[ISN] DHS IG: Weak internal controls put financial data at risk

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 01:04:02 PDT


http://www.fcw.com/article103492-08-13-07-Web

By Mary Mosquera
Aug. 13, 2007

The integrity of the Homeland Security Department's financial data is at 
increased risk because of weak information technology internal controls 
related to financial management systems, the DHS Office of Inspector 
General has said in a report [1].

The report covers the IT management controls that support the 
department's financial statement for fiscal 2006. Internal controls 
reduce the risk of error or fraud in financial reporting.

This is not the first time the IG has pointed out these weaknesses, 
which were the result of DHS not prioritizing the necessary corrective 
actions.

The department has excessive access to and inadequate logical security 
controls for its key financial applications and support systems, in 
addition to incorrect or ineffective application change control 
processes, the IG said in the report.

"The effect of these numerous IT weaknesses identified during our testing 
reduces the reliability of DHS financial data," DHS IG Richard Skinner 
said in the report. The weaknesses limit DHS' ability to ensure the 
confidentiality, integrity and availability of critical financial and 
operational data.

Many of these weaknesses may result in material errors in DHS financial 
data that are not detected in a timely manner in the normal course of 
business. That means DHS must operate manual controls to reduce that 
risk, the report states.

"Since manual controls are operated by people, there cannot be a 
reasonable expectation that they would be able to be in place at all 
times and in all areas," Skinner stated.

Last year, DHS improved its results toward complying with the Federal 
Information Security Management Act. Meanwhile, a few DHS component 
agencies took actions to improve their IT environments and address IT 
control issues.

The IG identified more than 200 separate findings covering all DHS 
agencies. DHS closed about 44 percent of the prior year's IT findings, 
but the IG uncovered 150 new ones through testing this year.

The IG audited the financial systems of the U.S. Citizen and Immigration 
Services agency, which is owned and serviced by the Immigration and 
Customs Enforcement agency.

DHS inherited many of its component agencies' weaknesses, including 
system development activities that did not incorporate strong security 
controls from the outset, which will take several years to fully 
address. Many of the larger agencies have decentralized IT and financial 
system support.

The fact that DHS does not have an integrated financial system with the 
embedded functionality required by the Office of Management and Budget 
is the major factor for the department's financial management weaknesses, 
the IG said.

DHS outlined a plan to fix the internal control weaknesses in a response 
letter from Robert West, its chief information security officer. For 
example, the department will develop procedures by November for testing 
internal controls for its designated financial systems. Component 
agencies will perform monitoring of key controls by March 2008.

In June, DHS said it will move its agencies to one of two certified 
financial systems under the Transformation and Systems Consolidation 
program. DHS will migrate its small agencies to either a version of 
Oracle Federal Financials that the Transportation Security 
Administration uses or a version of SAP that the Customs and Border 
Protection uses. The Government Accountability Office has said DHS does 
not have a detailed enough strategy for the migration.

[1] http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_07-53_Aug07.pdf

