Watchdog finds IT issues at Secret Service, TSA
Financial systems at both agencies need better management, according to DHS inspector general IT audits.
The Secret Service and Transportation Security Administration have access control and configuration management issues for their financial systems, according to reports recently posted by the DHS Inspector General.
The reports were compiled in 2016, but released publicly by the DHS IG on June 20. They were included as part of the IG's audit of the consolidated DHS financial statements for the 2016 fiscal year that ended last September.
The IG tapped the auditing and accounting firm KPMG to look at both agencies. The firm reported deficiencies in the USSS access controls, segregation of duties, and configuration management of the agency's financial systems.
In its report on TSA, KPMG said that although the agency had moved to take corrective action on an IT control deficiency a year ago, it found new control deficiencies to access controls for its core financial and feeder systems in 2016.
Specifically, the report said TSA didn't consistently enforce password requirements for its access to the databases that support its financial applications and it didn't do the required annual recertification requirements for user accounts.
The Secret Service, said KPMG, didn't have acceptable protections in place on systems scheduled to host sensitive information. Further, Secret Service IT management didn't include adequate system security plans, but did have systems with expired authorities to operate, inadequate access and audit controls and inadequate privacy protections. It also tended to over-retain records, said the report.
Both agencies, however, faired better in a test of their resistance to "social engineering."
KPMG tested Secret Service and TSA personnel to see if they would divulge passwords over the phone to someone they didn't know, but professed to be part of their agency's technical support.
It said neither agency's personnel were particularly talkative targets.
Of the 11 employees the auditors got randomly on the phone at Secret Service, only two gave up passwords. Of the 32 TSA employees KPMG got on the phone, it said none gave up the secure information.
Technology management at the Secret Service has been a longstanding concern, from oversight committees in Congress and from the Department of Homeland Security Office of Inspector General.
Last October, the DHS IG reported on unauthorized security access, unprotected data files and "ineffective" IT management practices at the Secret Service.
That report stated that IT management had not been an agency priority, and concluded that until Secret Service improved its IT governance, its systems and data would remain vulnerable.