Audit shows continued weaknesses in FEMA's IT security
Amid a growing list of problems, agency still must address inadequate control over access to computer systems.
A recent audit found that the Federal Emergency Management Agency has failed to correct a number of information technology security weaknesses flagged last year.
Comment on this article in The Forum.The audit, conducted by the accounting firm KPMG on behalf of Homeland Security Inspector General Richard Skinner and released Monday, found that FEMA failed to correct 31 security issues discovered in fiscal 2007. The agency successfully addressed only 10 of the issues identified. Moreover, auditors found 13 new weaknesses for fiscal 2008.
"These issues collectively limit FEMA's ability to ensure that critical financial and operational data is maintained in a manner to ensure confidentiality, integrity and availability," the report stated.
The audit, which was heavily redacted before release, identified problems in areas such as agencywide security and disaster planning, access and password controls, and documentation of security tests.
For example, auditors found that almost 800 former FEMA employees and contractors still had active accounts for the agency's computer systems. Auditors classified FEMA's password management controls as weak, adding the agency gave excessive access to certain sensitive or critical files and applications.
FEMA's strategy for continuing operations in the event of a disaster or service interruption has not been adequately tested, the report noted. In addition, the agency has not updated its list of mission-critical IT systems that would have to be restored at an alternate site in the event of an emergency.
Auditors recommended that FEMA officials address the remaining issues by focusing on monitoring and enforcing IT security policies and procedures. Many older vulnerabilities could be addressed by reconfiguring the agency's software to comply with DHS and National Institute of Standards and Technology requirements, the report stated.
FEMA officials concurred with the auditors' recommendations and detailed some steps they have taken to deal with the security issues. For example, the agency is developing a semiautomated, semiannual process to validate employees' access to systems and remove unnecessary accounts. In addition, the agency changed its wait for dropping locked accounts of terminated employees to 45 days from 90 days in accordance with DHS policy. The inspector general's office confirmed that FEMA is working to address the known weaknesses.
NEXT STORY: EPA site teaches children about fish