrementally as ------ --------- - -- ----- - - ---- ---- ----- ------ is deployed to individual sites. Discontinuing the Novell upgrade and putting our efforts into the ------ --------------- ------- Active Directory deployment will allow CBP to comply with both the password recommendation and DHS standards sooner.

Appendix D Department of Homeland Security Information Technology Management Letter September 30, 2005 technologically efficient enterprise-wide solutions (e.g. centralized means of managing network assets), the ability to reduce current levels will be enhanced. CBP-IT- 05-10 ------ security audit log reviews were not evidenced for the majority of FY 2005. CBP-IT- 05-11 ------ administrator staff has not documented ISAs for all entities that connect with the ------- Although there was a ---- - ----------------------- ------ ----------- ----- of all partners that have an ISA with CBP, this database failed Continue to review the audit logs daily and maintain documented evidence. Complete efforts to identify all connections with the ------ and formally establish ISAs with these entities.

Complete efforts to identify ---- ------- ---------- ---- connections that are considered "legacy" connections and formally establish ISAs with these entities. Complete efforts to identify all Completed 5/31/05 Target completion date 6/1/06 28 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Appendix D Department of Homeland Security Information Technology Management Letter September 30, 2005 to capture all connections with ------- The majority of financial institutions connected to -------have not formally established ISAs. connections with the -------and formally establish ISAs with these entities. CBP-IT- 05-12 CBP-IT- 05-13 The "equipment" and "priority of service" requirements have not been annually updated. As a result, the agreement was outdated and did not reflect the current operating environment at ------- Nor formal process exists to confirm or enforce compliance with the ------ ----------------- ------------------- ------------ .

Although field site administrators were trained to perform the recertifications every six months, there was no management oversight to ensure that the field site administrators were performing the recertifications. Formally update the alternate processing site agreement to accurately reflect the current hardware and support that will be required of the alternate processing site vendor in the event of an emergency. Target completion date 3/31/06 Formalize the process to confirm or enforce compliance with the --------- -------------------- - - --- at the field sites and formally document the verification of the field site ------------ ---------- ---. Completed 9/12/05 CBP-IT- 05-14 Procedures have not been adequately implemented for restricting access to the data center located in ---------.

Specifically, nineteen out of thirty-two individuals selected did not have proper authorizations documented for access to the data center. Perform a formal review of all personnel who have access to the ------------- ---------- - to determine those who do not have a formal user access form in place. Establish a formally authorized user access form for each person identified. Confirm that current personnel with data center access actually need this access to perform their job functions.

Promptly remove physical access rights to the ------ facility when an employee is terminated, thus restricting access to the data center. Target completion date 3/31/07 29 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D CBP-IT- 05-15 --------------------- had access to the production environment. Develop a formally documented process for granting normal and emergency access for -------------- to the ------ production environment. The access request and authorization should include specific justification for their access and be documented and retained.

Completed 8/1/05 CBP-IT- 05-16 Improvements were still needed in CBP's Incident Handling and Response Capability. Specifically, issues still exist related to incident prevention, response, recovery, and reporting. -------------------------- -------- ---- ------------ - ---------- - ---------- --------------------------------- ---- --------------- - ------- --------------------------------------- -------------------------- - - ---- -- ------------------ --------- -------- ---------------------------------- ----------------- A formal automated reporting capability does not exist to report, in a timely manner, on the servers and workstations with identified vulnerabilities, the number that have been patched, and the number of servers that remain vulnerable. There is a process in place for tracking incidents. However, the weekly incident report process is not consistent and/or complete.

Incidents were not included on requested weekly reports and incident documentation was missing. Sample information or evidence was not available for system flaw notifications. Develop a process to identify the workstations that have yet to install the ---------------- Continue to test and implement a standard real-time automated reporting process whereby information can be generated on all incidents, response, and recovery activities on a regular basis for servers and workstations. Develop a consistent process to respond to system flaw notifications and track reported security incidents.

Target completion date to be determined 30 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D CBP-IT- 05-17 ------ was not configured to indicate a company code setting of "productive." CBP-IT- 05-18 An excessive number of users had access to sensitive ------ functions and high-risk combinations of functions. Completed 10/31/05 Target completion date 3/31/06 Perform a formal analysis of the company code setting to determine if it should be set to "productive." This will prevent users with "mass deletion/change" access the ability to accidentally or purposely delete transactional data. Ensure that the assignment of sensitive functions and high-risk combinations of functions to non- supervisory users is based on a documented business need and approved by a supervisory official. Exceptions from the guidance provided in the memorandum should be formally approved and documented.

Determine whether the potential matches are actual matches. Delete the accounts of any confirmed terminated employees. CBP-IT- 05-19 A number of separated employees' names appeared on the ------ active user access listing. Continue to use the payroll feed to determine if a ------ user has terminated employment.

Completed 1/24/06 Disable user accounts of separated employees and contractors as stated in CBP and NIST guidance. No process existed to formally document test plans, test cases, and test results for ------ security and configuration changes. The ------ Change Control Board was not performing formal business and------ omer impact analyses for ------ change requests. Logging of critical tables with ------ has not been activated.

A formal analysis of the tables that should be logged in the ------ environment has not been performed, solely CBP-IT- 05-20 CBP-IT- 05-21 Formally document test plans, test cases, and test results for all ------ changes. Formally document business and customer impact analyses for ------ change requests. Completed 1/24/06 Perform a formally documented assessment of the tables that should be logged by ------. Complete the implementation of table logging within ------ Completed 1/25/06 31 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 relying on recommendations of a previous audit.

Appendix D CBP-IT- 05-22 A certification and accreditation package for all components of the------- LAN has not been completed. Specifically, a security control assessment was not conducted for the ------ LAN as a whole within the last year. Also, a formal risk assessment was not conducted for all------- LAN components. Complete a security control assessment for all ------ LAN components and complete a risk assessment for all ------ LAN components.

Target completion date 7/1/06 CBP-IT- 05-23 NIST 800-26 assessments for the seven business areas with the seven Administrative Applications have not been completed. No efforts have been made to evaluate the need for a separate C&A for the applications remaining in the seven business process areas defined in the Administrative Applications C&A. Also, additional improvements in consolidated guidance were necessary to address the issue of linking risks/threats to requirements. Using federal guidelines outlining what constitutes a major application, consider reviewing the sensitivity of applications classified as part of the ------ administrative systems separately to determine which applications warrant individual C&As as major applications, and which applications should remain as part of the current Administrative C&A process. Based on results of the sensitivity review, perform separate C&As, where appropriate.

In accepting risks associated with ------- consider establishing a relationship of identifying risks to defined security requirements in ------- This will assist in understanding what risks are mitigated by existing controls and what residual risks remain that management is willing to accept. Given that the ------ deployment may not be completed by the end of the current ------ certification period, incorporate a Completed 8/15/05 32 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D risk-based approach for any recertification efforts performed, where threats identified are tied to security requirements and mitigating controls. Consider development of definitive guidance for risk assessments and security plan criteria. These criteria should be applied to tie identified risks and threats to security requirements and controls that mitigate risks to acceptable levels.

This will allow for the adequate tracking and evaluation of risks and requirements throughout a systems lifecycle. Therefore, management should be able to definitely recognize what acceptable risks remain. CBP-IT- 05-24 A centralized listing of separated contract personnel was not maintained. The only method employed to track terminated contractors was the use of a report of users that had their mainframe account deleted.

This list was not representative of all terminated contractors since terminated contract personnel might not have had mainframe access or their access might not have been removed after their termination. Develop a formal centralized process for tracking the termination of contract personnel. Deactivate all system access for terminated contractors immediately upon separation. Periodically distribute a listing of terminated contract personnel to information system administrators so they remove user access and periodically assess contractor access to systems.

Target completion date 3/31/07 33 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D CBP-IT- 05-25 CBP-IT- 05-26 CBP-IT- 05-27 CBP-IT- 05-28 CBP-IT- 05-29 The mainframe disconnected idle sessions after 30 minutes of inactivity rather that the prescribed 20 minutes of inactivity noted in the U.S. Customs and Border Protection Information Systems Security Policies and Procedures Handbook. ------ did not have an automated mechanism to detect and deactivate users that had not logged on for 90 days. Procedures to perform a monthly review for inactive accounts in July 2005 were implemented. However, for the majority of FY 2005, this procedure was not in place. The formal process to grant VPN access using an authorization form was recently implemented.

However, VPN access authorization forms were not available for the majority of employees selected. Also, VPN employee accounts were not periodically recertified. Action has not yet been taken to address the prior-year issue that users with access to ------------------------- ----------- ------------------- may be excessive. In FY 2004, issues with access to ------------------- --- ------------- - were reported.

Some profiles with access to modify the ------------------- ---- ------------- - represented a segregation of duties conflict. In FY 2005, ------- was replaced by ------ KPMG attempted to determine whether the same issue Modify the setting on --------------- ---------------------------------- --- ------ ---------------- to disconnect idle sessions as specified by agency policy or ensure the policy is accurate. (Note: -------- ---------------- -------------------------- ----------------- ----- ---- ------- -- ------ --- ----- - - ----- -------------------- ----------------- ------- ----- ---------- --------------- -- ----------- ----- - ------- ------------------ -------------- ---------- Completed 9/29/05 Continue to review and deactivate inactive accounts on a monthly basis. Implement an automated mechanism to detect and deactivate inactive accounts.

Target completion date 5/31/06 Continue to use the official authorization form for new VPN users. Recertify all VPN employee accounts on a periodic basis and document results. Target completion date to be determined Recertify users with access - ----------------- ------ and document the evidence of the recertification. Completed 11/1/05 Document that access to the ---------------------------------- --- (or equivalent) is properly segregated.

This includes a review of ---- -------- ------- -- ------- access to determine if the current granted access is appropriate. Completed 8/30/05 34 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Department of Homeland Security Information Technology Management Letter September 30, 2005 Appendix D existed in ------ Information regarding whether------- ----------- ----- ---------- --- (or equivalent) were appropriately segregated could not be provided. Action has not been taken to address the prior-year finding that that number of users with access to --- ------------------ , Recovery, and Backup datasets may be excessive. As part of the Common Local Area Network (LAN) Operating Environment (CLOE) type accreditation to perform formal risk assessment, ----- LANs dispersed across many field sites were not to be visited.

As a result, management asserted that they were requiring each field site on the "non-recommended" listing to submit a formal NIST 800-26 assessment for their LAN. Based on this, a sample of 15 field sites was selected from the non-recommended field site listing and we requested evidence of the NIST 800-26 review of their LAN. In a sample of 15 field sites, three site assessments were not provided. CBP-IT- 05-30 CBP-IT- 05-31 Recertify users with access to ----------------------- Recovery, and Backup datasets.

Document the evidence of the recertification. Completed 8/11/05 Continue to develop a formal process to ensure that all non- recommended field sites submit a NIST 800-26 LAN self- assessment in a timely manner. Completed 9/9/05 35 Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Report Distribution Department of Homeland Security Secretary Deputy Secretary General Counsel Chief of Staff Executive Secretariat Under Secretary, Management Commissioner, CBP DHS Chief Information Officer DHS Chief Financial Officer Chief Information Officer, CBP Assistant Secretary, DHS Public Affairs Assistant Secretary, DHS Policy DHS Audit Liaison Chief Information Officer Audit Liaison CBP Audit Liaison Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees as Appropriate Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial Statement Audit Additional Information and Copies To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig. OIG Hotline To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations – Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax the complaint to (202) 254-4292; or email [email protected].

The OIG seeks to protect the identity of each writer and caller.

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.