Skinner: Customs needs to plug gaps in IT security

Information technology security gaps created a material weakness in the U.S. Customs and Border Protection financial audit statements for fiscal 2007, according to a report released by Homeland Security Inspector General Richard Skinner.

The 70-page IT management letter was prepared by accounting firm KPMG LLP as part of the fiscal 2007 financial statements for the agency.

KPMG concluded that Customs and Border Protection continues to have problems in monitoring and enforcing IT system access controls, implementing security certifications and accreditations, and keeping better track of contractors with access to IT systems.

The problems have existed for more than a year, the report stated. "Many of the conditions identified at CBP in fiscal 2006 have not been corrected because CBP still faces challenges related to the merging of numerous IT functions, controls, processes, and organizational resource shortages."

During the year, CBP improved its IT security program planning and management. However, the report found continuing gaps in access controls and other areas.

"We noted significant access control vulnerabilities," the report stated. In some cases these involved users being able to access IT systems with group passwords and default passwords. The auditors recommended that the agency comply with departmental standards for password controls.

KPMG also recommended that the agency work toward implementing a more effective system of tracking contractor access to IT systems. The auditors classified this area as high risk.

"Deactivation of all systems access of terminated contractors should occur immediately upon separation from CBP. A listing of terminated contract personnel should be periodically distributed to information system administrators so they remove user access and periodically assess contractor access to CBP systems," the report stated.

In response, CBP officials said they are taking steps to ensure that the proper controls are in place.