U.S. Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program, but the homeland security inspector general has cited opportunities to improve its security posture against threats posed by employees and contractors.
USCIS has established a "conviction task force" to review former employees convicted of criminal misconduct within the scope of their duties, it performs risk management for IT and financial management, developed exit procedures for employees, improved protection of its facilities and assets, and it adheres to formalized processes for some systems, according to OIG-11-33.
It said the agency is also implementing homeland security presidential directive 12, intended to improve physical and electronic account management.
However, the agency could improve security by putting in place an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes, the IG said.
It said USCIS could also centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-USCIS accounts, employ consistent policies for physical security, and consistently enforce employee exit procedures.
The agency concurred with all of the recommendations and has reportedly begun taking action to implement them.