Skinner: DHS financial systems lack strong security

The Transportation Security Administration has inadequate computer security controls on its financial systems, according to a new report released today by Homeland Security Department Inspector General Richard L. Skinner.

The special report is a letter from KPMG LLP accounting firm on IT matters related to TSA's fiscal 2005 financial statements. KPMG was hired to audit the TSA's finances; however, it did not complete its audit because it did not receive final financial statements from the agency. The letter was released in a redacted form with sensitive portions blacked out.

The accounting firm examined both TSA and Coast Guard systems because the Coast Guard's IT systems host key financial applications for the TSA.

It found continuing IT control weaknesses that put at risk the confidentiality, integrity and availability of critical data.

"We noted that many of the conditions identified during our prior year audits, which impact TSA financial processing, have not been corrected because challenges continue to exist related to the merging of numerous IT functions, controls, processes and overall organizational shortages," the KPMG letter states.

Problems identified were:

• Missing or weak passwords;
  
• Missing security patches or improper configurations for computers, servers and network devices;
  
• Lack of procedures for revalidating users;
  
• Lack of monitoring for high-level IT administration accounts; and
  
• Lack of procedures and monitoring for overseeing access to the TSA's data centers.