
An inspector general report has called on DHS to strengthen its internal IT security controls after finding three of its components—USCIS, FEMA and ICE—had similar issues with managing access for employees who leave or change jobs and managing high-level access.
“We attributed these deficiencies to insufficient internal controls and oversight to ensure access controls were administered appropriately and effectively to prevent unauthorized access,” said the report.
For example, it said that even though DHS policy requires that access for separated personnel must be disabled immediately, “we found that, on average, 64 percent of separated individuals we tested had access to DHS systems and information beyond their last workday.” That included 84 percent at ICE, 75 percent at FEMA and 33 percent at USCIS.
Supervisors “did not appropriately follow component account deactivation procedures,” it said, adding that while all three components have automated processes that act as a backstop, in the case of FEMA that does not kick in until 45 days after an employee separates.
It said that in reviews of what levels of access individuals were assigned after being transferred within their components, there was no evidence that management had reviewed system access or removed unneeded privileges for 3,700. “Instead of formally tracking and enforcing access control requirements, each component expected personnel, such as supervisors and application gatekeepers, to proactively identify transferred personnel whose access needed to be reviewed,” it said.
The IG also found that although all three had criteria for monitoring privileged user accounts—which it said are a special target of attackers because they give access to the most sensitive assets—USCIS and FEMA “did not monitor these accounts as required” and auditors “identified 436 users who held inappropriate access to privileged accounts and may have had access to sensitive assets.”
“In addition to access control deficiencies, we found all three components did not implement required security settings and updates for their IT systems. This occurred because the components were concerned these IT controls might negatively impact operations. We also found DHS’ information security framework did not include the latest federal requirements for access controls because of an inconsistent process for identifying and implementing required policy changes,” it said.
DHS management did not submit comments to the report, which re-emphasized prior recommendations the IG had made in those areas.