DHS OIG, OIG-12-77, Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit (2012)

DHS OIG

Section: Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit

Effective: 5/1/2012

Bluebook Citation: DHS OIG, OIG-12-77, Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit (2012)

Department of Homeland Security Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit OIG-12-77 May 2012 Office of Inspector General U.S. Department of Homeland Security Washington, DC 20528 May 1, 2012 Preface The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department. This report presents the information technology (IT) management letter for the FY 2011 U.S. Customs and Border Protection (CBP) Component financial statement audit as of September 30, 2011. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors’ Report dated January 27, 2012 and presents the separate restricted distribution report mentioned in that report.

The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the CBP component in support of the DHS FY 2011 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or conclusion on compliance with laws and regulations. The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation.

We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report. Frank Deffer Assistant Inspector General Office of Information Technology Audits KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006 March 28, 2012 Acting Inspector General U.S. Department of Homeland Security Chief Information Officer and Chief Financial Officer U.S. Customs and Border Protection We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a Component of the U.S. Department of Homeland Security (DHS), as of September 30, 2011 and 2010, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.

In connection with our fiscal year (FY) 2011 engagement, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting.

Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our audit of CBP as of, and for the year ended, September 30, 2011, disclosed a significant deficiency in the areas of Information Technology (IT) security management, access controls, configuration management, segregation of duties, contingency planning, and application controls. These matters are described in the General IT Control Findings and Recommendations and the Application Control Finding and Recommendation sections of this letter. The significant deficiency described above is presented in our Independent Auditors’ Report, dated January 27, 2012. This letter represents the separate restricted distribution letter mentioned in that report.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity. The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

We aim to use our knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. The Table of Contents on the next page identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2011 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. This communication is intended solely for the information and use of DHS and CBP management, the DHS Office of Inspector General (OIG), the OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties. Very truly yours, Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 INFORMATION TECHNOLOGY MANAGEMENT LETTER TABLE OF CONTENTS Objective, Scope, and Approach Summary of Findings and Recommendations General IT Control Findings and Recommendations Security Management After-Hours Physical Security Testing Social Engineering Testing Access Control Configuration Management Segregation of Duties Contingency Planning Application Control Finding and Recommendation Appendix Subject APPENDICES A B C D Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2011 DHS Financial Statement Audit FY 2011 Notices of IT Findings and Recommendations at CBP - Notices of Findings and Recommendations – Definition of Severity Ratings Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at CBP Report Distribution Page 1 2 3 3 4 5 5 5 5 6 8 Page 9 12 13 17 19 Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 OBJECTIVE, SCOPE, AND APPROACH We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), and related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter, referred to as “consolidated financial statements”) as of September 30, 2011 and 2010.

In connection with our audit of CBP’s consolidated financial statements, we performed an evaluation of general information technology controls (GITCs), to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our GITC evaluation procedures. The scope of the GITC evaluation is further described in Appendix A. FISCAM was designed to inform financial auditors about information technology (IT) controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.

FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment: • Security Management (SM) – Controls provide reasonable assurance that security management is effective. • Access Control (AC) – Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals. • Configuration Management (CM) – Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended. • Segregation of Duties (SD) – Controls provide reasonable assurance that incompatible duties are effectively segregated. • Contingency Planning (CP) – Controls provide reasonable assurance that contingency planning: (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur. To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the CBP environment. The technical security testing was performed from within select CBP facilities, and focused on production devices that directly support key general support systems. In addition, we performed application control tests on a limited number of CBP’s financial systems.

The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as follows: Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 SUMMARY OF FINDINGS AND RECOMMENDATIONS During FY 2011, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements over various system logical access processes and system security settings.

However, during FY 2011, we identified new and continuing general IT control weaknesses that could potentially impact CBP’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we considered them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants.

The IT findings were combined into a significant deficiency regarding IT for the FY 2011 audit of the CBP consolidated financial statements. In FY 2011, our IT audit work identified 36 IT findings, of which 19 were repeat findings from the prior year and 17 were new findings. In addition, we determined that CBP remediated 4 IT findings identified in previous years. Collectively, these findings represent deficiencies in all five FISCAM key control areas, as well as deficiencies related to financial system functionality.

These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited thereby compromising the integrity of financial data used by management and reported in CBP’s financial statements. The recommendations made by us in this report are intended to be helpful, and may not fully remediate the related deficiency. CBP management has the responsibility to determine the most appropriate methods for addressing the weaknesses identified based on their system capabilities and available resources. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS Findings: During the FY 2011 CBP financial statement audit, we identified the following IT and financial system control deficiencies that in the aggregate are considered a significant deficiency: Security Management • Systems certification and accreditation: - - - System security plan updates were not current or effectively communicated for one system; Security test and evaluation documentation was not completed annually for multiple systems, in accordance with DHS policy; and Interconnection security agreements (ISA) were not fully documented for one system. • Non-current policies and procedures: - Separation procedures for contract employees were out of date and included incomplete and inaccurate references. • Lack of compliance with existing policies: - - IT-based specialized security training requirements had not been fully implemented and enforced; Several instances where background investigations of federal employees and contractors employed to operate, manage and provide security over IT systems were not being properly conducted; - Non-disclosure agreements were not consistently completed; - - Exit processing procedures for transferred/terminated personnel, including contractors, were not consistently followed or communicated internally in a timely manner; and Evidence on whether CBP workstations that are not currently part of the Microsoft Active Directory are being managed to receive current security patches could not be provided.

Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 After-Hours Physical Security Testing During the after-hours physical security walkthrough of selected CBP locations in the Washington, D.C. area, 18 instances were identified where assets and information with inadequate protection against unauthorized access, misuse, or misappropriation. Specific weaknesses identified and the locations where the instances were identified are included in the following matrix: Exceptions Noted Passwords For Official Use Only (FOUO) Keys/Badges Personally Identifiable Information (PII) Server Names/IP Addresses External Drives, Removable Media, Blackberries, or Other Unsecured Property Credit Card Numbers Classified Documents Total Exceptions by Location NDC-7 (BLM Building) 0 0 0 1 1 1 1 0 4 CBP Locations Tested NDC-1 Beauregard (Alexandria) Tyson’s Corner National Place Total Exceptions by Type 2 2 0 5 1 0 0 0 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 1 0 1 0 0 4 4 2 0 7 2 2 1 0 18 Note that approximately 15 desks / offices were examined at each of the locations above. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 Social Engineering Testing Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing /enabling computer system access. The term typically applies to deception for the purpose of information gathering, or gaining computer system access, shown in the following table: Total Called 36 Total Answered Number of people who provided a username and/or password 25 1 – Both User Name and Password Access Control • Deficiencies in management of application and/or database accounts, network, and remote user accounts: - Strong password requirements were not enforced for network accounts; - User account lists were not periodically reviewed for appropriateness, and users were not disabled or removed promptly upon personnel termination; and - Initial access and modified access granted to application and/or database, network, and remote users were not properly documented and authorized. • Ineffective or insufficient use of available audit logs: - Logs of auditable events were not being reviewed to identify potential incidents, or were reviewed by those with conflicting roles; and - Documented procedures for audit log follow-up did not meet DHS requirements.

Configuration Management • Lack of documented policies and procedures: - Configuration, vulnerability, and patch management plans had not been established and implemented, or did not comply with DHS policy. • Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems. Segregation of Duties • Lack of evidence to show that least privilege and segregation of duties controls exist for one system; and • Users with privileged access were granted conflicting roles which compromised segregation of duties principles. Further, mitigating controls were not in place to identify unauthorized activities performed by individuals with conflicting access roles. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 Contingency Planning • One system’s contingency plan was not updated based on recent testing results; and • Access to backup media was not regularly reviewed and updated based on changes to personnel staffing and job roles.

Recommendations: We recommend that the CBP Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to CBP’s financial management systems and associated information technology security program. Security Management • Update systems security policies and procedures to be in compliance with DHS policy. • Maintain and update and system security plans and other relevant system documentation to reflect current conditions and results of testing and control reviews. • Maintain current ISAs for in-scope applications, and maintain a current listing of these interconnections. • Maintain, update, and communicate personnel hiring and termination policies. In addition, enforce the implementation of internal controls for the personnel processes including the completion of non-disclosure agreements. • Complete all investigations and periodic reinvestigations of personnel as required by DHS policy during fiscal year 2012. • Continue with the development and testing of a Role-Based Security Training (RBST) pilot program based on the DHS RBST program model. • Develop a process to ensure workstations are properly updated with security patches. After-Hours Physical Security Testing: • Continue efforts to enhance the CBP security awareness campaigns.

Social Engineering Testing: • Implement multiple types of security awareness reminders and opportunities to educate users on the importance of protecting CBP information systems and data. Access Control • Implement and configure technology to record user account changes. In addition, implement a process to regularly and independently reconcile changes made to user accounts within the application to source authorization documentation. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 • Ensure that all requests for general and emergency access to applications, systems, and networks, including remote users, are supported by an appropriately authorized request for access.

Conduct training for security administrators as necessary to ensure compliance with this process. • Recertify, revalidate, and update privileged and non-privileged user access. • Revoke user access in a timely manner when personnel are transferred, separated from the organization, or when job duties change and no longer necessitate a need for system access. • • Implement a process for logging changes to critical and sensitive data and regularly reviewing the contents of these logs. Maintain evidence of the review of these logs. Implement controls to enforce password complexity requirements including protecting against the use of passwords that contain dictionary-based words. Configuration Management • Finalize and formally distribute an updated configuration management plan. • Patch, upgrade, correct, or obtain waivers for any identified weaknesses as a result of the IT technical vulnerabilities assessment.

Segregation of Duties • Identify system and application roles that should not be combined based on the principles of segregation of duties. When segregation of duties are compromised based on a valid business reason, perform and document independent reviews of activities executed by users with non­ segregated access. Contingency Planning • Maintain current contingency plans for the in-scope systems that reflect current conditions and the results of testing the contingency plans. • Periodically recertify personnel with access to backup media stored off site. Maintain documentation of this recertification of access.

Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S Customs and Border Protection Information Technology Management Letter September 30, 2011 APPLICATION CONTROL FINDING AND RECOMMENDATION During the FY 2011 CBP financial statement audit, we identified the following application control and financial system functionality deficiency that, when aggregated with the GITC deficiencies, is considered a significant deficiency: Finding: • One financial system lacks the controls necessary to prevent, or detect and correct excessive drawback claims. Specifically, the programming logic for the system does not link drawback claims to imports at a detailed, line item level. This would potentially allow the importer to receive claims in excess of an allowable amount. Recommendation: • We recommend that the CBP CIO and CFO, in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer prioritize, develop, and deploy functionality that will allow CBP to prevent or detect and correct excessive drawback claims.

Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix A Appendix A Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2011 DHS Financial Statement Audit Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix A Below is a description of significant U.S. Customs and Border Protection (CBP) financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2011 financial statement audit. Automated Commercial Environment (ACE) ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that this system will replace ACS when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies.

ACE is being deployed in phases, without a final, full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2011 financial statement audit. The ACE system is located in Virginia (VA). Automated Commercial System (ACS) ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government.

ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system was included in full scope in the FY 2011 financial statement audit. The ACS system is located in VA. National Data Center – Local Area Network (NDC LAN) The NDC-LAN was absorbed by the DC Metro LAN and the Data Center Infrastructure LAN during the end of FY 2011.

The NDC-LAN provided more than 1,200 CBP contractor and employee user’s access to enterprise-wide applications and systems. The mission of the NDC-LAN was to the support Field Offices/Agents with applications and technologies in the securing and protection of our nation's borders. The NDC-LAN consisted of five Novell NetWare 6.5 servers, various workstations and printers/plotters, 11 Cisco switches, and the associated Novell Netware management applications. There were no major or minor applications running on the NDC-LAN other than the file and print services associated with the Novell NetWare servers.

The NDC-LAN was an unclassified system processing For Official Use Only (FOUO) data. As the NDC-LAN included the environment where the ACE, ACS, and SAP applications physically reside, the NDC- LAN was included in limited scope in the FY 2011 financial statement audit. The NDC LAN is located in VA. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix A Systems, Applications, and Products, Enterprise Central Component (SAP ECC) SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules.

These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC financial management system was included in full scope in the FY 2011 financial statement audit. The SAP ECC system is located in VA. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix B FY 2011 Notices of IT Findings and Recommendations at CBP Appendix B Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix B Notices of Findings and Recommendations (NFR) – Definition of Severity Ratings: Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the CBP Independent Auditors’ Report.

1 – Not substantial 2 – Less significant 3 – More significant The severity ratings indicate the degree to which the deficiency influenced the determination of severity for reporting purposes. These ratings are provided only to assist CBP in prioritizing the development of its corrective action plans for remediation of the deficiency. Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit B x i d n e p p A t a e p e R e u s s I w e N e u s s I 1 1 0 2 y t i r e v e S g n i t a R X X X X X X X X X X X X X X X X 2 2 2 3 3 3 2 1 2 2 2 2 3 3 3 2 y t i r u c e S d n a l e m o H f o t n e m t r a p e D n o i t c e t o r P r e d r o B d n a s m o t s u C . . S U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 1 1 0 2 , 0 3 r e b m e t p e S a e r A l o r t n o C M A C S I F e l t i T R F N s l o r t n o C s s e c c A y t i r u c e S d e c n a h n E g n i r u D d e i f i t n e d I d e u s s I s s e n e r a w A y t i r u c e S g n i t s e T # R F N 1 1 0 2 Y F 1 0 - 1 1 - T I - P B C t n e m e g a n a M y t i r u c e S m a r g o r P g n i n i a r T y t i r u c e S d e s a b - e l o R e t a u q e d a n I 3 0 - 1 1 - T I - P B C s l o r t n o C s s e c c A g n i t s e T y t i r u c e S d e c n a h n E g n i r u D d e i f i t n e d I s e u s s I y t i r u c e S l a c i s y h P 2 0 - 1 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A g n i n n a l P y c n e g n i t n o C t n e m e g a n a M y t i r u c e S t n e m e g a n a M y t i r u c e S s l o r t n o C s s e c c A o t s s e c c A y r a r o p m e T / y c n e g r e m E r e p o l e v e D f o g n i r o t i n o M f o k c a L n o i t c u d o r P m e t s y S P B C 7 0 - 1 1 - T I - P B C s e s s e n k a e W w e i v e R s g o L t i d u A r e v r e S l l e v o N m e t s y S P B C 8 0 - 1 1 - T I - P B C d e w e i v e R t o N e r a s g o L e g n a h C e l i f o r P r e s U m e t s y S P B C 5 0 - 1 1 - T I - P B C m e t s y S P B C a n i h t i W s e s s e n k a e W l o r t n o C s e i t u D f o n o i t a g e r g e S 4 0 - 1 1 - T I - P B C d e t a d p U n e e B t o N s a H n a l P y c n e g n i t n o C m e t s y S P B C 9 0 - 1 1 - T I - P B C P B C r o f s n o i t a g i t s e v n i e R d n a s n o i t a g i t s e v n I d n u o r g k c a B e t e l p m o c n I s r o t c a r t n o C d n a s e e y o l p m E r o t c a r t n o C d n a d e t a d p U t o N e r e W s e r u d e c o r P n o i t a r a p e S r o t c a r t n o C d e n i a t n i a M t o N e r a s m r o F n o i t a r a p e S 1 1 - 1 1 - T I - P B C 2 1 - 1 1 - T I - P B C n a l P y t i r u c e S m e t s y S P B C o t e t a d p U f o k c a L 0 1 - 1 1 - T I - P B C s l o r t n o C s s e c c A s t s e u q e R e g n a h C s s e c c A m e t s y S P B C f o n o i t a t n e m u c o D e t a u q e d a n I 3 1 - 1 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s s e c c A e t o m e R w e N r o f s m r o F l a v o r p p A t s e u q e R s s e c c A e t e l p m o c n I s t n u o c c A r e s U 7 1 - 1 1 - T I - P B C P B C w e N r o f s l a v o r p p A d n a s m r o F t s e u q e R s s e c c A e t e l p m o c n I s t n u o c c A m e t s y S 5 1 - 1 1 - T I - P B C d e w e i v e R t o N e r A s g o L e g n a h C e l i f o r P r e s U m e t s y S P B C 4 1 - 1 1 - T I - P B C s r e s U m e t s y S P B C f o n o i t a c i f i t r e c e R l a u n n A f o k c a L 6 1 - 1 1 - T I - P B C t i d u A t n e m e t a t S l a i c n a n i F n o i t c e t o r P r e d r o B d n a s m o t s u C . .

S U 1 1 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 4 1 e g a P B x i d n e p p A y t i r u c e S d n a l e m o H f o t n e m t r a p e D n o i t c e t o r P r e d r o B d n a s m o t s u C . . S U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 1 1 0 2 , 0 3 r e b m e t p e S t a e p e R e u s s I w e N e u s s I 1 1 0 2 y t i r e v e S g n i t a R a e r A l o r t n o C M A C S I F e l t i T R F N X X X X X X X X X X X X X X X X X X 2 2 2 3 3 2 2 2 3 2 2 3 3 2 2 2 1 3 s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A s l o r t n o C s s e c c A r o f s t n e m e e r g A y t i r u c e S n o i t c e n n o c r e t n I f o n o i t a t n e m u c o D e t e l p m o c n I s n o i t c e n n o C m e t s y S P B C s t n u o c c A m e t s y S P B C r o f s l a v o r p p A d n a s t s e u q e R s s e c c A f o k c a L 2 2 - 1 1 - T I - P B C e t e l p m o c n I e r a s t n e m e e r g A e r u s o l c s i D - n o N r o t c a r t n o C 9 1 - 1 1 - T I - P B C d e w e i v e R y l e t a i r p o r p p A t o N s g o L t i d u A m e t s y S P B C 1 2 - 1 1 - T I - P B C s s e c o r P n o i t a r a p e S e e y o l p m E e h t r e v O s e s s e n k a e W 0 2 - 1 1 - T I - P B C t n e m e g a n a M n o i t a r u g i f n o C t o N s e r u d e c o r P d n a s e i c i l o P t n e m e g a n a M n o i t a r u g i f n o C m e t s y S P B C d e t n e m u c o D y l l a m r o F 4 2 - 1 1 - T I - P B C t n e m e g a n a M y t i r u c e S ) E & T S ( n o i t a u l a v E & t s e T y t i r u c e S m e t s y S P B C o t e t a d p U f o k c a L 3 2 - 1 1 - T I - P B C s l o r t n o C s s e c c A s l o r t n o C s s e c c A t n e m e g a n a M y t i r u c e S t n e m e g a n a M y t i r u c e S s l o r t n o C s s e c c A s l o r t n o C n o i t a c i l p p A y t i l i b a r e n l u V l a c i n h c e T e h t g n i r u D d e i f i t n e d I s e s s e n k a e W y t i r u c e S t n e m s s e s s A 7 2 - 1 1 - T I - P B C s r o t a c i t n e h t u A k r o w t e N d e w o l l A n i s e s s e n k a e W 5 2 - 1 1 - T I - P B C s e s s e n k a e W w e i v e R s g o L t i d u A m e t s y S P B C 6 2 - 1 1 - T I - P B C g n i t s i L r e s U m e t s y S P B C n o l e n n o s r e P d e t a r a p e S 0 3 - 1 1 - T I - P B C m e t s y S P B C a n i y t i l a n o i t c n u F f o k c a L 1 3 - 1 1 - T I - P B C s n o i t a t s k r o W P B C f o e r u t s o P y t i r u c e S 8 2 - 1 1 - T I - P B C s l o r t n o C s s e c c A m e t s y S P B C o t s e g e l i v i r P s s e c c A e v i t c A h t i w l e n n o s r e P d e t a r a p e S 2 3 - 1 1 - T I - P B C t n e m e g a n a M y t i r u c e S t n e m e g a n a M y t i r u c e S g n i n n a l P y c n e g n i t n o C s l o r t n o C s s e c c A s r e s U m e t s y S P B C f o n o i t a c i f i t r e c e R l a u n n A f o k c a L 6 3 - 1 1 - T I - P B C e t e l p m o c n I s i n o i t a c i f i t r e c e R a i d e M o t s s e c c A 5 3 - 1 1 - T I - P B C E & T S m e t s y S P B C o t e t a d p U f o k c a L 3 3 - 1 1 - T I - P B C E & T S m e t s y S P B C o t e t a d p U f o k c a L 4 3 - 1 1 - T I - P B C # R F N 1 1 0 2 Y F 8 1 - 1 1 - T I - P B C t i d u A t n e m e t a t S l a i c n a n i F n o i t c e t o r P r e d r o B d n a s m o t s u C . . S U 1 1 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 5 1 e g a P B x i d n e p p A t a e p e R e u s s I w e N e u s s I X X 1 1 0 2 y t i r e v e S g n i t a R 3 3 y t i r u c e S d n a l e m o H f o t n e m t r a p e D n o i t c e t o r P r e d r o B d n a s m o t s u C . . S U r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 1 1 0 2 , 0 3 r e b m e t p e S a e r A l o r t n o C M A C S I F e l t i T R F N # R F N 1 1 0 2 Y F s l o r t n o C s s e c c A s l o r t n o C s s e c c A n o i t c u d o r P e h t r e v o s e s s e n k a e W s e i t u D f o n o i t a g e r g e S m e t s y S P B C t n e m n o r i v n E 8 3 - 1 1 - T I - P B C s e s s e n k a e W s s e c c A r e s U d e g e l i v i r P m e t s y S P B C 7 3 - 1 1 - T I - P B C . e c n e u q e s s i h t n i d e s u t o n e r e w 9 2 - 1 1 - T I - P B C d n a 6 0 - 1 1 - T I - P B C s r e b m u n s R F N : 1 e t o N s e s o p r u p y t i r u c e s r o f ” m e t s y S P B C “ h t i w d e c a l p e r e r e w s e m a n m e t s y s c i f i c e p S : 2 e t o N t i d u A t n e m e t a t S l a i c n a n i F n o i t c e t o r P r e d r o B d n a s m o t s u C . .

S U 1 1 0 2 Y F e h t r o f r e t t e L t n e m e g a n a M y g o l o n h c e T n o i t a m r o f n I 6 1 e g a P Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 Appendix C Appendix C Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at CBP Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Department of Homeland Security U.S. Customs and Border Protection Information Technology Management Letter September 30, 2011 NFR # Description CBP-IT-10-01 Separated Employees on System User Listings CBP-IT-10-02 Segregation of Duties Control Weaknesses Within a CBP System CBP-IT-10-03 CBP System Audit Log Reviews are Not Formally Documented to Include All Appropriate Information and Detail CBP-IT-10-04 Recertification Review of CBP System User Accounts CBP-IT-10-05 CBP-IT-10-06 Security Awareness Issue Identified During Enhanced Security Testing Incomplete Access Request Forms and Approvals For New CBP System Accounts Appendix C Disposition Closed Repeat X X CBP-IT-11-04 CBP-IT-11-26 CBP-IT-11-01 CBP-IT-11-15 CBP-IT-10-07 Physical Security Issues Identified During Enhanced Security Testing CBP-IT-11-02 CBP-IT-10-08 Contractor Separation Procedures are Not Updated and Contractor Separation Forms are Not Maintained CBP-IT-10-09 Employee Separation Forms are not Maintained CBP-IT-10-10 Non-Disclosure Agreements for CBP Contractors in Moderate and High-level Risk Positions are Not Completed CBP-IT-10-11 Installation of Virus Protections on CBP Workstations CBP-IT-10-12 Inadequate Role-Based Security Training Program CBP-IT-10-13 Raised Floor Access Authorization Process Weaknesses X CBP-IT-10-14 CBP System User Profile Change Logs are Not Reviewed CBP-IT-10-15 Vulnerability Assessment Weaknesses with CBP Systems CBP-IT-10-16 Incomplete Documentation of Interconnection Security Agreements (ISA) for CBP System Participating Government Agencies (PGA) Connections CBP-IT-10-17 Lack of Access Requests and Approval for CBP System Account CBP-IT-10-18 CBP-IT-10-19 CBP-IT-10-20 CBP-IT-10-21 CBP-IT-10-22 Evidence of Personnel Authorization to Access Backup Media Not Available CBP System User Access Profile Change Log Review Procedures Have Not Been Implemented Unauthorized Access Attempt Setting for the Mainframe Have Not Been Configured Background Investigations and Reinvestigations for CBP Employees and Contractors are Not Completed Lack of Monitoring of Developer Emergency/Temporary Access to CBP System Production CBP-IT-10-23 Lack of Access Requests and Approval for CBP System Accounts CBP-IT-10-24 CBP System Functionality Issues Note: Specific system names were replaced with “CBP System” for security purposes. X CBP-IT-11-12 CBP-IT-11-20 CBP-IT-11-19 CBP-IT-11-28 CBP-IT-11-03 CBP-IT-11-05 CBP-IT-11-27 CBP-IT-11-18 CBP-IT-11-22 CBP-IT-11-35 CBP-IT-11-05 CBP-IT-11-11 CBP-IT-11-07 CBP-IT-11-13 CBP-IT-11-31 Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit Appendix D Department of Homeland Security Immigration and Customs Enforcement Information Technology Management Letter September 30, 2011 Report Distribution Department of Homeland Security Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Commissioner, CBP DHS Chief Information Officer DHS Chief Financial Officer Chief Financial Officer, CBP Chief Information Officer, CBP Chief Information Security Officer Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs DHS GAO/OIG Audit Liaison Chief Information Officer, Audit Liaison CBP Audit Liaison Office of Management and Budget Chief, Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Committees, as appropriate Information Technology Management Letter for the FY 2011 U.S. Customs and Border Protection Financial Statement Audit ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to our OIG Office of Public Affairs at [email protected]. For additional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter @dhsoig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to Department of Homeland Security programs and operations: • Call our Hotline at 1-800-323-8603 • Fax the complaint directly to us at (202)254-4292 • E-mail us at [email protected]; or • Write to us at: DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigation - Hotline, 245 Murray Drive SW, Building 410 Washington, DC 20528 The OIG seeks to protect the identity of each writer and caller.

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.