[ISN] IG: Coast Guard IT controls leave TSA data vulnerable

From: InfoSec News (alerts@private)
Date: Wed Jan 17 2007 - 22:07:05 PST


By Brian Robinson
Jan. 17, 2007

Information technology management problems at the U.S. Coast Guard are 
causing concerns about the Transportation Security Administration's 
financial and operational data, according to an inspector general's 
report [1].

The problem is that the Coast Guard, which hosts several key financial 
applications for TSA, needs to improve the internal controls over its 
information systems and processes, according to the recent report by the 
Department of Homeland Security's Inspector General.

The agency has made some gains since an earlier audit by the IG's 
office, but more needs to be done, according to the report. Until that 
happens, the confidentiality, integrity and availability of the TSA data 
cannot be assured, the report states.

The redacted report does not identify the particular system in question, 
but the problems, according to the document, stem from challenges 
related to the merging of numerous IT functions and processes, as well 
as overall organizational shortages.

In some cases, auditors found instances of missing or weak user 
passwords and missing or poorly configured security patches. They found 
that weaknesses in some system software could enable users to skirt 
security control and allow authorized system users to gain unauthorized 
access to certain system privileges.

Application software development and change control procedures were also 
found to be inconsistent with both DHS and federal guidance, the IG 
said. For example, auditors found incomplete documentation of risk 
assessments for software patches and for test plans and their results.

Officials at both TSA and the Coast Guard agreed with the observations 
in the report, which covered fiscal year 2005. However, agency officials 
also responded that they had already begun to address many of the 
weaknesses in fiscal 2006 and that the remainder would be tackled during 
fiscal 2007.

[1] http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_07-18_Dec06.pdf

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:24:18 PST