FEMA still weak on IT security, auditors say

The Federal Emergency Management Agency is still struggling to secure its information technology systems with 31 weaknesses carried over from previous years and 13 new weaknesses identified in fiscal 2007, according to a new audit report released by Homeland Security Department Inspector General Richard Skinner. FEMA corrected 10 weaknesses last year, and it developed new policies, processes and procedures to comply with cybersecurity guidelines, states the report on FEMA’s IT issues related to financial controls, written by the KPMG LLP auditing firm. Overall, FEMA continues to suffer from weak controls on employee and contractor passwords, shortcomings in application service development and service continuity, and a weakness in its systemwide documentation, among other problems, the report states. “These issues collectively limit FEMA’s ability to ensure that critical financial and operational data is maintained in a manner to ensure confidentiality, integrity and availability,” the report states. “Consequently, these weaknesses negatively impacted the internal controls over FEMA financial reporting and its operation,” KPMG said. FEMA managers generally agreed with the findings. Among the problems identified in the report: