Department of Homeland Security Ofﬁce of Inspector General · DHS FY 2009 financial statements...

Department of Homeland Security Office of Inspector General

Information Technology Management Letter for the FY 2009 U.S. Citizenship

and Immigration Services Financial Statement Audit

OIG-10-93 June 2010

Office of Inspector General

U.S. Department ofHomeland Security Washington, DC 25028

Homeland Security

JUN - 8 ZUlU

Preface

The Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General Act of1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2009 U.S. Citizenship and Immigration Services (USCIS) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors J Report dated January 15, 2010 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at USCIS in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 10,2010, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

~A Frank DeffePf-Assistant Inspector General Information Technology Audits

KPMG LLP 2001 M Street, NW Washington, DC 20036

March 10, 2010

Inspector General U.S. Department of Homeland Security Chief Information Officer and Chief Financial Officer U.S. Citizenship and Immigration Services

Ladies and Gentlemen:

We have audited the consolidated balance sheet of the U.S. Citizenship and Immigration Services (USCIS), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of the consolidated financial statements of USCIS, in accordance with auditing standards generally accepted in the United States of America, we considered USCIS’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of USCIS’s internal control. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control.

In planning and performing our fiscal year 2009 audit, we considered USCIS’s internal control over financial reporting by obtaining an understanding of the design effectiveness of USCIS’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of USCIS’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

Our audit of USCIS as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties. These matters are described in the IT General Control Findings by Audit Area section of this letter.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The material weakness described above is presented in our Independent Auditors’ Report, dated January 15, 2010. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of USCIS gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key USCIS financial systems and IT infrastructure within the scope of the FY 2009 USCIS consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the USCIS Chief Financial Officer dated January 15, 2010.

This communication is intended solely for the information and use of DHS and USCIS management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security United States Citizenship and Immigration Services

Information Technology Management Letter September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Page

Objective, Scope and Approach 1

Summary of Findings and Recommendations 3

IT General Control Findings by Audit Area 4

Findings Contributing to a Material Weakness Deficiency in IT 4

Configuration Management 4

Security Management 4

Access Controls 4

Segregation of Duties 4

Application Controls 8

8 Management’s Comments and OIG Response

APPENDICES

Appendix Subject Page

Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of A 9the FY 2009 Financial Statement Audit

B FY 2009 Notices of IT Findings and Recommendations at USCIS 11

- Notice of Findings and Recommendations – Definition of 12 Severity Ratings

C Status of Prior Year Notices of Findings and Recommendations and Comparison to 21 Current Year Notices of Findings and Recommendations at USCIS

D Management’s Comments 23

E Report Distribution 29



OBJECTIVE, SCOPE AND APPROACH

We have audited the US Citizenship and Immigration Services (USCIS) balance sheet as of September 30, 2009. In connection with our audit of USCIS’s balance sheet we performed an evaluation of information technology general controls (ITGC), to assist in planning and performing our audit. The U.S. Department of Homeland Security – Bureau of Immigration and Customs Enforcement (ICE) hosts key financial applications for USCIS. As such, our audit procedures over information technology (IT) general controls for USCIS included testing of the ICE’s Active Directory\Exchange (ADEX) network and the Federal Financial Management System (FFMS) policies, procedures, and practices, as well as USCIS policies, procedures and practices at USCIS Headquarters.

The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit. The scope of the USCIS IT general controls assessment is described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

�

�

�

�

�

Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended. Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support USCIS general support systems.

1 Information Technology Management Letter for the FY 2009 USCIS Financial Statement

Audit



In addition to testing the general control environment, we performed application control tests on a limited number of ICE’s financial systems and applications. The application control testing was performed to assess the controls that support USCIS financial systems’ internal controls over the input, processing, and output of financial data and transactions.

� Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.


Audit



SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2009, we noted that USCIS made minimal progress in addressing its previously identified IT internal control weaknesses. Therefore, due to USCIS’s lack of prioritization of the issues, all seven (7) were reissued. During our review, we continued to identify IT general control weaknesses that could potentially impact USCIS’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over the FFMS and the weaknesses over physical security and security awareness. Collectively, the IT control weaknesses limited USCIS’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over USCIS financial reporting and its operation and we consider them to collectively represent a material weakness for USCIS under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that USCIS did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 19 findings identified during our FY 2009 testing, 12 were new IT findings. These findings represent weaknesses in four of the five FISCAM key control areas. Specifically, 1) a lack of strong password management and audit logging within the financial applications, 2) security management issues involving staff security training and exit processing procedure weaknesses, 3) inadequately designed and operating configuration management, and 4) the lack of effective segregation of duties controls within financial applications. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and USCIS financial data could be exploited thereby compromising the integrity of financial data used by management and reported in USCIS’s financial statements.

USCIS management should ensure that there is emphasis placed on the completion, monitoring and enforcement of IT security-related policies and procedures. On-going measures to improve the IT security considerations for key financial systems utilized by USCIS and implement effective access controls, segregation of duties and configuration management controls need to be completed.

While the recommendations made by KPMG should be considered by USCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.


Audit



IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness Deficiency in IT

During the FY 2009 financial statement audit, we identified the following IT control deficiencies that are considered a material weakness:

1. Configuration Management – we noted:

� Security configuration management weaknesses on the Active Directory Exchange (ADEX). These weaknesses included default configuration settings, inadequate patches, and weak password management.

2. Security Management – we identified:

�

�

�

Background investigations are not conducted in a timely manner.

Procedures for transferred/terminated personnel exit processing are not finalized.

IT Security training is not mandatory nor is compliance monitored.

3. Access controls – we identified:

�

�

Ineffective safeguards over physical access to sensitive facilities and resources.

The following account management weaknesses over ADEX, CLAIMS 3 LAN, and CLAIMS 4:

�

�

�

�

�

�

The lack of recertification of system administrators and system users.

Inefficient definition and documentation of CLAIMS 3 LAN and CLAIMS 4 access roles were noted.

User access is not documented and maintained for CLAIMS 3 LAN and CLAIMS 4.

CLAIMS 3 LAN and CLAIMS 4 password configurations do not meet DHS requirements.

Terminated personnel still have active user accounts within CLAIMS 3 LAN and CLAIMS 4.

Generic user accounts exist for the CLAIMS 3 LAN.

�

�

Lack of policies and procedures for maintaining and reviewing CLAIMS 3 LAN and CLAIMS 4 audit logs.

Lack of processes in place for sanitization of equipment and media.

4. Segregation of Duties– we identified: � Segregation of duties controls were not enforced through access authorizations in

CLAIMS 4.


Audit



Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE’s information technology:

1. Configuration Management:

�

�

�

�

�

Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities. In addition, we recommend that ICE periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches.

Perform vulnerability assessments and penetration tests on all offices of the ICE, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance.

Develop a more thorough approach to track and mitigate configuration management and resource vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to their environment.

Develop a process to verify that systems identified with “HIGH/MEDUIM Risk” configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false-positive. All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant.

Implement the corrective actions identified during the audit vulnerability assessment as identified in the issued NFR.

2. Security Management:

�

�

�

�

Periodically review personnel files to confirm background investigations have been completed in accordance with DHS standards.

Adhere to exit clearance procedures and enforce personnel adherence in the event of transfer\termination.

Implement mandatory requirements for IT security personnel to complete training consistent with their job duties.

Establish and implement requirements for personnel to complete Computer Security Awareness training annually. Also, develop a process to disable user accounts and access privileges for non compliant staff.

3. Access Controls:

� Establish and implement emergency exit and re-entry procedures at the Technology Engineering Consolidation Center (TECC).


Audit



�

�

�

�

�

�

Implement effective physical access controls over the server cage which houses USCIS servers at the TECC. Conduct and document annual reviews of application users and users with system administrator access to ADEX. Establish and enforce procedures for the completion and maintenance of user access forms for CLAIMS 3 LAN and CLAIMS 4 across all service centers. Establish a process to ensure CLAIMS 3 LAN and CLAIMS 4 are configured to meet DHS password configuration requirements. Develop and implement policies and procedures to remove terminated users and generic accounts from the CLAIMS 3 LAN. Establish a process to review and maintain system audit logs.

4. Segregation of Duties: � Define and document the policies and procedures for identifying and approving

CLAIMS 4 user roles\profiles to include user responsibilities and segregation of duties initiatives.

USCIS Specific Recommendations:

5. We recommend that the offices of the USCIS CIO, ICE CIO, and DHS CIO coordinate to develop an Interagency Agreement for the ICE/USCIS relationship. The agreement should be developed using appropriate guidance from NIST 800-53. Specific to this NFR, the Interagency Agreement should document the processes by which ICE will notify USCIS of its planned remediation of the ADEX security vulnerabilities. USCIS should further take a proactive approach in monitoring the resolution of the ADEX vulnerabilities.

6. The USCIS CIO should ensure that USCIS has a sound understanding of the ICE security vulnerabilities that affect USCIS data integrity. USCIS should then develop remediation plans and compensating controls, as applicable, to address potential data integrity issues. For example, more frequent reconciliation of financial accounts may be required.

Cause\Effect: The ICE agency is not continuously monitoring the ICE ADEX General Support System (GSS) vulnerability assessment scans for patch and configuration management vulnerabilities. USCIS management has not proactively coordinated with ICE to establish a detailed and documented Interagency Agreement for the IT services provided by ICE. As a result, default configuration installations and unnecessary services operating on the ICE ADEX devices increases the ability to compromise the availability, integrity, and confidentiality of financial data on the network. Additionally, failure to apply critical vendor security patches exposes system and network devices to new and existing vulnerabilities. This can expose the information system controls environment


Audit



to security breaches, unauthorized access, service interruptions, and denial of service attacks. These weak IT controls at ICE, specifically with ADEX, have a direct and significant negative impact on USCIS financial data integrity. Consequently, USCIS requires additional resources to implement compensating controls needed to ensure fair presentation of its financial statements.

Due to a lack of USCIS management oversight, the controls environment remains weak and needs overall improvement. The lack of a strong controls environment increases the risk of improper handling of sensitive information, unauthorized access to financial data, improper staff training, and improper segregation of duties and least privilege principles.

Reasonable assurance should be provided that system user access levels are limited and monitored for appropriateness. The weaknesses identified within USCIS’s access controls increases the risk that staff may have access to a system that is outside the realm of their job responsibilities. This access could allow a person to intentionally or inadvertently use various functions to alter the integrity of executable files and scripts within the financial system.

Criteria: The Federal Information Security Management Act (FISMA) passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is to: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year’s IT audit we assessed the DHS component’s compliance with DHS Sensitive System Policy Directive 4300A.


Audit



APPLICATION CONTROL FINDINGS

We did not identify any IT findings in the area of application controls during the FY 2009 Financial Statement Audit Engagement.

MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the USCIS management. USCIS management agreed with our findings and recommendations. USCIS management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D.

OIG Response

We agree with the steps that USCIS management is taking to satisfy these recommendations.


Audit

Appendix A



Appendix A

Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of the FY 2009 Financial Statement Audit


Audit

Appendix A



Below is a description of significant USCIS and ICE financial management systems and supporting information technology (IT) infrastructure included in the scope of USCIS’s fiscal year (FY) 2009 Financial Statement Audit.

Locations of Review: USCIS Headquarters, Washington, DC; Verizon Data Center, Manassas, VA; Vermont Service Center, Burlington, VT.

ICE Headquarters, Washington, DC; The Burlington Finance Center (BFC), Burlington, VT; Department of Commerce (DOC) Office of Computer Services (OCS), Springfield, VA.

Systems Subject to Audit:

�

�

�

Federal Financial Management System (FFMS): It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements.

ICE Network: The ICE Network, also known as the Active Directory\Exchange (ADEX) E-mail System, is the general support system (GSS) for ICE and other DHS components, such as the USCIS.

Computer-Linked Application Management System (CLAIMS)3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont, and the National Benefits Center).

� CLAIMS 4: The system is a client/server application that tracks and manages naturalization applications. The central Oracle Database is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices.


Audit

Appendix B



Appendix B FY 2009 Notices of IT Findings and Recommendations at USCIS


Audit

Appendix B



Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors Report.

1 – Not substantial

2 – Less significant

3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These rating are provided only to assist USCIS in the development of its corrective action plans for remediation of the deficiency.


Audit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CIS

-IT

09-0

1 W

e in

spec

ted

the

Nat

iona

l B

enef

its C

ente

r (N

BC

) C

LAIM

S 3

LAN

us

er

role

/resp

onsi

bilit

ies

docu

men

tatio

n an

d de

term

ined

that

the

syst

em se

tting

s an

d as

sign

ed u

ser

role

s w

ithin

the

sys

tem

do

not

accu

rate

ly re

flect

doc

umen

ted

user

resp

onsi

bilit

ies.

Con

tinue

to

de

fine

and

docu

men

t th

e va

rious

C

LAIM

S 3

LAN

ro

les

and

thei

r as

soci

ated

re

spon

sibi

litie

s for

the

rem

aini

ng se

rvic

e ce

nter

s.

X

2

CIS

-IT

09-0

2 N

BC

doe

s no

t per

form

per

iodi

c C

LAIM

S 3

LAN

use

r ac

cess

rev

iew

s to

ens

ure

that

use

rs'

leve

l of

acc

ess

rem

ains

ap

prop

riate

an

d th

ere

are

no

proc

edur

es

esta

blis

hed

for p

erfo

rmin

g pe

riodi

c re

view

s.

Esta

blis

h an

d im

plem

ent

polic

ies

and

proc

edur

es

for h

andl

ing,

revi

ewin

g, a

nd re

tent

ion

of C

laim

s 3

LAN

use

r acc

ount

requ

est f

orm

s.

X

2

CIS

-IT

09-0

3 M

anag

emen

t at t

he U

SCIS

Hea

dqua

rters

(HQ

) and

the

Serv

ice

Cen

ter,

Ver

mon

t ha

s no

t co

mpl

eted

or

in

adeq

uate

ly d

ocum

ente

d ac

cess

form

s fo

r CLA

IMS

3 LA

N a

nd C

LAIM

S 4,

syst

em u

sers

.

Esta

blis

h an

d en

forc

e pr

oced

ures

fo

r th

e co

mpl

etio

n an

d m

aint

enan

ce o

f us

er a

cces

s fo

rms

for

CLA

IMS

3LA

N a

nd C

LAIM

S 4

for

all

the

serv

ice

cent

ers.

X

2

CIS

-IT

09-0

4 Th

e U

SCIS

HQ

has

not

mai

ntai

ned

or d

ocum

ente

d a

sele

ctio

n of

sy

stem

ad

min

istra

tor’

s ac

cess

au

thor

izat

ion

form

s.

Con

duct

and

doc

umen

t ann

ual r

evie

ws

of a

ll us

ers

with

Act

ive

Dire

ctor

y sy

stem

adm

inis

trato

r acc

ess.

X

2

13

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

200

9 U

SCIS

Fin

anci

al S

tate

men

t Aud

it

� � � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

e om

men

datio

n c

New

Issu

e R

epea

t Is

sue

Seve

rity

Rat

ing

CIS

-IT

09-0

6 Th

e bi

omet

ric

faci

al

reco

gniti

on

scan

ner

allo

wed

un

auth

oriz

ed p

erso

nnel

acc

ess

to U

SCIS

ser

ver r

oom

, an

d pr

oced

ures

reg

ardi

ng r

emov

al, a

utho

rizat

ion,

and

lo

ggin

g of

USC

IS b

acku

p m

edia

are

not

in p

lace

for

th

e Te

chno

logy

En

gine

erin

g C

onso

lidat

ion

Cen

ter

(TEC

C).

Esta

blis

h an

d im

plem

ent

back

up

med

ia

rete

ntio

n an

d ro

tatio

n po

licie

s. Es

tabl

ish

a nd

impl

emen

t em

erge

ncy

exit

and

re-e

ntry

pro

cedu

res .

Dev

elop

a p

roce

ss t

hat

assu

res

all

reso

urce

s w

ith a

cces

s to

the

USC

IS r

e sou

rces

adh

ere

to

the

polic

y an

d pr

oced

ure.

Im

plem

ent

stro

nger

phy

sica

l ac

cess

con

trols

ov

er t

he s

erve

r ca

ge d

oor

to p

reve

nt f

urth

er

unau

thor

ized

acc

ess

X

2

CIS

-IT

09-0

7 U

SCIS

has

not

fin

aliz

ed a

pol

icy

that

out

lines

the

proc

ess

for d

evel

opin

g fo

rms

for l

abel

ing

and

track

ing

the

disp

ositi

on p

roce

ss o

r pr

ovid

ed c

lear

ins

truct

ions

fo

r con

duct

ing

med

ia w

ipes

or p

urge

s of d

ata.

Upd

ate

and

final

ize

thei

r po

licie

s an

d pr

oced

ures

to

re

flect

th

eir

curr

ent

med

ia

sani

tizat

ion

oper

atio

n.

X

2

CIS

-IT

09-0

8 U

SCIS

doe

s no

t re

certi

fy i

ts s

yste

m a

dmin

istra

tor

acco

unts

on

an a

nnua

l bas

is.

Man

agem

ent

shou

ld

esta

blis

h a

mor

e tim

ely

proc

ess

to p

erfo

rm a

per

iodi

c re

view

of

user

ac

coun

ts

ensu

ring

prop

er

auth

oriz

atio

n an

d tra

inin

g.

X

2

CIS

-IT

09-0

9 C

LAIM

S 3

LAN

pa

ssw

ord

re-u

se

and

leng

th

conf

igur

atio

ns

does

no

t m

eet

DH

S st

anda

rds.

CLA

IMS

3 LA

N g

ener

ic u

ser a

ccou

nts

was

not

tim

ely

rem

oved

be

caus

e of

a

lack

of

us

er

acco

unt

rece

rtific

atio

n.

� � Es

tabl

ish

a pr

oces

s to

en

sure

th

at

USC

IS

syst

ems

are

conf

igur

ed to

mee

t min

imum

DH

S pa

ssw

ord

conf

igur

atio

ns a

nd re

quire

men

ts.

Rem

ove

all

gene

ric a

ccou

nts

to C

LAIM

S 3

LAN

pro

duct

ion

syst

ems

and

perf

orm

per

iodi

c re

view

s of

th

e us

er

acce

ss

list

to

ensu

re

com

plia

nce.

X

2

14In

form

atio

n T

echn

olog

y M

anag

emen

t Let

ter

for

the

FY 2

009

USC

IS F

inan

cial

Sta

tem

ent A

udit

� � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

tyR

atin

g C

IS-I

T09

-10

CLA

IMS

4 LA

N p

assw

ord

conf

igur

atio

n se

tting

s do

es

not m

eet D

HS4

300A

pas

swor

d st

anda

rds.

We

reco

mm

end

that

USC

IS e

stab

lish

a pr

oces

s to

en

sure

CLA

IMS

4 LA

N i

s co

nfig

ured

to

mee

t D

HS4

300A

pas

swor

d co

nfig

urat

ion

stan

dard

s.

X

2

CIS

-IT

09-1

1 W

e id

entif

ied

that

an

in

adeq

uate

ba

ckgr

ound

inve

stig

atio

n w

as p

erfo

rmed

and

doc

umen

ted

for

one

new

hire

per

sonn

el fr

om a

sam

ple

of 2

5.

We

reco

mm

end

that

U

SCIS

m

anag

emen

t pe

riodi

cally

re

view

pe

rson

nel

files

to

co

nfirm

back

grou

nd in

vest

igat

ions

hav

e be

en c

ompl

eted

in

acco

rdan

ce w

ith D

HS

stan

dard

s.

X

2

CIS

-IT

09-1

2 W

e in

spec

ted

a sa

mpl

e of

pe

rson

nel

that

ha

dte

rmin

ated

/tran

sfer

red

from

the

ir em

ploy

men

t w

ith

USC

IS.

Of

the

28

term

inat

ed/tr

ansf

erre

d U

SCIS

pers

onne

l sam

pled

, evi

denc

e of

com

plia

nce

with

exi

t cl

eara

nce

proc

edur

es c

ould

not

be

prov

ided

for

19

empl

oyee

s.

We

reco

mm

end

that

USC

IS m

anag

emen

t adh

ere

to

exit

clea

ranc

e pr

oced

ures

and

requ

ire p

erso

nnel

to

follo

w th

em in

an

even

t of t

rans

fer/t

erm

inat

ion.

X

2

CIS

-IT

09-1

3 V

erm

ont

Serv

ice

Cen

ter

(VSC

) ha

s in

effe

ctiv

esa

fegu

ards

ove

r th

e co

mpu

ter

room

in

the

Off

ice

of

Info

rmat

ion

Tech

nolo

gy

(OIT

).

VSC

pr

oced

ures

re

gard

ing

the

rem

oval

, au

thor

izat

ion

and

logg

ing

of

back

up m

edia

are

not

in

plac

e.

VSC

pro

cedu

res

for

ensu

ring

accu

racy

and

com

plet

enes

s ov

er v

isito

r lo

gs

are

not e

nfor

ced.

Esta

blis

h an

d im

plem

ent

proc

edur

es

for

mai

ntai

ning

an

d au

thor

izin

g th

e O

IT’s

co

mpu

ter r

oom

acc

ess l

ist.

Esta

blis

h an

d im

plem

ent

back

up

med

ia

rete

ntio

n an

d ro

tatio

n po

licie

s.

Enfo

rce

com

plet

enes

s an

d ac

cura

cy o

ver v

isito

r in

form

atio

n in

logs

.

X

2

15In

form

atio

n T

echn

olog

y M

anag

emen

t Let

ter

for

the

FY 2

009

USC

IS F

inan

cial

Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CIS

-IT

09-1

4 D

urin

g ou

r tes

ting

of a

cces

s co

ntro

ls fo

r FFM

S, in

our

sa

mpl

e of

25

activ

e us

ers,

we

note

d on

e us

er’s

acc

ess

was

exc

essi

ve, b

ased

on

the

acce

ss a

ppro

ved

by th

eir

pres

ent s

uper

viso

r. W

e le

arne

d th

at th

is u

ser’

s pr

ofile

w

as c

hang

ed a

s the

use

r rel

ocat

ed to

a d

iffer

ent s

ervi

ce

cent

er.

How

ever

, w

hen

the

prof

ile

chan

ge

was

re

ques

ted,

the

FFM

S ad

min

istra

tor

did

not r

emov

e al

l pr

evio

us a

cces

s no

r as

sure

that

the

acce

ss r

ight

s w

ere

curr

ent

and

auth

oriz

ed.

As

a re

sult,

the

use

r ha

d ex

cess

ive

priv

ilege

s fo

r he

r ro

le a

nd r

espo

nsib

ilitie

s. W

e al

so n

oted

that

the

USC

IS S

OP

did

not r

efle

ct th

is

proc

edur

e th

ough

we

lear

ned

thro

ugh

inqu

iry th

at th

e FF

MS

adm

inis

trato

rs a

re r

equi

red

to r

emov

e al

l prio

r ac

cess

whe

n pe

rfor

min

g a

prof

ile c

hang

e.

As

a re

sult

of o

ur t

est

wor

k, U

SCIS

res

pond

ed b

y re

mov

ing

the

exce

ssiv

e ac

cess

to re

flect

the

user

’s ro

le

and

resp

onsi

bilit

ies.

In a

dditi

on, U

SCIS

upd

ated

thei

r SO

P to

requ

ire a

ll pr

evio

us a

cces

s to

be c

onfir

med

and

re

mov

ed p

rior t

o gr

antin

g ne

w a

cces

s rol

es.

We

reco

mm

end

that

USC

IS e

stab

lish

and

enfo

rce

polic

ies

and

proc

edur

es th

at e

nsur

e th

at r

oles

and

re

spon

sibi

litie

s ar

e co

mm

ensu

rate

with

the

ir jo

b fu

nctio

n.

X

2

CIS

-IT

09-1

5 W

e id

entif

ied

a la

ck o

f aud

it lo

ggin

g po

licie

s ov

er th

e ap

plic

atio

n an

d se

rver

log

s fo

r th

e C

LAIM

S 3

and

CLA

IMS

4 LA

N sy

stem

.

We

reco

mm

end

that

USC

IS e

stab

lish

and

enfo

rce

polic

ies

and

proc

edur

es

for

mai

nten

ance

an

d re

view

of a

udit

logg

ing.

X

2

16

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

200

9 U

SCIS

Fin

anci

al S

tate

men

t Aud

it

� �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

tyR

atin

g C

IS-I

T09

-16

We

iden

tifie

d w

eakn

esse

s w

ithin

acc

ess

cont

rols

for

C

LAIM

S 4

over

lac

k of

pro

cedu

res

for

rece

rtify

ing

user

acc

ess,

lack

of

evid

ence

of

leas

t pr

ivile

ge a

nd

segr

egat

ion

of d

utie

s co

ntro

ls,

and

untim

ely

rem

oval

of

term

inat

ed p

erso

nnel

acc

ount

s.

� � �

Esta

blis

h an

d im

plem

ent

polic

ies

and

proc

edur

es

for

the

hand

ling,

pe

riodi

cally

re

view

ing,

an

d re

tain

ing

CLA

IMS

4 us

er

acco

unt r

eque

st fo

rms.

Def

ine

and

docu

men

t po

licie

s an

d pr

oced

ures

fo

r id

entif

ying

and

app

rovi

ng C

LAIM

S 4

user

ro

les/

prof

iles

to

incl

ude

the

user

’sre

spon

sibi

litie

s. In

add

ition

, th

e po

licie

s an

d pr

oced

ures

sh

ould

ad

dres

s an

d im

plem

ent

segr

egat

ion

of d

utie

s pro

cedu

res.

Dev

elop

po

licie

s an

d pr

oced

ures

fo

r th

ere

mov

al o

f tra

nsfe

rred

/term

inat

ed u

sers

with

in

CLA

IMS

4 up

on th

eir s

epar

atio

n fr

om U

SCIS

.

X

2

CIS

-IT

09-1

7 W

e id

entif

ied

wea

knes

ses

with

in m

onth

ly tr

aini

ngs

of

USC

IS’ I

SSO

s. W

e re

com

men

d th

at

USC

IS

man

agem

ent

impl

emen

t man

dato

ry tr

aini

ng re

quire

men

ts fo

r IT

secu

rity

pers

onne

l to

com

plet

e tra

inin

g co

nsis

tent

w

ith th

eir j

ob fu

nctio

n du

ties.

X

2

CIS

-IT

09-1

8 W

e de

term

ined

th

at

wea

knes

ses

exis

t re

late

d to

CLA

IMS3

LA

N a

cces

s. Sp

ecifi

cally

, we

iden

tifie

d 21

us

ers

whi

ch w

ere

sepa

rate

d fr

om U

SCIS

and

stil

l re

tain

ed a

cces

s to

the

CLA

IM3

LAN

.

We

reco

mm

end

that

USC

IS m

anag

emen

t dev

elop

an

d im

plem

ent

polic

ies

and

proc

edur

es f

or t

he

rem

oval

of

sepa

rate

d us

ers

with

in C

LAIM

S 3

LAN

upo

n th

eir s

epar

atio

n.

X

2

CIS

-IT

09-1

9 W

e te

sted

a s

ampl

e of

per

sonn

el th

at w

ere

requ

ired

to

com

plet

e an

nual

C

ompu

ter

Secu

rity

Aw

aren

ess

Trai

ning

dur

ing

the

fisca

l ye

ar.

Of

the

thirt

y (3

0)pe

rson

nel s

ampl

ed, e

vide

nce

of c

ompl

ianc

e co

uld

not

be p

rovi

ded

for

two

(2)

empl

oyee

s. A

dditi

onal

ly,

proc

edur

es a

re n

ot i

n pl

ace

to d

isab

le u

ser

acco

unts

Esta

blis

h an

d im

plem

ent

requ

irem

ents

fo

r pe

rson

nel

to

com

plet

e C

ompu

ter

Secu

rity

Aw

aren

ess T

rain

ing

annu

ally

. D

evel

op a

pro

cess

to d

isab

le u

ser a

ccou

nts a

nd

acce

ss p

rivile

ges

in a

ccor

danc

e w

ith D

HS

polic

ies f

or e

mpl

oyee

s not

in c

ompl

ianc

e.

X

2

17In

form

atio

n T

echn

olog

y M

anag

emen

t Let

ter

for

the

FY 2

009

USC

IS F

inan

cial

Sta

tem

ent A

udit

� � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

tyR

atin

g an

d ac

cess

pr

ivile

ges

if an

nual

tra

inin

g is

no

t co

mpl

eted

on

a tim

ely

basi

s.

CIS

-IT

09-2

0 D

urin

g th

e in

tern

al v

ulne

rabi

lity

asse

ssm

ent e

ffor

ts o

f ne

twor

k se

rver

s an

d sy

stem

s w

e id

entif

ied

seve

ral

Hig

h/

Med

ium

R

isk

vuln

erab

ilitie

s, re

late

d to

co

nfig

urat

ion

man

agem

ent.

We

dete

rmin

ed

that

secu

rity

conf

igur

atio

n m

anag

emen

t w

eakn

esse

s (i.

e.,

mis

sing

sec

urity

pat

ches

and

inc

orre

ct c

onfig

urat

ion

setti

ngs)

exi

st o

n ho

sts s

uppo

rting

the

ICE.

In

addi

tion

to

addr

essi

ng

the

spec

ific

vuln

erab

ilitie

s id

entif

ied

in

the

cond

ition

, IC

E sh

ould

: Red

istri

bute

pro

cedu

res

and

train

em

ploy

ees

on c

ontin

uous

ly m

onito

ring

and

miti

gatin

g vu

lner

abili

ties.

In a

dditi

on,

we

reco

mm

end

that

ICE

perio

dica

lly m

onito

r the

exi

sten

ce o

f un

nece

ssar

y se

rvic

es a

nd p

roto

cols

run

ning

on

th

eir

serv

ers

and

netw

ork

devi

ces,

in

addi

tion

to d

eplo

ying

pat

ches

. Pe

rfor

m

vuln

erab

ility

as

sess

men

ts

and

pene

tratio

n te

sts

on a

ll of

fices

of

the

ICE,

fr

om a

cen

trally

man

aged

loc

atio

n w

ith a

st

anda

rdiz

ed

repo

rting

m

echa

nism

th

atal

low

s fo

r tre

ndin

g, o

n a

regu

larly

sch

edul

ed

basi

s in

acco

rdan

ce w

ith N

IST

guid

ance

. D

evel

op a

mor

e th

orou

gh a

ppro

ach

to t

rack

an

d m

itiga

te

conf

igur

atio

n m

anag

emen

t vu

lner

abili

ties

iden

tifie

d du

ring

mon

thly

sc

ans.

ICE

shou

ld m

onito

r th

e vu

lner

abili

ty

repo

rts

for

nece

ssar

y or

re

quire

dco

nfig

urat

ion

chan

ges t

o th

eir e

nviro

nmen

t.

X

N\A

-Is

sued

af

ter

rele

ase

ofD

HS

audi

tre

port

18In

form

atio

n T

echn

olog

y M

anag

emen

t Let

ter

for

the

FY 2

009

USC

IS F

inan

cial

Sta

tem

ent A

udit

� � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ec m

men

datio

n o

New

Issu

e R

epea

t Is

sue

Seve

rity

Rat

ing

Dev

elop

a p

roce

ss t

o ve

rify

that

sys

tem

s id

entif

ied

with

“H

IGH

/MED

UIM

R

isk”

conf

igur

atio

n vu

lner

abili

ties d

o no

t app

ear o

n su

bseq

uent

m

onth

ly

vuln

erab

ility

sc

an

repo

rts,

unle

ss

they

ar

e ve

rifie

d an

d do

cum

ente

d as

a f

alse

-pos

itive

. A

ll ris

ksid

entif

ied

durin

g th

e m

onth

ly sc

ans s

houl

d be

m

itiga

ted

imm

edia

tely

, and

not

be

allo

wed

to

rem

ain

dorm

ant.

USC

IS sh

ould

:

We

reco

mm

end

that

the

offic

es o

f th

e U

SCIS

C

IO,

ICE

CIO

, an

d D

HS

CIO

coo

rdin

ate

to

deve

lop

an I

nter

agen

cy A

gree

men

t fo

r th

e IC

E/U

SCIS

re

latio

nshi

p.

The

agre

emen

t sh

ould

be

de

velo

ped

usin

g ap

prop

riate

gu

idan

ce f

rom

NIS

T 80

0-53

. Spe

cific

to

this

N

FR,

the

Inte

rage

ncy

Agr

eem

ent

shou

lddo

cum

ent

the

proc

esse

s by

whi

ch I

CE

will

no

tify

USC

IS o

f its

pla

nned

rem

edia

tion

of th

e A

DEX

sec

urity

vul

nera

bilit

ies.

USC

IS s

houl

d fu

rther

ta

ke

a pr

oact

ive

appr

oach

in

m

onito

ring

the

reso

lutio

n of

th

e A

DEX

vu

lner

abili

ties.

The

USC

IS C

IO sh

ould

ens

ure

that

USC

IS h

as

a so

und

unde

rsta

ndin

g of

the

IC

E se

curit

y vu

lner

abili

ties

that

af

fect

U

SCIS

da

ta

inte

grity

. U

SCIS

sh

ould

th

en

deve

lop

rem

edia

tion

plan

s an

d co

mpe

nsat

ing

cont

rols

,

19In

form

atio

n T

echn

olog

y M

anag

emen

t Let

ter

for

the

FY 2

009

USC

IS F

inan

cial

Sta

tem

ent A

udit

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

200

9

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

as

appl

icab

le,

to

addr

ess

pote

ntia

l da

ta

inte

grity

iss

ues.

For

exam

ple,

mor

e fr

eque

nt

reco

ncili

atio

n of

fin

anci

al a

ccou

nts

may

be

requ

ired.

20

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

200

9 U

SCIS

Fin

anci

al S

tate

men

t Aud

it

Appendix C



Appendix C

Status of Prior Year Notices of Findings and Recommendations and Comparison to

Current Year Notices of Findings and Recommendations at USCIS


Audit

Appendix C



Disposition

NFR No. Description Closed Repeat

CIS-IT-08-01 Lack of Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN 09-01

CIS-IT-08-02 Periodic CLAIMS 3 LAN User Access Reviews are not Performed at the NBC 09-02

CIS-IT-08-03 Incomplete or Inadequate Access Request Forms for CLAIMS 3 LAN, CLAIMS 4, and CISCOR System Users at Headquarters and the Service Centers

09-03

CIS-IT-08-04 Ineffective Controls for Restricting Security Software Exist

09-04

CIS-IT-08-06 Weak Data Center Access Controls 09-06

CIS-IT-08-07 Equipment and Media Policies and Procedures are not Current 09-07

CIS-IT-08-08 Weak Access Controls for Security Software Exist

09-08


Audit

Appendix D



Appendix D

USCIS Management’s Comments


Audit

U.S. Ut.>llartmcnl of Ilumcl:md St'curilJU.S. Cnizcnship :lml IrnrlllgrauQn Sen icesUbic/! ufl/I/! Cltif'f"!forl/ltl//Ull Ubic<'"Waihwgtol1. DC 2052')

u.s. Citizenshipand IrrunigrationServices

April 28. 2010

Memorandum

TO: Frank DefferAssistant Inspector General for Information Technology AuditU.S. Dcpartment of Homeland Security

FROM: LeSlie Hope ,-1/ IJ;~ati[ b'mccr, ActingVC'hief Inform

SUBJ ECT: Managcment Rcsponse to the IT Managemcnt Letter for the FY 2009 U.S.Citizenship and Immigration Services Financial Integrated Audit

We would like to thank you for the opp0rlunity to review and comment on the rr ManagcmentLeiter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integratcd Audit.USCIS requests that your Office make the following changes to the Independent Auditor's ITManagement Letter report.

Except for the items notcd below, USCIS agrees <lnd accepts all finding, cOl11ments. andconclusions the independent auditors exprcssed in the IT Management Letter report.

Findings Contributing to .a Material Weakness Deficiencv in IT

During the FY 2009 financial statemcnt audit, we identified the following IT control deficiencythat is considered a material weakness:

I. Configuration Management - we noted:

• Security configuration management weakncsses on the Active Directory Exchangc(ADEX). These weaknesses included default configuration scttings, inadequate patchcs,and weak password management.

Recommendations: Unless specifically noted where USCIS needs to take specific correctiveaction, we recommend that the USCIS Chief Infonnation Officer (CIO) and Chief FinancialOfficer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Oflice

www.u:.cis.go\,

Appendix D Department of Homeland Security

Immigration and Customs Enforcement Information Technology Management Letter

September 30, 2009

24 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit

Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigration Services Financial Integrated AuditPage 2

of the Chieflnfonnation Officer, make the following improvemems to ICE's infonnationtechnology security program:

Suggested Change:

"During the FY 2009 financial statement audit, we identified that the Immigration and CustomsEnforcement (ICE) Headquarters hosts the Active Directory Exchange (ADEX), GeneralSupport System (GSS) and a key financial application for USCIS. We identified the followingICE IT control deficiencies that significantly impact USCIS and are considered materialweaknesses:

I. Configuration Management - we noted:

Several HighlMedium risk vulnerabilities related to configuration management were identified.

• Security configuration management weaknesses on the ICE's ADEX. These weaknessesincluded default configuration settings, inadequate patches, and weak passwordmanagement.

Recommendations: Unless specifically noted where USCIS needs to take specific correctiveaction, we recommend that the USCIS Chieflnfonnation Officer (CIO) and Chief FinancialOfficer (CFO), in coordination with the ICE Office orChid Financial Officer and the ICE Officeof the Chief Infonnation Officer, make the following improvemcnts to ICE's infonnationtechnology security program:

"ICE Specific Recommendations"

Your recommendation statement alludes to USCIS having control over actions to be perfonnedby ICE. Recommendations I through 5 are strictly ICE's actions within their control. Yourstatement does not clearly identify these as actions ICE must take.

Other Findings

The following IT and financial system control deficiencies that contributed to a materialweakness are noted below:

I. Securily Management - we identified:

• Background investigations are not conducted in a timely manner.• Procedures for transferredltenninated personnel exit processing are not finalized.• IT Security training is not mandatory nor is compliance monitored...

Recommendations: We recommend that the USCIS CIO and CFO, in coordination with the DHSOffice ofChief Financial Officer and the DHS Office ofthc Chieflnfonnation Officer, make the



September 30, 2009


Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigntion Services Financial Integrated AuditPage 3

following improvements to USCIS' financial management systems and associated informationtechnology security program."

Response Comment;

USCIS has realigned its mission support activitics undcr an Associate Director Management.The new Associate Director has taken action to correct the three deficiencies under his span ofcontrol.

Appendix A

Systems SubjectJO Audit

• Computer Linked Application Management System (CLAIMS) 3 Local Area Network(LAN): Provides a decentralized LAN based system that supports the requirements ofthe Direct Mail Phase I and U, Immigntion Act of 1990 (IMMACT 90) and USCISfonns improvement projects. The Claims 3 LAN is located at each of the service centC13(Nebraska, California, Texas., Vermont) and the National Benefits Center.

Suggested Change:

• Computer Linked Application Management System (CLAIMS) 3 Local Area Network(LAN): Provides a decentralized LAN based system that supports the requirements ofthe Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCISfonns improvement projccts. The CLAIMS 3 LAN is located at each of the servicecenters (i.e., Nebraska, California, Texas, and Vermont) and the National BenefitsCenter.

Appendix B - Notice of Findings and Recommendations Table

NFR II; CIS-IT-09-04

Condition; The USCIS HQ has not maintained or documented a selection of systemadministrator's access authorization forms.

Recommendation: Conduct and document annual reviews of all users with Active Directorysystems administrator access."

Suggested Ch3llge:

Condition: The USCIS has not maintained or documented a selection ofADEX systemadministrator's access authorization fonns.

Recommendation: Conduct and document annual reviews ofall users with Active Directorysystems administrator access in coordination with ICE."



September 30, 2009


Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigrntion Services Financial Integrated AuditPage 4

NFR #: CIS-IT-09-08

Condition: USCIS does not recertify its systcm administrator accounts on an annual basis.

Suggested Change:

Condition: USCIS does not recertify its Local PICS Officer (LPO) accounts on an annual basis.

NFR #: CIS·IT·09·10

Condition: CLAIMS 4 LAN password configuration settings does not meet DHS 4300Apassword standards.

Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN isconfigured to meet DHS 4300A password configuration standards.

Suggested Change:

Condition: CLAIMS 4 password configuration setting for password history does not meet DHS4300A password standards.

Recommendation: We recommend CLAIMS 4 password history selling be changed from 6generations to 8 generations to meet DHS 4300A password configuration standards.

NFR II: CIS-IT-II and CIS-IT-12

Note: The OCIO is not the owner ofthcse processes. These NFRs were signed by and are theresponsibility of the Office ofSecurity and Integrity (OSI) and the Office of Human Capital andTraining (HCT).

NFR #: CIS-IT-09-14

Note: The OCIO is not the owner of this process. This NFR was signed by and is theresponsibility of the OCFO. They grant, remove, and monitor access to FFMS.

NFR II: CIS·IT·OS·OJDescription: Lack of Definition and Documentation of Access Roles at the National BenefitsCenter for CLAlMS 3 LAN.

NFR II: CIS~IT-08-04Description: Ineffective Controls for Restricting Security Software Exist.

NFR#: CIS-IT-08-08Description: Weak Access Controls for Security Software Exist.



September 30, 2009


Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigration Services Financial Integrated AuditPageS

Suggested Change:

NFR #: CIS-IT-OS-QlDescription: Inefficient Definition and Documentation of Access Roles at the National BenefitsCenter for CLAIMS 3 LAN.

As stated, it gives the impression that Definition and Documentation of Access Roles do notexist.

NFR #: CIS-IT-08-04Description: Periodic Active Directory and Eltchange (ADEX) system administrator accessreviews are not perfonned at USCIS.

As stated, it gives the impression all controls related to security software are ineffective. Thesigned NFR specifically addresses ADEX.

NFR #: CIS·IT·08·08Description: Weak Access Controls for Security Software Eltist within the Password Issuanceand Control System (PIeS).

As stated. it gives the impression all controls related to security software are weak. The signedNFR specifically addresses PICS.

USCIS is committed to resolving all control deficiencies and weaknesses idenlified in the auditand have prepared Mission Action Plans to resolve and improve the Agency's infomtationtechnology controls.

USCIS appreciates the cooperation and respect that your staff provided during the course of theaudit and looks forward to continuing our strong working relationship with your office.

If you have any questions regarding our comments, plcase cOnlnct Leslie Hope, Acting ChiefInfonnation Officer at (202) 272-1018.



September 30, 2009


Appendix E

Department of Homeland Security Immigration and Customs Enforcement


Appendix D

Report Distribution


Appendix E

Department of Homeland Security Immigration and Customs Enforcement


Report Distribution

Department of Homeland Security

Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Director, USCIS DHS Chief Information Officer DHS Chief Financial Officer Associate Director-Management, USCIS Acting Chief Financial Officer, USCIS Acting Chief Information Officer, USCIS Chief Information Security Officer Assistant Secretary, Policy Assistant Secretary for Public Affairs Assistant Secretary for Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison USCIS Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate


ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:

DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.

Department of Homeland Security Ofﬁce of Inspector General · DHS FY 2009 financial statements...

Documents

Transcript of Department of Homeland Security Ofﬁce of Inspector General · DHS FY 2009 financial statements...