Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements...
Transcript of Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements...
![Page 1: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/1.jpg)
Department of Homeland Security Office of Inspector General
Information Technology Management Letter for the FY 2009 U.S. Citizenship
and Immigration Services Financial Statement Audit
OIG-10-93 June 2010
![Page 2: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/2.jpg)
Office of Inspector General
U.S. Department ofHomeland Security Washington, DC 25028
Homeland Security
JUN - 8 ZUlU
Preface
The Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General Act of1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.
This report presents the information technology (IT) management letter for the FY 2009 U.S. Citizenship and Immigration Services (USCIS) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors J Report dated January 15, 2010 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at USCIS in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 10,2010, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion on compliance with laws and regulations.
The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.
~A Frank DeffePf-Assistant Inspector General Information Technology Audits
![Page 3: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/3.jpg)
KPMG LLP 2001 M Street, NW Washington, DC 20036
March 10, 2010
Inspector General U.S. Department of Homeland Security Chief Information Officer and Chief Financial Officer U.S. Citizenship and Immigration Services
Ladies and Gentlemen:
We have audited the consolidated balance sheet of the U.S. Citizenship and Immigration Services (USCIS), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of the consolidated financial statements of USCIS, in accordance with auditing standards generally accepted in the United States of America, we considered USCIS’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of USCIS’s internal control. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control.
In planning and performing our fiscal year 2009 audit, we considered USCIS’s internal control over financial reporting by obtaining an understanding of the design effectiveness of USCIS’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of USCIS’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of USCIS’s internal control over financial reporting.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
Our audit of USCIS as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties. These matters are described in the IT General Control Findings by Audit Area section of this letter.
KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.
![Page 4: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/4.jpg)
The material weakness described above is presented in our Independent Auditors’ Report, dated January 15, 2010. This letter represents the separate restricted distribution letter mentioned in that report.
The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of USCIS gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.
The Table of Contents on the next page identifies each section of the letter. We have provided a description of key USCIS financial systems and IT infrastructure within the scope of the FY 2009 USCIS consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the USCIS Chief Financial Officer dated January 15, 2010.
This communication is intended solely for the information and use of DHS and USCIS management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.
Very truly yours,
![Page 5: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/5.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS
Page
Objective, Scope and Approach 1
Summary of Findings and Recommendations 3
IT General Control Findings by Audit Area 4
Findings Contributing to a Material Weakness Deficiency in IT 4
Configuration Management 4
Security Management 4
Access Controls 4
Segregation of Duties 4
Application Controls 8
8 Management’s Comments and OIG Response
APPENDICES
Appendix Subject Page
Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of A 9the FY 2009 Financial Statement Audit
B FY 2009 Notices of IT Findings and Recommendations at USCIS 11
- Notice of Findings and Recommendations – Definition of 12 Severity Ratings
C Status of Prior Year Notices of Findings and Recommendations and Comparison to 21 Current Year Notices of Findings and Recommendations at USCIS
D Management’s Comments 23
E Report Distribution 29
![Page 6: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/6.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
OBJECTIVE, SCOPE AND APPROACH
We have audited the US Citizenship and Immigration Services (USCIS) balance sheet as of September 30, 2009. In connection with our audit of USCIS’s balance sheet we performed an evaluation of information technology general controls (ITGC), to assist in planning and performing our audit. The U.S. Department of Homeland Security – Bureau of Immigration and Customs Enforcement (ICE) hosts key financial applications for USCIS. As such, our audit procedures over information technology (IT) general controls for USCIS included testing of the ICE’s Active Directory\Exchange (ADEX) network and the Federal Financial Management System (FFMS) policies, procedures, and practices, as well as USCIS policies, procedures and practices at USCIS Headquarters.
The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit. The scope of the USCIS IT general controls assessment is described in Appendix A. FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.
�
�
�
�
�
Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended. Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.
To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support USCIS general support systems.
1 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 7: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/7.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
In addition to testing the general control environment, we performed application control tests on a limited number of ICE’s financial systems and applications. The application control testing was performed to assess the controls that support USCIS financial systems’ internal controls over the input, processing, and output of financial data and transactions.
� Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.
2 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 8: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/8.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
SUMMARY OF FINDINGS AND RECOMMENDATIONS
During FY 2009, we noted that USCIS made minimal progress in addressing its previously identified IT internal control weaknesses. Therefore, due to USCIS’s lack of prioritization of the issues, all seven (7) were reissued. During our review, we continued to identify IT general control weaknesses that could potentially impact USCIS’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over the FFMS and the weaknesses over physical security and security awareness. Collectively, the IT control weaknesses limited USCIS’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over USCIS financial reporting and its operation and we consider them to collectively represent a material weakness for USCIS under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that USCIS did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).
Of the 19 findings identified during our FY 2009 testing, 12 were new IT findings. These findings represent weaknesses in four of the five FISCAM key control areas. Specifically, 1) a lack of strong password management and audit logging within the financial applications, 2) security management issues involving staff security training and exit processing procedure weaknesses, 3) inadequately designed and operating configuration management, and 4) the lack of effective segregation of duties controls within financial applications. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and USCIS financial data could be exploited thereby compromising the integrity of financial data used by management and reported in USCIS’s financial statements.
USCIS management should ensure that there is emphasis placed on the completion, monitoring and enforcement of IT security-related policies and procedures. On-going measures to improve the IT security considerations for key financial systems utilized by USCIS and implement effective access controls, segregation of duties and configuration management controls need to be completed.
While the recommendations made by KPMG should be considered by USCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.
3 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 9: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/9.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
IT GENERAL CONTROL FINDINGS BY AUDIT AREA
Findings Contributing to a Material Weakness Deficiency in IT
During the FY 2009 financial statement audit, we identified the following IT control deficiencies that are considered a material weakness:
1. Configuration Management – we noted:
� Security configuration management weaknesses on the Active Directory Exchange (ADEX). These weaknesses included default configuration settings, inadequate patches, and weak password management.
2. Security Management – we identified:
�
�
�
Background investigations are not conducted in a timely manner.
Procedures for transferred/terminated personnel exit processing are not finalized.
IT Security training is not mandatory nor is compliance monitored.
3. Access controls – we identified:
�
�
Ineffective safeguards over physical access to sensitive facilities and resources.
The following account management weaknesses over ADEX, CLAIMS 3 LAN, and CLAIMS 4:
�
�
�
�
�
�
The lack of recertification of system administrators and system users.
Inefficient definition and documentation of CLAIMS 3 LAN and CLAIMS 4 access roles were noted.
User access is not documented and maintained for CLAIMS 3 LAN and CLAIMS 4.
CLAIMS 3 LAN and CLAIMS 4 password configurations do not meet DHS requirements.
Terminated personnel still have active user accounts within CLAIMS 3 LAN and CLAIMS 4.
Generic user accounts exist for the CLAIMS 3 LAN.
�
�
Lack of policies and procedures for maintaining and reviewing CLAIMS 3 LAN and CLAIMS 4 audit logs.
Lack of processes in place for sanitization of equipment and media.
4. Segregation of Duties– we identified: � Segregation of duties controls were not enforced through access authorizations in
CLAIMS 4.
4 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 10: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/10.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Recommendations: Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Office of the Chief Information Officer, make the following improvements to ICE’s information technology:
1. Configuration Management:
�
�
�
�
�
Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities. In addition, we recommend that ICE periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches.
Perform vulnerability assessments and penetration tests on all offices of the ICE, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance.
Develop a more thorough approach to track and mitigate configuration management and resource vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to their environment.
Develop a process to verify that systems identified with “HIGH/MEDUIM Risk” configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false-positive. All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant.
Implement the corrective actions identified during the audit vulnerability assessment as identified in the issued NFR.
2. Security Management:
�
�
�
�
Periodically review personnel files to confirm background investigations have been completed in accordance with DHS standards.
Adhere to exit clearance procedures and enforce personnel adherence in the event of transfer\termination.
Implement mandatory requirements for IT security personnel to complete training consistent with their job duties.
Establish and implement requirements for personnel to complete Computer Security Awareness training annually. Also, develop a process to disable user accounts and access privileges for non compliant staff.
3. Access Controls:
� Establish and implement emergency exit and re-entry procedures at the Technology Engineering Consolidation Center (TECC).
5 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 11: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/11.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
�
�
�
�
�
�
Implement effective physical access controls over the server cage which houses USCIS servers at the TECC. Conduct and document annual reviews of application users and users with system administrator access to ADEX. Establish and enforce procedures for the completion and maintenance of user access forms for CLAIMS 3 LAN and CLAIMS 4 across all service centers. Establish a process to ensure CLAIMS 3 LAN and CLAIMS 4 are configured to meet DHS password configuration requirements. Develop and implement policies and procedures to remove terminated users and generic accounts from the CLAIMS 3 LAN. Establish a process to review and maintain system audit logs.
4. Segregation of Duties: � Define and document the policies and procedures for identifying and approving
CLAIMS 4 user roles\profiles to include user responsibilities and segregation of duties initiatives.
USCIS Specific Recommendations:
5. We recommend that the offices of the USCIS CIO, ICE CIO, and DHS CIO coordinate to develop an Interagency Agreement for the ICE/USCIS relationship. The agreement should be developed using appropriate guidance from NIST 800-53. Specific to this NFR, the Interagency Agreement should document the processes by which ICE will notify USCIS of its planned remediation of the ADEX security vulnerabilities. USCIS should further take a proactive approach in monitoring the resolution of the ADEX vulnerabilities.
6. The USCIS CIO should ensure that USCIS has a sound understanding of the ICE security vulnerabilities that affect USCIS data integrity. USCIS should then develop remediation plans and compensating controls, as applicable, to address potential data integrity issues. For example, more frequent reconciliation of financial accounts may be required.
Cause\Effect: The ICE agency is not continuously monitoring the ICE ADEX General Support System (GSS) vulnerability assessment scans for patch and configuration management vulnerabilities. USCIS management has not proactively coordinated with ICE to establish a detailed and documented Interagency Agreement for the IT services provided by ICE. As a result, default configuration installations and unnecessary services operating on the ICE ADEX devices increases the ability to compromise the availability, integrity, and confidentiality of financial data on the network. Additionally, failure to apply critical vendor security patches exposes system and network devices to new and existing vulnerabilities. This can expose the information system controls environment
6 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 12: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/12.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
to security breaches, unauthorized access, service interruptions, and denial of service attacks. These weak IT controls at ICE, specifically with ADEX, have a direct and significant negative impact on USCIS financial data integrity. Consequently, USCIS requires additional resources to implement compensating controls needed to ensure fair presentation of its financial statements.
Due to a lack of USCIS management oversight, the controls environment remains weak and needs overall improvement. The lack of a strong controls environment increases the risk of improper handling of sensitive information, unauthorized access to financial data, improper staff training, and improper segregation of duties and least privilege principles.
Reasonable assurance should be provided that system user access levels are limited and monitored for appropriateness. The weaknesses identified within USCIS’s access controls increases the risk that staff may have access to a system that is outside the realm of their job responsibilities. This access could allow a person to intentionally or inadvertently use various functions to alter the integrity of executable files and scripts within the financial system.
Criteria: The Federal Information Security Management Act (FISMA) passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is to: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year’s IT audit we assessed the DHS component’s compliance with DHS Sensitive System Policy Directive 4300A.
7 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 13: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/13.jpg)
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
APPLICATION CONTROL FINDINGS
We did not identify any IT findings in the area of application controls during the FY 2009 Financial Statement Audit Engagement.
MANAGEMENT’S COMMENTS AND OIG RESPONSE
We obtained written comments on a draft of this report from the USCIS management. USCIS management agreed with our findings and recommendations. USCIS management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D.
OIG Response
We agree with the steps that USCIS management is taking to satisfy these recommendations.
8 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 14: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/14.jpg)
Appendix A
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Appendix A
Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of the FY 2009 Financial Statement Audit
9 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 15: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/15.jpg)
Appendix A
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Below is a description of significant USCIS and ICE financial management systems and supporting information technology (IT) infrastructure included in the scope of USCIS’s fiscal year (FY) 2009 Financial Statement Audit.
Locations of Review: USCIS Headquarters, Washington, DC; Verizon Data Center, Manassas, VA; Vermont Service Center, Burlington, VT.
ICE Headquarters, Washington, DC; The Burlington Finance Center (BFC), Burlington, VT; Department of Commerce (DOC) Office of Computer Services (OCS), Springfield, VA.
Systems Subject to Audit:
�
�
�
Federal Financial Management System (FFMS): It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements.
ICE Network: The ICE Network, also known as the Active Directory\Exchange (ADEX) E-mail System, is the general support system (GSS) for ICE and other DHS components, such as the USCIS.
Computer-Linked Application Management System (CLAIMS)3 Local Area Network (LAN): Provides a decentralized LAN based system that supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The Claims 3 LAN is located at each of the service centers (Nebraska, California, Texas, Vermont, and the National Benefits Center).
� CLAIMS 4: The system is a client/server application that tracks and manages naturalization applications. The central Oracle Database is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices.
10 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 16: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/16.jpg)
Appendix B
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Appendix B FY 2009 Notices of IT Findings and Recommendations at USCIS
11 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 17: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/17.jpg)
Appendix B
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:
Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors Report.
1 – Not substantial
2 – Less significant
3 – More significant
The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.
These rating are provided only to assist USCIS in the development of its corrective action plans for remediation of the deficiency.
12 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 18: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/18.jpg)
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CIS
-IT
09-0
1 W
e in
spec
ted
the
Nat
iona
l B
enef
its C
ente
r (N
BC
) C
LAIM
S 3
LAN
us
er
role
/resp
onsi
bilit
ies
docu
men
tatio
n an
d de
term
ined
that
the
syst
em se
tting
s an
d as
sign
ed u
ser
role
s w
ithin
the
sys
tem
do
not
accu
rate
ly re
flect
doc
umen
ted
user
resp
onsi
bilit
ies.
Con
tinue
to
de
fine
and
docu
men
t th
e va
rious
C
LAIM
S 3
LAN
ro
les
and
thei
r as
soci
ated
re
spon
sibi
litie
s for
the
rem
aini
ng se
rvic
e ce
nter
s.
X
2
CIS
-IT
09-0
2 N
BC
doe
s no
t per
form
per
iodi
c C
LAIM
S 3
LAN
use
r ac
cess
rev
iew
s to
ens
ure
that
use
rs'
leve
l of
acc
ess
rem
ains
ap
prop
riate
an
d th
ere
are
no
proc
edur
es
esta
blis
hed
for p
erfo
rmin
g pe
riodi
c re
view
s.
Esta
blis
h an
d im
plem
ent
polic
ies
and
proc
edur
es
for h
andl
ing,
revi
ewin
g, a
nd re
tent
ion
of C
laim
s 3
LAN
use
r acc
ount
requ
est f
orm
s.
X
2
CIS
-IT
09-0
3 M
anag
emen
t at t
he U
SCIS
Hea
dqua
rters
(HQ
) and
the
Serv
ice
Cen
ter,
Ver
mon
t ha
s no
t co
mpl
eted
or
in
adeq
uate
ly d
ocum
ente
d ac
cess
form
s fo
r CLA
IMS
3 LA
N a
nd C
LAIM
S 4,
syst
em u
sers
.
Esta
blis
h an
d en
forc
e pr
oced
ures
fo
r th
e co
mpl
etio
n an
d m
aint
enan
ce o
f us
er a
cces
s fo
rms
for
CLA
IMS
3LA
N a
nd C
LAIM
S 4
for
all
the
serv
ice
cent
ers.
X
2
CIS
-IT
09-0
4 Th
e U
SCIS
HQ
has
not
mai
ntai
ned
or d
ocum
ente
d a
sele
ctio
n of
sy
stem
ad
min
istra
tor’
s ac
cess
au
thor
izat
ion
form
s.
Con
duct
and
doc
umen
t ann
ual r
evie
ws
of a
ll us
ers
with
Act
ive
Dire
ctor
y sy
stem
adm
inis
trato
r acc
ess.
X
2
13
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
200
9 U
SCIS
Fin
anci
al S
tate
men
t Aud
it
![Page 19: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/19.jpg)
� � � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
e om
men
datio
n c
New
Issu
e R
epea
t Is
sue
Seve
rity
Rat
ing
CIS
-IT
09-0
6 Th
e bi
omet
ric
faci
al
reco
gniti
on
scan
ner
allo
wed
un
auth
oriz
ed p
erso
nnel
acc
ess
to U
SCIS
ser
ver r
oom
, an
d pr
oced
ures
reg
ardi
ng r
emov
al, a
utho
rizat
ion,
and
lo
ggin
g of
USC
IS b
acku
p m
edia
are
not
in p
lace
for
th
e Te
chno
logy
En
gine
erin
g C
onso
lidat
ion
Cen
ter
(TEC
C).
Esta
blis
h an
d im
plem
ent
back
up
med
ia
rete
ntio
n an
d ro
tatio
n po
licie
s. Es
tabl
ish
a nd
impl
emen
t em
erge
ncy
exit
and
re-e
ntry
pro
cedu
res .
Dev
elop
a p
roce
ss t
hat
assu
res
all
reso
urce
s w
ith a
cces
s to
the
USC
IS r
e sou
rces
adh
ere
to
the
polic
y an
d pr
oced
ure.
Im
plem
ent
stro
nger
phy
sica
l ac
cess
con
trols
ov
er t
he s
erve
r ca
ge d
oor
to p
reve
nt f
urth
er
unau
thor
ized
acc
ess
X
2
CIS
-IT
09-0
7 U
SCIS
has
not
fin
aliz
ed a
pol
icy
that
out
lines
the
proc
ess
for d
evel
opin
g fo
rms
for l
abel
ing
and
track
ing
the
disp
ositi
on p
roce
ss o
r pr
ovid
ed c
lear
ins
truct
ions
fo
r con
duct
ing
med
ia w
ipes
or p
urge
s of d
ata.
Upd
ate
and
final
ize
thei
r po
licie
s an
d pr
oced
ures
to
re
flect
th
eir
curr
ent
med
ia
sani
tizat
ion
oper
atio
n.
X
2
CIS
-IT
09-0
8 U
SCIS
doe
s no
t re
certi
fy i
ts s
yste
m a
dmin
istra
tor
acco
unts
on
an a
nnua
l bas
is.
Man
agem
ent
shou
ld
esta
blis
h a
mor
e tim
ely
proc
ess
to p
erfo
rm a
per
iodi
c re
view
of
user
ac
coun
ts
ensu
ring
prop
er
auth
oriz
atio
n an
d tra
inin
g.
X
2
CIS
-IT
09-0
9 C
LAIM
S 3
LAN
pa
ssw
ord
re-u
se
and
leng
th
conf
igur
atio
ns
does
no
t m
eet
DH
S st
anda
rds.
CLA
IMS
3 LA
N g
ener
ic u
ser a
ccou
nts
was
not
tim
ely
rem
oved
be
caus
e of
a
lack
of
us
er
acco
unt
rece
rtific
atio
n.
� � Es
tabl
ish
a pr
oces
s to
en
sure
th
at
USC
IS
syst
ems
are
conf
igur
ed to
mee
t min
imum
DH
S pa
ssw
ord
conf
igur
atio
ns a
nd re
quire
men
ts.
Rem
ove
all
gene
ric a
ccou
nts
to C
LAIM
S 3
LAN
pro
duct
ion
syst
ems
and
perf
orm
per
iodi
c re
view
s of
th
e us
er
acce
ss
list
to
ensu
re
com
plia
nce.
X
2
14In
form
atio
n T
echn
olog
y M
anag
emen
t Let
ter
for
the
FY 2
009
USC
IS F
inan
cial
Sta
tem
ent A
udit
![Page 20: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/20.jpg)
� � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
tyR
atin
g C
IS-I
T09
-10
CLA
IMS
4 LA
N p
assw
ord
conf
igur
atio
n se
tting
s do
es
not m
eet D
HS4
300A
pas
swor
d st
anda
rds.
We
reco
mm
end
that
USC
IS e
stab
lish
a pr
oces
s to
en
sure
CLA
IMS
4 LA
N i
s co
nfig
ured
to
mee
t D
HS4
300A
pas
swor
d co
nfig
urat
ion
stan
dard
s.
X
2
CIS
-IT
09-1
1 W
e id
entif
ied
that
an
in
adeq
uate
ba
ckgr
ound
inve
stig
atio
n w
as p
erfo
rmed
and
doc
umen
ted
for
one
new
hire
per
sonn
el fr
om a
sam
ple
of 2
5.
We
reco
mm
end
that
U
SCIS
m
anag
emen
t pe
riodi
cally
re
view
pe
rson
nel
files
to
co
nfirm
back
grou
nd in
vest
igat
ions
hav
e be
en c
ompl
eted
in
acco
rdan
ce w
ith D
HS
stan
dard
s.
X
2
CIS
-IT
09-1
2 W
e in
spec
ted
a sa
mpl
e of
pe
rson
nel
that
ha
dte
rmin
ated
/tran
sfer
red
from
the
ir em
ploy
men
t w
ith
USC
IS.
Of
the
28
term
inat
ed/tr
ansf
erre
d U
SCIS
pers
onne
l sam
pled
, evi
denc
e of
com
plia
nce
with
exi
t cl
eara
nce
proc
edur
es c
ould
not
be
prov
ided
for
19
empl
oyee
s.
We
reco
mm
end
that
USC
IS m
anag
emen
t adh
ere
to
exit
clea
ranc
e pr
oced
ures
and
requ
ire p
erso
nnel
to
follo
w th
em in
an
even
t of t
rans
fer/t
erm
inat
ion.
X
2
CIS
-IT
09-1
3 V
erm
ont
Serv
ice
Cen
ter
(VSC
) ha
s in
effe
ctiv
esa
fegu
ards
ove
r th
e co
mpu
ter
room
in
the
Off
ice
of
Info
rmat
ion
Tech
nolo
gy
(OIT
).
VSC
pr
oced
ures
re
gard
ing
the
rem
oval
, au
thor
izat
ion
and
logg
ing
of
back
up m
edia
are
not
in
plac
e.
VSC
pro
cedu
res
for
ensu
ring
accu
racy
and
com
plet
enes
s ov
er v
isito
r lo
gs
are
not e
nfor
ced.
Esta
blis
h an
d im
plem
ent
proc
edur
es
for
mai
ntai
ning
an
d au
thor
izin
g th
e O
IT’s
co
mpu
ter r
oom
acc
ess l
ist.
Esta
blis
h an
d im
plem
ent
back
up
med
ia
rete
ntio
n an
d ro
tatio
n po
licie
s.
Enfo
rce
com
plet
enes
s an
d ac
cura
cy o
ver v
isito
r in
form
atio
n in
logs
.
X
2
15In
form
atio
n T
echn
olog
y M
anag
emen
t Let
ter
for
the
FY 2
009
USC
IS F
inan
cial
Sta
tem
ent A
udit
![Page 21: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/21.jpg)
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CIS
-IT
09-1
4 D
urin
g ou
r tes
ting
of a
cces
s co
ntro
ls fo
r FFM
S, in
our
sa
mpl
e of
25
activ
e us
ers,
we
note
d on
e us
er’s
acc
ess
was
exc
essi
ve, b
ased
on
the
acce
ss a
ppro
ved
by th
eir
pres
ent s
uper
viso
r. W
e le
arne
d th
at th
is u
ser’
s pr
ofile
w
as c
hang
ed a
s the
use
r rel
ocat
ed to
a d
iffer
ent s
ervi
ce
cent
er.
How
ever
, w
hen
the
prof
ile
chan
ge
was
re
ques
ted,
the
FFM
S ad
min
istra
tor
did
not r
emov
e al
l pr
evio
us a
cces
s no
r as
sure
that
the
acce
ss r
ight
s w
ere
curr
ent
and
auth
oriz
ed.
As
a re
sult,
the
use
r ha
d ex
cess
ive
priv
ilege
s fo
r he
r ro
le a
nd r
espo
nsib
ilitie
s. W
e al
so n
oted
that
the
USC
IS S
OP
did
not r
efle
ct th
is
proc
edur
e th
ough
we
lear
ned
thro
ugh
inqu
iry th
at th
e FF
MS
adm
inis
trato
rs a
re r
equi
red
to r
emov
e al
l prio
r ac
cess
whe
n pe
rfor
min
g a
prof
ile c
hang
e.
As
a re
sult
of o
ur t
est
wor
k, U
SCIS
res
pond
ed b
y re
mov
ing
the
exce
ssiv
e ac
cess
to re
flect
the
user
’s ro
le
and
resp
onsi
bilit
ies.
In a
dditi
on, U
SCIS
upd
ated
thei
r SO
P to
requ
ire a
ll pr
evio
us a
cces
s to
be c
onfir
med
and
re
mov
ed p
rior t
o gr
antin
g ne
w a
cces
s rol
es.
We
reco
mm
end
that
USC
IS e
stab
lish
and
enfo
rce
polic
ies
and
proc
edur
es th
at e
nsur
e th
at r
oles
and
re
spon
sibi
litie
s ar
e co
mm
ensu
rate
with
the
ir jo
b fu
nctio
n.
X
2
CIS
-IT
09-1
5 W
e id
entif
ied
a la
ck o
f aud
it lo
ggin
g po
licie
s ov
er th
e ap
plic
atio
n an
d se
rver
log
s fo
r th
e C
LAIM
S 3
and
CLA
IMS
4 LA
N sy
stem
.
We
reco
mm
end
that
USC
IS e
stab
lish
and
enfo
rce
polic
ies
and
proc
edur
es
for
mai
nten
ance
an
d re
view
of a
udit
logg
ing.
X
2
16
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
200
9 U
SCIS
Fin
anci
al S
tate
men
t Aud
it
![Page 22: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/22.jpg)
� �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
tyR
atin
g C
IS-I
T09
-16
We
iden
tifie
d w
eakn
esse
s w
ithin
acc
ess
cont
rols
for
C
LAIM
S 4
over
lac
k of
pro
cedu
res
for
rece
rtify
ing
user
acc
ess,
lack
of
evid
ence
of
leas
t pr
ivile
ge a
nd
segr
egat
ion
of d
utie
s co
ntro
ls,
and
untim
ely
rem
oval
of
term
inat
ed p
erso
nnel
acc
ount
s.
� � �
Esta
blis
h an
d im
plem
ent
polic
ies
and
proc
edur
es
for
the
hand
ling,
pe
riodi
cally
re
view
ing,
an
d re
tain
ing
CLA
IMS
4 us
er
acco
unt r
eque
st fo
rms.
Def
ine
and
docu
men
t po
licie
s an
d pr
oced
ures
fo
r id
entif
ying
and
app
rovi
ng C
LAIM
S 4
user
ro
les/
prof
iles
to
incl
ude
the
user
’sre
spon
sibi
litie
s. In
add
ition
, th
e po
licie
s an
d pr
oced
ures
sh
ould
ad
dres
s an
d im
plem
ent
segr
egat
ion
of d
utie
s pro
cedu
res.
Dev
elop
po
licie
s an
d pr
oced
ures
fo
r th
ere
mov
al o
f tra
nsfe
rred
/term
inat
ed u
sers
with
in
CLA
IMS
4 up
on th
eir s
epar
atio
n fr
om U
SCIS
.
X
2
CIS
-IT
09-1
7 W
e id
entif
ied
wea
knes
ses
with
in m
onth
ly tr
aini
ngs
of
USC
IS’ I
SSO
s. W
e re
com
men
d th
at
USC
IS
man
agem
ent
impl
emen
t man
dato
ry tr
aini
ng re
quire
men
ts fo
r IT
secu
rity
pers
onne
l to
com
plet
e tra
inin
g co
nsis
tent
w
ith th
eir j
ob fu
nctio
n du
ties.
X
2
CIS
-IT
09-1
8 W
e de
term
ined
th
at
wea
knes
ses
exis
t re
late
d to
CLA
IMS3
LA
N a
cces
s. Sp
ecifi
cally
, we
iden
tifie
d 21
us
ers
whi
ch w
ere
sepa
rate
d fr
om U
SCIS
and
stil
l re
tain
ed a
cces
s to
the
CLA
IM3
LAN
.
We
reco
mm
end
that
USC
IS m
anag
emen
t dev
elop
an
d im
plem
ent
polic
ies
and
proc
edur
es f
or t
he
rem
oval
of
sepa
rate
d us
ers
with
in C
LAIM
S 3
LAN
upo
n th
eir s
epar
atio
n.
X
2
CIS
-IT
09-1
9 W
e te
sted
a s
ampl
e of
per
sonn
el th
at w
ere
requ
ired
to
com
plet
e an
nual
C
ompu
ter
Secu
rity
Aw
aren
ess
Trai
ning
dur
ing
the
fisca
l ye
ar.
Of
the
thirt
y (3
0)pe
rson
nel s
ampl
ed, e
vide
nce
of c
ompl
ianc
e co
uld
not
be p
rovi
ded
for
two
(2)
empl
oyee
s. A
dditi
onal
ly,
proc
edur
es a
re n
ot i
n pl
ace
to d
isab
le u
ser
acco
unts
Esta
blis
h an
d im
plem
ent
requ
irem
ents
fo
r pe
rson
nel
to
com
plet
e C
ompu
ter
Secu
rity
Aw
aren
ess T
rain
ing
annu
ally
. D
evel
op a
pro
cess
to d
isab
le u
ser a
ccou
nts a
nd
acce
ss p
rivile
ges
in a
ccor
danc
e w
ith D
HS
polic
ies f
or e
mpl
oyee
s not
in c
ompl
ianc
e.
X
2
17In
form
atio
n T
echn
olog
y M
anag
emen
t Let
ter
for
the
FY 2
009
USC
IS F
inan
cial
Sta
tem
ent A
udit
![Page 23: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/23.jpg)
� � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
tyR
atin
g an
d ac
cess
pr
ivile
ges
if an
nual
tra
inin
g is
no
t co
mpl
eted
on
a tim
ely
basi
s.
CIS
-IT
09-2
0 D
urin
g th
e in
tern
al v
ulne
rabi
lity
asse
ssm
ent e
ffor
ts o
f ne
twor
k se
rver
s an
d sy
stem
s w
e id
entif
ied
seve
ral
Hig
h/
Med
ium
R
isk
vuln
erab
ilitie
s, re
late
d to
co
nfig
urat
ion
man
agem
ent.
We
dete
rmin
ed
that
secu
rity
conf
igur
atio
n m
anag
emen
t w
eakn
esse
s (i.
e.,
mis
sing
sec
urity
pat
ches
and
inc
orre
ct c
onfig
urat
ion
setti
ngs)
exi
st o
n ho
sts s
uppo
rting
the
ICE.
In
addi
tion
to
addr
essi
ng
the
spec
ific
vuln
erab
ilitie
s id
entif
ied
in
the
cond
ition
, IC
E sh
ould
: Red
istri
bute
pro
cedu
res
and
train
em
ploy
ees
on c
ontin
uous
ly m
onito
ring
and
miti
gatin
g vu
lner
abili
ties.
In a
dditi
on,
we
reco
mm
end
that
ICE
perio
dica
lly m
onito
r the
exi
sten
ce o
f un
nece
ssar
y se
rvic
es a
nd p
roto
cols
run
ning
on
th
eir
serv
ers
and
netw
ork
devi
ces,
in
addi
tion
to d
eplo
ying
pat
ches
. Pe
rfor
m
vuln
erab
ility
as
sess
men
ts
and
pene
tratio
n te
sts
on a
ll of
fices
of
the
ICE,
fr
om a
cen
trally
man
aged
loc
atio
n w
ith a
st
anda
rdiz
ed
repo
rting
m
echa
nism
th
atal
low
s fo
r tre
ndin
g, o
n a
regu
larly
sch
edul
ed
basi
s in
acco
rdan
ce w
ith N
IST
guid
ance
. D
evel
op a
mor
e th
orou
gh a
ppro
ach
to t
rack
an
d m
itiga
te
conf
igur
atio
n m
anag
emen
t vu
lner
abili
ties
iden
tifie
d du
ring
mon
thly
sc
ans.
ICE
shou
ld m
onito
r th
e vu
lner
abili
ty
repo
rts
for
nece
ssar
y or
re
quire
dco
nfig
urat
ion
chan
ges t
o th
eir e
nviro
nmen
t.
X
N\A
-Is
sued
af
ter
rele
ase
ofD
HS
audi
tre
port
18In
form
atio
n T
echn
olog
y M
anag
emen
t Let
ter
for
the
FY 2
009
USC
IS F
inan
cial
Sta
tem
ent A
udit
![Page 24: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/24.jpg)
� � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ec m
men
datio
n o
New
Issu
e R
epea
t Is
sue
Seve
rity
Rat
ing
Dev
elop
a p
roce
ss t
o ve
rify
that
sys
tem
s id
entif
ied
with
“H
IGH
/MED
UIM
R
isk”
conf
igur
atio
n vu
lner
abili
ties d
o no
t app
ear o
n su
bseq
uent
m
onth
ly
vuln
erab
ility
sc
an
repo
rts,
unle
ss
they
ar
e ve
rifie
d an
d do
cum
ente
d as
a f
alse
-pos
itive
. A
ll ris
ksid
entif
ied
durin
g th
e m
onth
ly sc
ans s
houl
d be
m
itiga
ted
imm
edia
tely
, and
not
be
allo
wed
to
rem
ain
dorm
ant.
USC
IS sh
ould
:
We
reco
mm
end
that
the
offic
es o
f th
e U
SCIS
C
IO,
ICE
CIO
, an
d D
HS
CIO
coo
rdin
ate
to
deve
lop
an I
nter
agen
cy A
gree
men
t fo
r th
e IC
E/U
SCIS
re
latio
nshi
p.
The
agre
emen
t sh
ould
be
de
velo
ped
usin
g ap
prop
riate
gu
idan
ce f
rom
NIS
T 80
0-53
. Spe
cific
to
this
N
FR,
the
Inte
rage
ncy
Agr
eem
ent
shou
lddo
cum
ent
the
proc
esse
s by
whi
ch I
CE
will
no
tify
USC
IS o
f its
pla
nned
rem
edia
tion
of th
e A
DEX
sec
urity
vul
nera
bilit
ies.
USC
IS s
houl
d fu
rther
ta
ke
a pr
oact
ive
appr
oach
in
m
onito
ring
the
reso
lutio
n of
th
e A
DEX
vu
lner
abili
ties.
The
USC
IS C
IO sh
ould
ens
ure
that
USC
IS h
as
a so
und
unde
rsta
ndin
g of
the
IC
E se
curit
y vu
lner
abili
ties
that
af
fect
U
SCIS
da
ta
inte
grity
. U
SCIS
sh
ould
th
en
deve
lop
rem
edia
tion
plan
s an
d co
mpe
nsat
ing
cont
rols
,
19In
form
atio
n T
echn
olog
y M
anag
emen
t Let
ter
for
the
FY 2
009
USC
IS F
inan
cial
Sta
tem
ent A
udit
![Page 25: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/25.jpg)
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
200
9
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
as
appl
icab
le,
to
addr
ess
pote
ntia
l da
ta
inte
grity
iss
ues.
For
exam
ple,
mor
e fr
eque
nt
reco
ncili
atio
n of
fin
anci
al a
ccou
nts
may
be
requ
ired.
20
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
200
9 U
SCIS
Fin
anci
al S
tate
men
t Aud
it
![Page 26: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/26.jpg)
Appendix C
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Appendix C
Status of Prior Year Notices of Findings and Recommendations and Comparison to
Current Year Notices of Findings and Recommendations at USCIS
21 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 27: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/27.jpg)
Appendix C
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Disposition
NFR No. Description Closed Repeat
CIS-IT-08-01 Lack of Definition and Documentation of Access Roles at the National Benefits Center for CLAIMS 3 LAN 09-01
CIS-IT-08-02 Periodic CLAIMS 3 LAN User Access Reviews are not Performed at the NBC 09-02
CIS-IT-08-03 Incomplete or Inadequate Access Request Forms for CLAIMS 3 LAN, CLAIMS 4, and CISCOR System Users at Headquarters and the Service Centers
09-03
CIS-IT-08-04 Ineffective Controls for Restricting Security Software Exist
09-04
CIS-IT-08-06 Weak Data Center Access Controls 09-06
CIS-IT-08-07 Equipment and Media Policies and Procedures are not Current 09-07
CIS-IT-08-08 Weak Access Controls for Security Software Exist
09-08
22 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 28: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/28.jpg)
Appendix D
Department of Homeland Security United States Citizenship and Immigration Services
Information Technology Management Letter September 30, 2009
Appendix D
USCIS Management’s Comments
23 Information Technology Management Letter for the FY 2009 USCIS Financial Statement
Audit
![Page 29: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/29.jpg)
U.S. Ut.>llartmcnl of Ilumcl:md St'curilJU.S. Cnizcnship :lml IrnrlllgrauQn Sen icesUbic/! ufl/I/! Cltif'f"!forl/ltl//Ull Ubic<'"Waihwgtol1. DC 2052')
u.s. Citizenshipand IrrunigrationServices
April 28. 2010
Memorandum
TO: Frank DefferAssistant Inspector General for Information Technology AuditU.S. Dcpartment of Homeland Security
FROM: LeSlie Hope ,-1/ IJ;~ati[ b'mccr, ActingVC'hief Inform
SUBJ ECT: Managcment Rcsponse to the IT Managemcnt Letter for the FY 2009 U.S.Citizenship and Immigration Services Financial Integrated Audit
We would like to thank you for the opp0rlunity to review and comment on the rr ManagcmentLeiter for the FY 2009 U.S. Citizenship and Immigration Services Financial Integratcd Audit.USCIS requests that your Office make the following changes to the Independent Auditor's ITManagement Letter report.
Except for the items notcd below, USCIS agrees <lnd accepts all finding, cOl11ments. andconclusions the independent auditors exprcssed in the IT Management Letter report.
Findings Contributing to .a Material Weakness Deficiencv in IT
During the FY 2009 financial statemcnt audit, we identified the following IT control deficiencythat is considered a material weakness:
I. Configuration Management - we noted:
• Security configuration management weakncsses on the Active Directory Exchangc(ADEX). These weaknesses included default configuration scttings, inadequate patchcs,and weak password management.
Recommendations: Unless specifically noted where USCIS needs to take specific correctiveaction, we recommend that the USCIS Chief Infonnation Officer (CIO) and Chief FinancialOfficer (CFO), in coordination with the ICE Office of Chief Financial Officer and the ICE Oflice
www.u:.cis.go\,
Appendix D Department of Homeland Security
Immigration and Customs Enforcement Information Technology Management Letter
September 30, 2009
24 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 30: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/30.jpg)
Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigration Services Financial Integrated AuditPage 2
of the Chieflnfonnation Officer, make the following improvemems to ICE's infonnationtechnology security program:
Suggested Change:
"During the FY 2009 financial statement audit, we identified that the Immigration and CustomsEnforcement (ICE) Headquarters hosts the Active Directory Exchange (ADEX), GeneralSupport System (GSS) and a key financial application for USCIS. We identified the followingICE IT control deficiencies that significantly impact USCIS and are considered materialweaknesses:
I. Configuration Management - we noted:
Several HighlMedium risk vulnerabilities related to configuration management were identified.
• Security configuration management weaknesses on the ICE's ADEX. These weaknessesincluded default configuration settings, inadequate patches, and weak passwordmanagement.
Recommendations: Unless specifically noted where USCIS needs to take specific correctiveaction, we recommend that the USCIS Chieflnfonnation Officer (CIO) and Chief FinancialOfficer (CFO), in coordination with the ICE Office orChid Financial Officer and the ICE Officeof the Chief Infonnation Officer, make the following improvemcnts to ICE's infonnationtechnology security program:
"ICE Specific Recommendations"
Your recommendation statement alludes to USCIS having control over actions to be perfonnedby ICE. Recommendations I through 5 are strictly ICE's actions within their control. Yourstatement does not clearly identify these as actions ICE must take.
Other Findings
The following IT and financial system control deficiencies that contributed to a materialweakness are noted below:
I. Securily Management - we identified:
• Background investigations are not conducted in a timely manner.• Procedures for transferredltenninated personnel exit processing are not finalized.• IT Security training is not mandatory nor is compliance monitored...
Recommendations: We recommend that the USCIS CIO and CFO, in coordination with the DHSOffice ofChief Financial Officer and the DHS Office ofthc Chieflnfonnation Officer, make the
Appendix D Department of Homeland Security
Immigration and Customs Enforcement Information Technology Management Letter
September 30, 2009
25 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 31: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/31.jpg)
Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigntion Services Financial Integrated AuditPage 3
following improvements to USCIS' financial management systems and associated informationtechnology security program."
Response Comment;
USCIS has realigned its mission support activitics undcr an Associate Director Management.The new Associate Director has taken action to correct the three deficiencies under his span ofcontrol.
Appendix A
Systems SubjectJO Audit
• Computer Linked Application Management System (CLAIMS) 3 Local Area Network(LAN): Provides a decentralized LAN based system that supports the requirements ofthe Direct Mail Phase I and U, Immigntion Act of 1990 (IMMACT 90) and USCISfonns improvement projects. The Claims 3 LAN is located at each of the service centC13(Nebraska, California, Texas., Vermont) and the National Benefits Center.
Suggested Change:
• Computer Linked Application Management System (CLAIMS) 3 Local Area Network(LAN): Provides a decentralized LAN based system that supports the requirements ofthe Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCISfonns improvement projccts. The CLAIMS 3 LAN is located at each of the servicecenters (i.e., Nebraska, California, Texas, and Vermont) and the National BenefitsCenter.
Appendix B - Notice of Findings and Recommendations Table
NFR II; CIS-IT-09-04
Condition; The USCIS HQ has not maintained or documented a selection of systemadministrator's access authorization forms.
Recommendation: Conduct and document annual reviews of all users with Active Directorysystems administrator access."
Suggested Ch3llge:
Condition: The USCIS has not maintained or documented a selection ofADEX systemadministrator's access authorization fonns.
Recommendation: Conduct and document annual reviews ofall users with Active Directorysystems administrator access in coordination with ICE."
Appendix D Department of Homeland Security
Immigration and Customs Enforcement Information Technology Management Letter
September 30, 2009
26 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 32: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/32.jpg)
Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigrntion Services Financial Integrated AuditPage 4
NFR #: CIS-IT-09-08
Condition: USCIS does not recertify its systcm administrator accounts on an annual basis.
Suggested Change:
Condition: USCIS does not recertify its Local PICS Officer (LPO) accounts on an annual basis.
NFR #: CIS·IT·09·10
Condition: CLAIMS 4 LAN password configuration settings does not meet DHS 4300Apassword standards.
Recommendation: We recommend that USCIS establish a process to ensure CLAIMS 4 LAN isconfigured to meet DHS 4300A password configuration standards.
Suggested Change:
Condition: CLAIMS 4 password configuration setting for password history does not meet DHS4300A password standards.
Recommendation: We recommend CLAIMS 4 password history selling be changed from 6generations to 8 generations to meet DHS 4300A password configuration standards.
NFR II: CIS-IT-II and CIS-IT-12
Note: The OCIO is not the owner ofthcse processes. These NFRs were signed by and are theresponsibility of the Office ofSecurity and Integrity (OSI) and the Office of Human Capital andTraining (HCT).
NFR #: CIS-IT-09-14
Note: The OCIO is not the owner of this process. This NFR was signed by and is theresponsibility of the OCFO. They grant, remove, and monitor access to FFMS.
NFR II: CIS·IT·OS·OJDescription: Lack of Definition and Documentation of Access Roles at the National BenefitsCenter for CLAlMS 3 LAN.
NFR II: CIS~IT-08-04Description: Ineffective Controls for Restricting Security Software Exist.
NFR#: CIS-IT-08-08Description: Weak Access Controls for Security Software Exist.
Appendix D Department of Homeland Security
Immigration and Customs Enforcement Information Technology Management Letter
September 30, 2009
27 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 33: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/33.jpg)
Management Response to the IT Management Letter for the FY 2009 U.S. Citizenship andImmigration Services Financial Integrated AuditPageS
Suggested Change:
NFR #: CIS-IT-OS-QlDescription: Inefficient Definition and Documentation of Access Roles at the National BenefitsCenter for CLAIMS 3 LAN.
As stated, it gives the impression that Definition and Documentation of Access Roles do notexist.
NFR #: CIS-IT-08-04Description: Periodic Active Directory and Eltchange (ADEX) system administrator accessreviews are not perfonned at USCIS.
As stated, it gives the impression all controls related to security software are ineffective. Thesigned NFR specifically addresses ADEX.
NFR #: CIS·IT·08·08Description: Weak Access Controls for Security Software Eltist within the Password Issuanceand Control System (PIeS).
As stated. it gives the impression all controls related to security software are weak. The signedNFR specifically addresses PICS.
USCIS is committed to resolving all control deficiencies and weaknesses idenlified in the auditand have prepared Mission Action Plans to resolve and improve the Agency's infomtationtechnology controls.
USCIS appreciates the cooperation and respect that your staff provided during the course of theaudit and looks forward to continuing our strong working relationship with your office.
If you have any questions regarding our comments, plcase cOnlnct Leslie Hope, Acting ChiefInfonnation Officer at (202) 272-1018.
Appendix D Department of Homeland Security
Immigration and Customs Enforcement Information Technology Management Letter
September 30, 2009
28 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 34: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/34.jpg)
Appendix E
Department of Homeland Security Immigration and Customs Enforcement
Information Technology Management Letter September 30, 2009
Appendix D
Report Distribution
29 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 35: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/35.jpg)
Appendix E
Department of Homeland Security Immigration and Customs Enforcement
Information Technology Management Letter September 30, 2009
Report Distribution
Department of Homeland Security
Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Director, USCIS DHS Chief Information Officer DHS Chief Financial Officer Associate Director-Management, USCIS Acting Chief Financial Officer, USCIS Acting Chief Information Officer, USCIS Chief Information Security Officer Assistant Secretary, Policy Assistant Secretary for Public Affairs Assistant Secretary for Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison USCIS Audit Liaison
Office of Management and Budget
Chief, Homeland Security Branch DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees as Appropriate
30 Information Technology Management Letter for the FY 2009 USCIS Financial Statement Audit
![Page 36: Department of Homeland Security Office of Inspector General · DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management](https://reader033.fdocuments.net/reader033/viewer/2022050501/5f937e3145b111511e6d9800/html5/thumbnails/36.jpg)
ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:
DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.
The OIG seeks to protect the identity of each writer and caller.