IG: Weak controls jeopardize TSA's financial data
Agency's failure to limit access to computer systems to the employees who need it leaves information vulnerable, auditors say.
Lax control of access to information technology systems makes the Transportation Security Administration's financial statements vulnerable to tampering, according to a new inspector general report.
An audit by the consulting firm KPMG identified 15 control deficiencies that could affect the reliability of TSA's financial data, 13 of which were repeats from fiscal 2008, the Homeland Security Department IG noted in the report.
"Collectively, the IT control weaknesses limited TSA's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity and availability," the report stated. "In addition, these weaknesses negatively impacted the internal controls over TSA financial reporting and its operation, and we consider them to collectively represent a material weakness for TSA."
TSA does not review computer accounts to ensure people who have left the agency are locked out, and does not check the privileges associated with each active account regularly to ensure that level of access remains necessary, the IG found. The report also noted weaknesses related to security patch and security configuration management for the financial reporting system.
"The weaknesses identified within TSA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual, or another person with knowledge of an active account of a terminated employee, could use the account to alter the data contained within the application or database," the IG said.
Auditors also noted cracks in TSA's procedures for recovering data following a disaster. The agency made strides in testing recovery procedures during fiscal 2008 and improved emergency response training for personnel with data center access, but failed to incorporate the results of the tests in its continuity of operations plan, the report said.
TSA officials generally agreed with the report's findings and said they plan to implement the IG's recommendations.
NEXT STORY: Mega Cyber Brief Coming Soon