Security weaknesses jeopardize DHS financial data

Continued weaknesses in IT controls at DHS are threatening efforts to maintain the integrity of financial data within the department, according to a new report.

Continued weaknesses in IT controls at the Homeland Security Department are threatening efforts to maintain the integrity of financial data within the department, according to a new report released by the department's inspector general, Richard L. Skinner.

The 154-page Information Technology Management Letter for the fiscal 2006 DHS Financial Statement Audit is a redacted version of an audit of IT control systems in the financial processing environment at DHS. The audit was performed by the auditing firm KPMG LLP of Washington.

The audit identified more than 200 findings in fiscal 2006 related to shortcomings in IT general and application controls. About 150 of the findings were new, and 50 were repeated from prior years, the audit states.

The weaknesses include "excessive access" to key DHS financial applications; incorrect configurations of security controls for key DHS financial applications and support systems; and problems with the processes in place for making changes to financial applications. Those change control processes were judged to be inappropriate, ineffective, not fully defined or not followed.

"Despite the improvements in a few DHS components, several significant general IT and application control weaknesses remain that collectively limit DHS' ability to ensure that critical financial and operational data is maintained in a manner to ensure confidentiality, integrity and availability," the audit states.

The audit also found numerous other problems, including instances of missing and weak passwords, background checks for contractors not being conducted at three DHS components, and workstations configured without security patches.

Still other problems were a lack of IT system security certifications and accreditations, informal procedures and lack of documentation for changes made to financial systems, and instances of incompatible functions that led to overrides of IT systems.

DHS Chief Information Officer Scott Charbo and Chief Financial Officer David Norquist agreed with the findings and recommendations, the report states.