information technology management letter for the fy 2010 dhs

Department of Homeland Security Office of Inspector General

Information Technology Management Letter for the FY 2010 DHS Financial

Statement Audit

(Redacted)

OIG-11-103 August 2011

Office of Inspector General

u.s. Department ofHOllleland Security Washington, DC 25028

Homeland Security

AUG 18 2011

Preface

The Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General Act of1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2010 DHS financial statement audit as of September 30,2010. It contains observations and recommendations related to information technology internal control that were summarized within the Independent Auditors' Report, dated November 12, 2010 and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit ofthe DHS' FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated April 26,2011; and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion in compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General Information Technology Audits

KPMG LLP 2001 M Street, NW Washington, DC 20036-3389

April 26, 2011

Inspector General U.S. Department of Homeland Security

Chief Information Officer U.S. Department of Homeland Security

Chief Financial Officer U.S. Department of Homeland Security

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2010, and the related statement of custodial activity for the year then ended (referred to herein as “financial statements”). We were also engaged to examine the Department’s internal control over financial reporting of the balance sheet as of September 30, 2010, and statement of custodial activity for the year then ended. In connection with our audit engagement, we also considered DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the balance sheet as of September 30, 2010 and the related statement of custodial activity for the year end. We were not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary resources, for the years ended September 30, 2010 (referred to herein as “other fiscal year (FY) 2010 financial statements”), or to examine internal control over financial reporting over the other FY 2010 financial statements. Because of matters discussed in our Independent Auditors’ Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to DHS’ financial systems Information Technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. We also noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting. These matters are described in the IT General Control and Financial System Functionality Findings section of this letter.

The material weakness described above is presented in our Independent Auditors’ Report, dated November 12, 2010. This letter represents the separate limited distribution report mentioned in that report.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control and Financial System Functionality Findings section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key DHS financial systems and IT infrastructure within the scope of the FY 2010 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated February 1, 2011.

DHS’s written response to our comments and recommendations has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Objective, Scope and Approach 1

APPENDICES

Appendix Subject Page

Summary of Findings and Recommendations 2

IT General Control Findings and Recommendations 3

Access Controls 3

Configuration Management 4

Security Management 4

Contingency Planning 5

Segregation of Duties 5

Financial System Functionality 5

Management Comments and OIG Response 6

A Description of Key DHS Financial Systems and IT Infrastructure within the Scope of the 7FY 2010 DHS Financial Statement Audit

B FY 2010 Notices of IT Findings and Recommendations at DHS 19

� Notice of Findings and Recommendations (NFR)– Definition of 20 Severity Ratings

C Status of Prior Year Notices of Findings and Recommendations and Comparison to 147 Current Year Notices of Findings and Recommendations at DHS

D Management Comments 153

E Report Distribution 155

Page

Department of Homeland Security Information Technology Management Letter

September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS


September 30, 2010

OBJECTIVE, SCOPE AND APPROACH During our engagement to perform an integrated audit of Department of Homeland Security (DHS), we evaluated the effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit as it relates to IT general controls assessments at DHS. The scope of the DHS IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

�

�

�

�

�

Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended. Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the DHS environment. The technical security testing was performed both over the Internet and from within select DHS facilities, and focused on test, development, and production devices that directly support key general support systems.

In addition to testing DHS’ general control environment, we performed application control tests on a limited number of DHS’ financial systems and applications. The application control testing was performed to assess the input, processing, and output of financial data and transactions that support the financial systems’ internal controls. Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

During FY 2010, we also considered the effects of financial system functionality while testing IT general and application controls and other internal controls over financial reporting. Many of the financial systems in use at DHS components were inherited from the legacy agencies and have not been substantially updated since the department’s inception. As a result, financial system functionality may be inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting at some components.

Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 1


September 30, 2010

SUMMARY OF FINDINGS AND RECOMMENDATIONS During our FY 2010 assessment of IT general and application controls and financial system functionality, we noted that the DHS made some progress in remediation of IT findings we reported in FY 2009. We have closed approximately 30 percent of our prior year IT findings. In FY 2010 we identified approximately 161 findings, of which approximately 65 percent are repeated from last year. Nearly one-third of our repeat findings were for IT deficiencies that management represented were corrected during FY 2010. Disagreements with management’s self assessment occurred almost entirely at the Federal Emergency Management Agency (FEMA).

The most significant weaknesses from a financial statement audit perspective include: 1) excessive unauthorized access to key DHS financial applications; 2) configuration management controls that are not fully defined, followed, or effective; 3) security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures , 4) contingency planning that lacked current, tested, contingency plans developed to protect DHS resources and financial applications, and 5) lack of proper segregation of duties for roles and responsibilities within financial systems.

Collectively, the IT control deficiencies limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’ financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants (AICPA) and GAO. The IT findings were combined into one material weakness regarding IT Controls and Financial Systems Functionality for the FY 2010 audit of the DHS consolidated financial statements. As reported last year, both FEMA and Immigration and Customs Enforcement’s (ICE) control deficiencies were found to have a more significant impact on the Department. FEMA continues to have a high number of significant IT general controls findings that repeat each fiscal year. These weaknesses affect our ability to fully audit its financial application controls. In addition, ICE has significant weaknesses in its key financial system which has resulted in duplicate payments, and poor configuration and patch management.



September 30, 2010

IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS Conditions: In FY 2010, a number of IT and financial system functionality deficiencies were identified at DHS. Approximately 162 findings were identified of which approximately 65 percent are repeated from last year. The findings identified below are a cross-representation of the nature of IT general control deficiencies identified throughout the department’s components which contribute to a material weakness for financial system security as part of the FY 2010 DHS financial statement audit.

Related to IT controls:

1. Access Controls - At the following DHS components: United States Coast Guard (USCG), Customs and Border Protection (CBP), Federal Law Enforcement Training Center (FLETC), FEMA, ICE, DHS Headquarters, Transportation Security Administration (TSA), and United States Citizenship and Immigration Services (USCIS) we noted:

� Deficiencies in management of application and/or database accounts, network, and remote user accounts:

- System administrator root access to financial applications was not properly restricted, logged, and monitored;

- Strong password requirements were not enforced;

- User account lists were not periodically reviewed for appropriateness, inappropriate authorizations and excessive user access privileges were allowed at some DHS components, and users were not disabled or removed promptly upon personnel termination;

- Emergency and temporary access was not properly authorized, and contractor development personnel were granted conflicting access to implement database changes;

- Initial and modified access granted to application and/or database, network, and remote users was not properly documented and authorized; and

- The process for authorizing and managing remote virtual private network (VPN) access to external state emergency management agencies, and component contractors, did not comply with DHS and component requirements.

� Ineffective safeguards over logical and physical access to sensitive facilities and resources:

- While performing after-hours physical access testing, we identified the following unsecured items: Government credit cards; financial system user IDs and passwords; computer laptops; and server names and IP addresses; and

- While performing social engineering testing, we identified instances where DHS employees provided their system user names and passwords to an auditor posing as a help desk employee.

� Ineffective or insufficient use of available audit logs:

- Logs of auditable events are not being reviewed to identify potential incidents, or were reviewed by those with conflicting roles;



September 30, 2010

- Logging of application and/or database events required to be recorded was not enabled;

- Documented procedures for audit log follow-up do not meet DHS requirements; and

- Evidence of audit log reviews was not retained.

2. Configuration Management: At the following DHS components: USCG, CBP, FLETC, FEMA, ICE, USCIS, and TSA we noted:

�

�

�

Lack of documented policies and procedures:

- To prevent users from having concurrent access to the development, test, and production environments of the system at four DHS components; and

- Configuration, vulnerability, and patch management plans have not been established and implemented, or did not comply with DHS policy;

Vulnerabilities were identified during periodic internal scans and related corrective actions were not reported and tracked in accordance with DHS policy; and

Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems.

3. Security Management - At the following DHS components: USCG, CBP, DHS Headquarters, TSA, FLETC, FEMA, USCIS, and ICE we noted:

�

�

�

Systems certification and accreditation:

- Several component financial and associated feeder systems as well as general support systems, were not properly certified and accredited, in compliance with DHS policy;

- Compliance with the Federal Desktop Core Configuration (FDCC) security configurations is in progress, but has not been completed; and

- An instance where Interconnection Security agreements were not documented.

Roles and responsibilities have not been clearly defined:

- Instances of security roles and responsibilities are not adequately defined for financial applications and general support systems; and

- System boundaries have not been adequately and completely defined within the System Security Plan.

Lack of policies and procedures:

- One instance of incomplete or inadequate policies and procedures associated with computer incident response capabilities;

- Procedures for exit processing of transferred/terminated personnel, including contractors, had not been established; and

- Lack of component policies and procedures for IT-based specialized security training.

� Lack of compliance with existing policies:



September 30, 2010

- Several instances where background investigations of federal employees and contractors employed to operate, manage and provide security over IT systems were not being properly conducted;

- Lack of compliance with DHS computer security awareness training requirements;

- Non-disclosure agreements were not completed at one DHS component; and

- A complete and accurate listing of workstations could not be provided at one DHS component and as a result anti-virus protection is not installed on all workstations.

4. Contingency Planning - At the following DHS components: CBP and FEMA, we noted:

� Instances where incomplete or outdated business continuity plans and systems with incomplete or outdated disaster recovery plans. Some plans did not contain current system information, emergency processing priorities, procedures for backup and storage, or other critical information;

� Service continuity plans were not consistently and/or adequately tested, and individuals did not receive training on how to respond to emergency situations;

� An alternate processing site has not been established for high risk systems; and

� Appropriate authorization to access backup media was not made available.

5. Segregation of Duties: At the following DHS components: USCG, CBP, FEMA, ICE, and USCIS we noted:

� Financial system users had conflicting access rights as the Originator, Funds Certification Official, and the Approving Official;

� Lack of evidence to show that least privilege and segregation of duties controls exist; and

� Policy and procedures to define and implement segregation of duties were not properly developed and/or implemented.

These control findings, including other significant deficiencies are described in greater detail in a separate Limited Official Use component-specific Information Technology Management letter provided to DHS component management.

FINANCIAL SYSTEM FUNCTIONALITY

We noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting. Financial system functionality limitations also contributes to other control deficiencies reported in our report dated November 12, 2010, and can make compliance with the Federal Financial Management Improvement Act (FFMIA) and the Office of Management and Budget (OMB) Circular A-127 more difficult. At the following DHS components: USCG, CBP, FLETC, ICE, USCIS, and TSA we noted financial system functionality conditions to include:

� Inability to modify IT system core software, and install controls to prevent duplicate payments. One component identified two instances where duplicate payments were made in FY 2009 and FY 2010, and the funds needed to be recovered;

� System limitations lead to extensive manual and redundant procedures to process transactions, to verify the accuracy of data, and to prepare financial statements;



September 30, 2010

� The financial systems in one component cannot be configured to:

- Prevent, detect, and correct excessive refunds;

- Provide summary information of the total unpaid assessments for duties, taxes, and fees by individual importer; and

- Report information on outstanding receivables, the age of receivables, or other data necessary for management to fully monitor collection actions; and

� Two inventory tracking systems are not fully integrated with the financial system of record; and

� Several financial systems do not have the necessary functionality to enforce DHS-required system security requirements. For example, one system does not have the functionality to enforce policy requirements related to password complexity, account lockout, and profile changes. In addition, a system does not have the functionality to track new users or user profile changes.

Recommendations: We recommend that the DHS Office of Chief Information Officer (OCIO), in coordination with the Office of Chief Financial Officer (OCFO), the DHS component OCIOs, OCFOs, and other appropriate component management review each individual IT NFR appropriately to ensure that the DHS components enter the recommendations as Plan of Action and Milestones in Trusted Agent FISMA, and work with the respective components to develop corrective action plans to address the root cause and condition of each NFR.

Financial System Functionality Recommendation: We recommend that the DHS OCIO, in coordination with the OCFO, the DHS component OCIOs, OCFOs, and other appropriate component management address the IT system aspects associated with the financial system functionality issues listed above, or develop compensating/mitigating controls in order to eliminate or reduce the associated risk.

MANAGEMENT COMMENTS AND OIG RESPONSE The OIG obtained written comments on a draft of this report from the DHS CIO, DHS Acting CFO, and DHS CISO. Generally, DHS management agreed with all of our findings and recommendations. DHS management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D.

OIG Response We agree with the steps that DHS management is taking to satisfy these recommendations.


Appendix A Department of Homeland Security

Information Technology Management Letter September 30, 2010

Appendix A

Description of Key DHS Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial

Statement Audit



September 30, 2010

Below is a description of significant financial management systems and supporting IT infrastructure included in the scope of the engagement to perform the financial statement audit.

United States Coast Guard (USCG)

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at the Coast Guard’s Finance Center (FINCEN), in Chesapeake, Virginia (VA). The FINCEN is the Coast Guard’s primary data center. CAS interfaces with two other systems located at the FINCEN, the Workflow Imaging Network System (WINS) and the Financial and Procurement Desktop (FPD).

� CAS Version 4.1 � CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor; cgofprod.world � CAS Operating System – HP Unix 11.11; ARGUS Server

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA.

� FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750mhz RISC Processor; LUFS.world � FPD Operating System – HP UNIX 11.11; Dart Server

Workflow Imaging Network System (WINS)

WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents and to view the images of scanned documents and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA.

� WINS Oracle 10.2.0.3 Database - 48 GB 12x750mhz RISC Processor; PROD1.world � WINS Operating System – HP Unix 11.11; Vigilant Server

Joint Uniform Military Pay System (JUMPS)

JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the Pay and Personnel Center (PPC) in Topeka, Kansas.

� IBM Mainframe - z890 � JUMPS Operating System z/OS 1.8 Base

Direct Access

Direct Access is the system of record and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center in Sterling, VA.

Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 8


September 30, 2010

� Hardware - 1 Sunfire 4800, 2 Sunfire 880, 1 Sunfire 4500, 1 Sunfire v240, 2 Sunfire V440, 2 F5Big-IP, 1IBM 3650

� Software – PeopleTools v8.4, PeopleSoft HCM v8.0, WebLogic v8, Tuxedo v8, MicroFocus Cobol v4, Oracle DB v9, ImageNow v5.4.1, WebNow v3.4.1

Global Pay (Direct Access II)

Global Pay provides retiree and annuitant support services. Global Pay is maintained by IBM AOD in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center in Sterling, VA.

� Hardware – 2 Database Servers IBM P550, 1 Web/App Server IBM P520, 1 Web/App Server IBM P550, 1 W2K Server IBM x Series 336, 2 F5 BIGIP Load Balancer, 1 Database/App Server IBM P550, 2 Web Server IBM P520, 1 App Server IBM P550, 1 Proxy Server SunFire v240

� Software – 2 PeopleSoft HRMS v 9.0, 2 PeopleTools v 8.46.05, PeopleSoft Enterprise Portal v 8.0, 2 WebLogic v 8.1 sp3, 2 Tuxedo v 8.1 r3, 2 Oracle RDMS v 10.x, 1McAfee Entercept v 5.1 – IDS, 1 Checkpoint NG with Application Intelligence (R55) 105 – Firewall, 1 Legato v 7.x

Shore Asset Management (SAM)

SAM is hosted at the Coast Guard’s Operation System Center (OSC), in Martinsburg, WV. SAM provides core information about the USCG shore facility assets and facility engineering. The application tracks activities and assist in the management of the Civil Engineering (CE) Program and the Facility Engineering (FE) Program. SAM data contributes to the shore facility assets full life cycle Program management, facility engineering full life cycle Program management and rationale to adjust the USCG mission needs through planning, budgeting, and project funding. SAM also provides real property inventory and management of all shore facilities, in addition to the ability to manage and track the facilities engineering equipment and maintenance of that equipment.

� Hardware platform:-Intel MP BladeServer SBXD132, 2x Xeon Dual Core 2.66Ghz, EMT64, 4GB Ram (8GB DB Servers), Mirrored 72GB SAS, 2x 1GB Network Interface

� Operating - Software: Windows 2003 Server Standard 5.2.3790 Service Pack 2 build 3790 � Security Software - McAfee Virus Scan Enterprise 8.0.0 � Database - Oracle 9i, 32 bit

Naval and Electronics Supply Support System (NESSS)

NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial ledger.

� Hardware platform:-1 HP A7137A, 1 Dell PowerEdge 6450, 2 Dell Power Edge 6650, 2 HP A3639A

� Software - Software: Oracle Application Server Forms and Report Services 10.1.2.02, Xventory Baseline, File Replication Pro, Windows 2003 Server Enterprise Edition, PDF Pagemaster

Aviation Logistics Management Information System (ALMIS)



September 30, 2010

ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application. The Aircraft Repair & Supply Center (ARSC) Information Systems Division (ISD) in Elizabeth City, North Carolina hosts the ALMIS application.

� Linux AS 4.0 (OS for Oracle Databases) � HPUX 11i (OS for Ingres Databases) � Oracle 10g (Database Services) � Ingress 2.6 (Database Services) � Windows 2000 Advanced Server (Web Server)

CG Treasury Information Executive Repository (CG Tier)

CG TIER is a financial data warehouse containing summarized and consolidated financial data relating USCG operations. It is one of several supporting applications within CAS Suite designed to support the core financial services provided by FINCEN. CG TIER provides monthly submissions to DHS Consolidated TIER.

� Database- Oracle v 8.1.7.4 (Tiers) � Operating System- HP-UNIX; v 11.11

Customs and Border Protection (CBP)

SAP Enterprise Central Component (SAP ECC 6.0)

SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC 6.0 financial management system is included in full scope in the FY 2010 financial statement audit. The SAP ECC 6.0 system is located in Newington, VA.

Automated Commercial System (ACS)

ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system is included in full scope in the FY 2010 financial statement audit. The ACS system is located in Newington, VA.

Automated Commercial Environment (ACE)

ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that the ACE replaced ACS when ACE is fully



September 30, 2010

implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to federal agencies. ACE is being deployed in phases, with no set final full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2010 financial statement audit. The ACE system is located in Newington, VA.

Federal Law Enforcement and Training Center (FLETC)

Financial Accounting and Budgeting System (FABS)

Processing Location: FLETC Headquarters in Glynco, GA

The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. The FABS environment primarily consists of the latest version of the Momentum version 6.1 COTS software, an Oracle 10g database and its companion Oracle 10.2 Database Management System (DBMS). An application called “Tuxedo,” also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC LAN in a Hybrid physical network topology and are accessible from four sites: Glynco, GA, Washington D.C., Artesia, New Mexico, and Cheltenham, MD.

� Hardware: Hewlett Packard ProLiant BL465c Blade Servers (web and application) and Hewlett Packard ProLiant BL685c Blade Servers (database)

� Operating System: Microsoft Windows 2003 Server running on virtual machines on top of VMware Infrastructure 3.5 Enterprise hypervisor on the web and application servers

� Database: Red Hat Enterprise Linux � Security Software: FABS system does not currently have a firewall scheme and resides on

FLETC LAN that has a firewall in place

Interfaces:

� National Finance Center (NFC) Payroll System � Student Information System (SIS) � TIER � US Coast Guard Interface � Kansas City Financial Center (KFC)

Glynco Administrative Network Processing Location: FLETC Headquarters in Glynco, GA

The purpose of the Glynco Administrative Network (GLYADLAN) is to provide access to IT network applications and services to include voice to authorized FLETC personnel, contractors and partner organizations located at the Glynco, Georgia facility. It provides authorized users access to email, internet services, required applications such as Financial Management Systems (FMS), Procurement systems, Property management systems, Video conference, and other network services and shared resources.



September 30, 2010

� Hardware: Cisco ACS TACAS Server, Avaya 8700 Media Servers, Dell Poweredge servers 1750, 1850, 1950, 2650, 2850, 2950, and 6650.

� Operating System: Windows XP SP2 (Desktop) � Database: Redhat Linux 4 Enterprise edition � Security Software: ASA 5500 series firewall and static IP addresses

Interfaces:

� FMS � DHS HQ

Federal Emergency Management Agency (FEMA)

Core Integrated Financial Management Information System (IFMIS) (Operational through February 22, 2010

Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA

Core IFMIS was the key financial reporting system, and had several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting). The application was a Commercial Off-The Shelf (COTS) software package developed and maintained by Digital Systems Group (DSG) Incorporated.

� Hardware: Two (2) HP 9000 servers (operational and standby) � Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition

� Security Software: Servers are protected by a CISCO PIX Firewall Interfaces:

� NEMIS � Credit Card Transaction Management System (CCTMS) � Fire Grants � Mitigation Grants � eGrants � ProTrac � Payroll � Department of Treasury � Smartlink � TIER

Grants and Training (G&T) IFMIS (Operational through February 22, 2010)


In April 2007, the Office of Grants and Training (G&T) that was previously under the Department of Justice was transferred over to FEMA. Due to the short amount of time given to FEMA to take over the financial management role for G&T in FY 2007, a separate instance of IFMIS was inherited from the Department of Justice, resulting in two separate IFMIS instances at FEMA. G&T IFMIS, held all former G&T financial information. The application is a COTS software package developed and maintained by DSG Incorporated.

� Hardware: HP 9000 server



September 30, 2010

� Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall

Interfaces:

� PARS

IFMIS-Merger (Operational as of February 23, 2010)


IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a COTS software package developed and maintained by DSG Incorporated.

� Hardware: Two (2) HP 9000 servers � Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall

Interfaces:

� Payment and Reporting System (PARS) � ProTrac � Smartlink (Department of Health and Human Services) � TIER (Department of Treasury) � Secure Payment System (SPS) (Department of Treasury) � Grants Management System (Department of Justice) � National Emergency Management Information System (NEMIS) � US Coast Guard Credit Card System � CCTMS � Fire Grants � eGrants � Enterprise Data Warehouse (EDW) � Payroll (National Finance Center)

Payment and Reporting System (PARS)


PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX server. Prior to the merger of Core IFMIS and G&T IFMIS, PARS resided on the core IFMIS server. Through its web interface, PARS collects Standard Form 269 information from grantees and stores the information in its Oracle 9i database. Automated chron jobs are run daily to update and interface grant and obligation information between PARS and IFMIS-Merger. All payments to grantees are made through IFMIS-Merger. Prior to the IFMIS-Merger instance in February 2010, the PARS application interfaced with G&T IFMIS.

� Hardware: HP 9000 server � Operating System: HP-UX (Unix) version 11.11



September 30, 2010

� Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall

Interfaces:

� G&T IFMIS (prior to February 23, 2010) � IFMIS-Merger (as of February 23, 2010)

National Emergency Management Information System (NEMIS)


NEMIS is a FEMA-wide system of hardware, software, telecommunications, services, and applications. NEMIS consists of many integrated subsystems distributed over hundreds of separate servers accessed by thousands of client workstations. NEMIS is an integrated system to provide FEMA, the states, and other federal agencies with automation to perform disaster related operations. NEMIS supports all phases of emergency management and provides financial related data to IFMIS via an automated interface.

� Hardware: Numerous HP ProLiant DL series servers � Operating System: Linux, Microsoft NT and Microsoft 2000 � Database: Replicated Oracle 10g, 9i, and 8i databases � Security Software: Servers are protected by a PIX Firewall Symantec Anti-Virus corporate

edition version 10.1.4.4000

Interfaces:

� IFMIS � US Coast Guard Credit Card System � Small Business Administration

Traverse Processing Location: Lanham, MD (until July 31, 2010), Landover, MD (after August 1, 2010).

Traverse is the general ledger application currently used by the Nation Flood Insurance Program (NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP Local Area Network (LAN) Windows server environment in Landover, MD. The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members.

� Hardware: Hewlett Packard ML530, Dual Xeon 2.8 Processors, 2 GB RAM, Redundant Array of Independent Disks (RAID) Storage

� Operating System: Microsoft Windows Server 2003 � Database: Microsoft Structured Query Language (SQL) � Security Software: CheckPoint firewall

Interfaces:

No known system interfaces

Transaction Recording and Reporting Processing (TRRP)

Processing Location: Norwich, CT



September 30, 2010

The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Norwich, CT.

� Hardware: IBM 2086-220 Mainframe with two central processing units � Operating System: IBM z/OS 1.9 � Database: WebFocus

Interfaces:

No known system interfaces

Immigration and Customs Enforcement (ICE)

Federal Financial Management System (FFMS)

The FFMS is a CFO designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system and is built on Oracle 9i Relational Database Management System running off an IBM 9672 Mainframe with ZOS 1.4 platform. The FFMS operating system operates off an IBM ZOS, Version 1.4 Mainframe Server and Microsoft Windows 2000 report servers protected by firewalls. It includes the core system used by accountants, FFMS Desktop that is used by average users, and an NFC payroll interface. As of July 2010, the FFMS mainframe component and two network servers are hosted at the DHS DC2 facility located in Clarksville, Virginia. Prior to July, the system was housed at the Department of Commerce in Springfield, VA. FFMS currently interfaces with the following systems:

� Direct Connect for transmission of DHS payments to Treasury � Fed Travel � The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data

Inquiry (CADI), for the purpose of processing NFC user account and payroll information. � The Debt Collection System (DCOS) � Bond Management Information System (BMIS) Web

ICE Network

The ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a major application for ICE and other DHS components, such as the USCIS. The ADEX servers and infrastructure for the headquarters and National Capital Area are located on the third floor of the Potomac Center North Tower in Washington, DC. The ICE Network utilizes a hybrid mesh/hub and mesh network design to maximize redundancy throughout the network. ICE operates off of Dell PowerEdge 2950, HP ProLiant DL 385 Server, HP ProLiant BL45p Server Blade, HP BL 25P Blade Server, and EMC Symmetrix DM. ADEX has implemented Microsoft Windows 2003 Enterprise Server operating system to provide directory, domain control, and network services to clients. For security purposes, ADEX has implemented firewalls and a logical Layer-3 encrypted overlay network through the use of Generic Routing Encapsulation (GRE) and IPSec tunneling. ADEX currently interfaces with the following systems:



September 30, 2010

� Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure

Office of Financial Management (OFM)/Consolidated Component

DHS Treasury Information Executive Repository (DHSTIER)

DHSTIER is the system of record for the DHS consolidated financial statements and is used to track, process, and perform validation and edit checks against monthly financial data uploaded from each of the DHS bureaus’ core financial management systems. DHSTIER is administered jointly by the OCFO Resource Management Transformation Office (RMTO) and the OCFO Office of Financial Management (OFM) and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.

� Database: Oracle DB 10g v10.3 � Operating System: Microsoft Windows 2003 � Hardware: HP ProLiant BL460c G1 server

Chief Financial Office VISION (CFO Vision)

CFO Vision is a subsystem of DHSTIER used for the consolidation of the financial data and the preparation of the DHS financial statements. CFO Vision is also administered by RMTO and OFM and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.

� COTS Software - SAS Financial Management Solutions version 4.3 (FM 4.3) with its own internal SAS database

� Operating System: Microsoft Windows 2003 Hardware: HP ProLiant BL460c G1 server

Transportation Security Administration (TSA)

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in Chesapeake, VA and is managed by the United States Coast Guard. The FINCEN is the Coast Guard’s primary financial system data center. CAS interfaces with other systems located at the FINCEN, including FPD.

� CAS Version 4.1 � CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor; cgofprod.world � CAS Operating System – HP Unix 11.11; ARGUS Server

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is hosted at the FINCEN in Chesapeake, VA and is and managed by the United States Coast Guard.

� FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750mhz RISC Processor; LUFS.world � FPD Operating System – HP UNIX 11.11; Dart Server

Sunflower



September 30, 2010

Sunflower is a customized third party COTS product used for TSA and Federal Air Marshals (FAMS) property management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS. Additionally, Sunflower is interconnected to the FPD system and is hosted at the FINCEN in Chesapeake, VA and is managed by the United States Coast Guard.

� Sunflower Oracle Database – 10.2.0.3 - 2 x 3.06 GB Xeon Processor – 72 GB � Sunflower Operating System – Red Hat Linux 4.0AS � Sunflower Third Party Software – IBMJava 2.-131RC2

MarkView

MarkView is an imaging and workflow software used to manage invoices in CAS. Each invoice is stored electronically and associated to a business transaction so that users are able to see the image of the invoice. MarkView is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA and is managed by the United States Coast Guard.

� CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor

� CAS Operating System – HP Unix 11.11; ARGUS Server

United States Citizenship and Immigration Services (USCIS)

CLAIMS 3 LAN

CLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed LAN based mission support case management system, with participation in the centralized CLAIMS 3 Mainframe data repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the following service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District Office, and Administrative Appeals Office. CLAIMS 3 executes on Dell 220 S (EMC), RAID Controller, Disk Storage servers protected by firewalls, and Windows 2003, MS Sp2 as the operating system and Pervasive database software and is used to enter and track immigration applications. CLAIMS 3 LAN interfaces with the following systems:

� Citizenship and Immigration Services Centralized Oracle Repository (CISCOR) � CLAIMS 3 Mainframe � Integrated Card Production System (ICPS) � CLAIMS 4 � E-filing � Benefits Biometric Support System (BBSS) � Refugee, Asylum, and Parole System (RAPS) � National File Tracking System (NFTS) � Integrated Card Production System (ICPS) � Customer Relationship Interface System (CRIS) � USCIS Enterprise Service Bus (ESB)

CLAIMS 4

The purpose of CLAIMS 4 is to track and manage naturalization applications. Claims 4 is a client/server application. CLAIMS 4 runs off of Sunfire 890, 490, Solaris 9, and Oracle 9iR2 servers with Oracle 9i, Windows NT, and Windows 2000 Server operating systems and are



September 30, 2010

protected by firewalls. The central Oracle Database that runs off Oracle Enterprise 9i is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices. CLAIMS 4 interfaces with the following systems:

� Central Index System (CIS) � Reengineered Naturalization Automated Casework System (RNACS) � CLAIMS 3 LAN and Mainframe � Refugee, Asylum, and Parole System (RAPS) � Enterprise Performance Analysis System (ePAS) � National File Tracking System (NFTS) � Asylum Pre-Screening System (APSS) � USCIS Enterprise Service Bus (ESB) � Biometrics Benefits Support System (BBSS) � Enterprise Citizenship and Immigration Service Centralized Operational Repository (eCISOR) � Customer Relationship Interface System (CRIS) � FD 258 Enterprise Editions and Mainframe � Site Profile System (SPS)


Appendix B


September 30, 2010

Appendix B FY 2010 Notices of IT Findings and Recommendations at DHS


Appendix B Department of Homeland Security


Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors Report.

1 – Not substantial

2 – Less significant

3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These rating are provided only to assist the DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.


Appendix B


September 30, 2010

Department of Homeland Security FY 2010 Information Technology - Notice of Findings and

Recommendations – Detail

� United States Coast Guard


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Coa

st G

uard

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-0

1 In

FY

200

9, w

e de

term

ined

tha

t C

oast

Gua

rd w

as

final

izin

g th

e bu

sine

ss p

roce

ss th

at w

ould

be

used

to

rem

edia

te t

he p

rior

year

NFR

. O

nce

this

bus

ines

s pr

oces

s is

fin

aliz

ed, a

tech

nica

l im

plem

enta

tion

coul

d be

gin,

and

Coa

st G

uard

pla

nned

on

usin

g th

e D

irect

A

cces

s H

uman

R

esou

rces

(H

R)

syst

em

to

notif

y sy

stem

ow

ners

of H

R st

atus

cha

nges

for a

ll in

divi

dual

s w

ithin

the

Coa

st G

uard

.

Dur

ing

our

FY

2010

fo

llow

-up

test

w

ork,

w

e de

term

ined

tha

t th

is N

FR r

emed

iatio

n is

stil

l in

the

pl

anni

ng

stag

es.

Req

uire

men

ts

still

ne

ed

to

be

prio

ritiz

ed a

nd c

ost e

stim

ates

nee

d to

be

deve

lope

d in

or

der

to o

btai

n fu

ndin

g.

Coa

st G

uard

stil

l pl

ans

on

usin

g D

irect

Acc

ess

but w

ill o

nly

impl

emen

t thi

s ne

w

proc

ess

once

D

irect

A

cces

s ha

s be

en

upgr

aded

, ho

wev

er,

the

impl

emen

tatio

n da

te h

as n

ot y

et b

een

final

ized

.

We

reco

mm

end

that

Coa

st G

uard

Hea

dqua

rters

co

ntin

ue w

ith th

e fo

llow

ing

effo

rts:

�D

evel

op a

res

ourc

e pl

an (

RP)

with

ass

ocia

ted

supp

ortin

g bu

sine

ss c

ase(

s) to

add

ress

acc

ount

tra

ckin

g fo

r te

rmin

ated

, tra

nsfe

rred

, or

retir

ed

cont

ract

or,

mili

tary

, an

d ci

vilia

n pe

rson

nel;

and,

�

Con

tinue

ex

istin

g pl

anni

ng

effo

rts

and

deve

lop,

doc

umen

t, an

d im

plem

ent e

nter

pris

e-w

ide

proc

esse

s th

at w

ill n

otify

all

impa

cted

sy

stem

ow

ners

of

term

inat

ed,

trans

ferr

ed,

or

retir

ed

cont

ract

or,

mili

tary

, an

d ci

vilia

n pe

rson

nel.

X

2

CG

-IT-

10-0

2 In

FY

200

9, w

e de

term

ined

tha

t D

HS

no l

onge

r re

quire

s al

l con

tract

ed e

mpl

oyee

s to

hav

e a

Min

imum

B

ackg

roun

d In

vest

igat

ion

(MB

I)

if th

ey

have

an

ex

istin

g co

nfid

entia

l or

secr

et c

lear

ance

, and

the

new

m

inim

um s

tand

ard

is th

e N

atio

nal A

genc

y C

heck

and

In

quiri

es (N

AC

I).

In a

dditi

on,

Coa

st G

uard

Hea

dqua

rters

had

in

plac

e si

nce

2007

Com

man

dant

Ins

truct

ion

(CO

MD

TIN

ST)

M55

20.1

2C, w

hich

sta

ted

that

Pro

gram

Man

ager

s ar

e re

spon

sibl

e fo

r det

erm

inin

g th

e ris

k le

vel a

nd p

ositi

on

sens

itivi

ty d

esig

natio

n as

soci

ated

with

eac

h C

ontra

ct

We

reco

mm

end

that

Coa

st G

uard

Hea

dqua

rters

co

ntin

ue w

ith th

e fo

llow

ing

effo

rts:

�C

ontin

ue

to

upda

te

exis

ting

cont

ract

s to

in

clud

e th

e ne

w c

ontra

ctor

bac

kgro

und

chec

k re

quire

men

ts,

and

perf

orm

as

soci

ated

co

ntra

ctor

bac

kgro

und

chec

ks.

�C

ontin

ue

to

incl

ude

new

co

ntra

ctor

ba

ckgr

ound

ch

eck

requ

irem

ents

in

ne

w

cont

ract

s, an

d pe

rfor

m a

ssoc

iate

d ba

ckgr

ound

ch

ecks

.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

Line

Ite

m N

umbe

r (C

LIN

) an

d/or

lab

or c

ateg

ory

for

proc

ured

con

tract

or s

uppo

rt.

Thes

e w

ill b

e pr

ovid

ed

to t

he C

ontra

ctin

g O

ffic

er w

ho i

s re

spon

sibl

e fo

r in

clud

ing

as s

olic

itatio

n an

d co

ntra

ct r

equi

rem

ents

. U

nfor

tuna

tely

, thi

s in

stru

ctio

n di

d no

t inc

lude

spe

cific

gu

idan

ce fo

r the

Pro

gram

Man

ager

s on

how

to s

et th

e co

rrec

t an

d co

nsis

tent

ris

k le

vels

an

d po

sitio

n se

nsiti

vity

des

igna

tions

.

In

FY

2010

, w

e de

term

ined

th

at

Coa

st

Gua

rd

Hea

dqua

rters

inco

rpor

ated

Pro

gram

Man

ager

gui

danc

e to

the

Com

man

dant

Inst

ruct

ion,

as E

nclo

sure

3, s

o th

at

the

Prog

ram

Man

ager

s co

uld

dete

rmin

e th

e co

rrec

t ris

k le

vel a

nd p

ositi

on s

ensi

tivity

des

igna

tion.

An

All

Coa

st G

uard

(A

LCO

AST

) m

essa

ge w

as a

lso

rele

ased

in

Ju

ne

that

st

ated

al

l co

ntra

ctor

s m

ust

have

a

favo

rabl

e fin

gerp

rint c

heck

and

initi

ated

or c

ompl

eted

m

inim

um i

nves

tigat

ion

(NA

CI)

in

orde

r to

obt

ain

a C

omm

on

Acc

ess

Car

d (C

AC

) ca

rd,

effe

ctiv

e im

med

iate

ly.

This

has

res

ulte

d in

tw

o ac

tiviti

es:

1)

new

con

tract

s w

ill in

corp

orat

e th

ese

new

requ

irem

ents

im

med

iate

ly, a

nd 2

) exi

stin

g co

ntra

cts

will

inco

rpor

ate

thes

e ne

w r

equi

rem

ents

whe

n ne

w t

ask

orde

rs a

re

issu

ed,

optio

ns a

re e

xerc

ised

, co

ntra

ct m

odifi

catio

ns

are

mad

e,

etc.

Th

eref

ore,

ba

sed

upon

th

e re

new

al/o

ptio

n da

te o

f a

cont

ract

in p

lace

prio

r to

the

ALC

OA

ST, i

t cou

ld ta

ke u

p to

two

year

s be

fore

all

of

the

cont

ract

ors

thro

ugho

ut C

oast

Gua

rd w

ill m

eet

thes

e ne

w re

quire

men

ts.

Furth

erm

ore,

as

part

of o

ur a

naly

sis,

we

wer

e un

able

to

de

term

ine

if U

SCG

ha

d th

e ca

pabi

lity

to

�D

evel

op

a R

P w

ith

asso

ciat

ed

supp

ortin

g bu

sine

ss c

ase(

s) t

o ad

dres

s th

e ne

ed f

or a

re

porti

ng m

echa

nism

for

con

tract

or r

isk

leve

l, po

sitio

n se

nsiti

vity

des

igna

tion,

and

ass

ocia

ted

back

grou

nd c

heck

.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

cons

iste

ntly

pro

duce

a c

urre

nt a

nd c

ompr

ehen

sive

list

of

al

l C

oast

G

uard

co

ntra

ctor

s to

in

clud

e va

lid

back

grou

nd

inve

stig

atio

n in

form

atio

n tie

d to

th

e co

rrec

t ris

k le

vel a

nd p

ositi

on se

nsiti

vity

des

igna

tion.

Alth

ough

Coa

st G

uard

has

take

n co

rrec

tive

actio

ns to

re

med

iate

th

e pr

ior

year

N

FR

CG

-IT-

09-1

0 by

up

datin

g th

e C

omm

anda

nt I

nstru

ctio

n an

d be

gun

the

proc

ess

of

incl

udin

g th

e ne

w

requ

irem

ents

in

co

ntra

cts,

we

belie

ve t

hat

not

havi

ng t

he a

bilit

y to

id

entif

y an

d pr

ovid

e a

full

popu

latio

n of

con

tract

ors

wor

king

for

Coa

st G

uard

doe

s no

t ful

ly r

emed

iate

all

of

the

findi

ngs

and

cond

ition

s fr

om

FY

2009

. Th

eref

ore,

this

prio

r ye

ar N

FR w

ill b

e re

issu

ed in

FY

20

10.

CG

-IT-

10-0

3 In

FY

20

09,

we

dete

rmin

ed

that

C

oast

G

uard

H

eadq

uarte

rs a

ctiv

ely

mon

itors

all

civi

lians

to

verif

y w

heth

er th

ey h

ave

a va

lid b

ackg

roun

d in

vesti

gatio

n on

re

cord

. C

oast

Gua

rd s

tate

d th

at i

t co

nsid

ers

Coa

st

Gua

rd

gove

rnm

ent

posi

tions

th

at

use,

de

velo

p,

oper

ate,

or m

aint

ain

IT s

yste

ms

to b

e at

leas

t low

risk

ba

sed

upon

OPM

gui

danc

e. T

here

fore

, C

oast

Gua

rd

cont

inue

d ve

tting

in

divi

dual

s ba

sed

on

the

OPM

re

quire

men

ts f

or l

ow r

isk

posi

tions

whi

ch r

equi

re a

N

AC

I inv

estig

atio

n. T

his p

ositi

on is

not

in c

ompl

ianc

e w

ith

the

DH

S st

anda

rd

that

st

ates

th

at

all

DH

S go

vern

men

t po

sitio

ns t

hat

use,

dev

elop

, op

erat

e, o

r m

aint

ain

IT s

yste

ms

are

cons

ider

ed a

t lea

st m

oder

ate

risk,

and

per

DH

S 43

00A

req

uire

men

ts,

a M

inim

um

Bac

kgro

und

Inve

stig

atio

n (M

BI)

is

th

e m

inim

um

stan

dard

of i

nves

tigat

ion.

We

reco

mm

end

that

Coa

st G

uard

Hea

dqua

rters

co

ntin

ue w

ith th

e fo

llow

ing

effo

rts:

�D

evel

op a

RP

with

as

soci

ated

sup

porti

ng

busi

ness

ca

se(s

) to

ad

dres

s fix

ing

the

orga

niza

tion-

wid

e ba

ckgr

ound

inv

estig

atio

ns

repo

rt.

�C

ontin

ue e

xist

ing

effo

rts to

upd

ate,

doc

umen

t, an

d im

plem

ent

the

over

all

Coa

st

Gua

rd

pers

onne

l se

curit

y pr

oces

s fo

r ci

vilia

n pe

rson

nel,

base

d up

on

the

JRT

repo

rt/gu

idan

ce.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

In

addi

tion,

C

oast

G

uard

H

eadq

uarte

rs

did

not

com

plet

e ba

ckgr

ound

rei

nves

tigat

ions

for

all

civi

lian

staf

f due

to th

e fa

ct th

at th

is is

not

a re

quire

men

t und

er

OPM

gui

danc

e fo

r lo

w r

isk

posi

tions

. Thi

s is

in n

on-

com

plia

nce

with

DH

S po

licy

(MD

110

50.2

) tha

t sta

tes

that

rein

vest

igat

ions

mus

t be

com

plet

ed e

very

10

year

s fo

r mod

erat

e ris

k po

sitio

ns.

Furth

er, a

Joi

nt R

efor

m T

eam

(JR

T) b

een

esta

blis

hed

by th

e O

ffic

e of

the

Dire

ctor

of

Nat

iona

l Int

ellig

ence

(O

DN

I) a

nd t

he O

ffic

e of

Man

agem

ent

and

Bud

get

(OM

B)

to r

efor

m t

he f

eder

al s

uita

bilit

y cl

eara

nce

proc

ess,

and

the

JRT

stan

dard

s w

ere

sche

dule

d fo

r im

plem

enta

tion

by t

he e

nd o

f C

alen

dar

Yea

r 20

10.

The

Coa

st

Gua

rd

was

w

aitin

g on

th

e JR

T re

port/

guid

ance

to b

e im

plem

ente

d pr

ior

to m

akin

g a

dete

rmin

atio

n on

if

they

w

ould

fo

llow

th

e D

HS

stan

dard

s in

re

gard

s to

ci

vilia

n ba

ckgr

ound

in

vest

igat

ions

and

rein

vest

igat

ions

.

Dur

ing

our F

Y 2

010

follo

w u

p, w

e de

term

ined

that

the

Coa

st G

uard

will

del

ay i

ssui

ng a

ny n

ew o

r up

date

d gu

idan

ce/in

stru

ctio

ns u

ntil

the

JRT

repo

rt/gu

idan

ce

has

been

issu

ed a

nd w

ill c

ontin

ue to

not

com

ply

with

th

e D

HS

stan

dard

s in

reg

ards

to

civi

lian

back

grou

nd

inve

stig

atio

n an

d re

inve

stig

atio

ns.

Coa

st G

uard

will

co

ntin

ue to

vet

civ

ilian

indi

vidu

als

base

d on

the

OPM

re

quire

men

ts

and

asso

ciat

ed

met

hodo

logy

bo

th

in

term

s of

ini

tial

back

grou

nd i

nves

tigat

ions

and

re-

inve

stig

atio

ns.

In a

dditi

on, C

oast

Gua

rd h

as c

reat

ed a

n or

gani

zatio

n-

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

wid

e au

tom

ated

rep

ort

that

sho

ws

the

back

grou

nd

inve

stig

atio

n st

atus

of

ea

ch

civi

lian

Coa

st

Gua

rd

empl

oyee

. H

owev

er, C

oast

Gua

rd is

cur

rent

ly u

nabl

e to

co

nsis

tent

ly

gene

rate

er

ror-

free

rep

orts

.

Coa

st

Gua

rd s

tate

d th

at th

e re

port

coul

d be

cor

rect

ed w

ithin

tw

o ye

ars i

f add

ition

al re

sour

ces a

re p

rovi

ded.

CG

-IT-

10-0

4 Fr

om t

he p

erio

d of

Oct

ober

1,

2009

thr

ough

the

N

ovem

ber

29,

2009

, th

ere

was

no

t ad

equa

te

guid

ance

in p

lace

for C

oast

Gua

rd to

pro

perly

ass

ess

the

finan

cial

sta

tem

ent

impa

ct o

f ch

ange

s to

the

pr

oduc

tion

envi

ronm

ent

of

the

CA

S,

FPD

an

d W

INS.

Dur

ing

this

tim

e pe

riod,

tw

o C

AS

chan

ges

wer

e im

plem

ente

d in

to

prod

uctio

n w

ithou

t a

prop

er

asse

ssm

ent o

f th

e fin

anci

al s

tate

men

t im

pact

of

the

prop

osed

cha

nges

.

Upo

n th

e ef

fect

ive

date

of

the

Fina

ncia

l Im

pact

D

eter

min

atio

n fo

r D

ata

Scri

pts

and

Syst

em C

hang

e Re

ques

ts M

emor

andu

m o

n N

ovem

ber

30,

2009

, C

oast

G

uard

be

gan

and

cont

inue

d to

fo

llow

ad

equa

te g

uida

nce

to p

rope

rly a

sses

s th

e fin

anci

al

stat

emen

t im

pact

of

chan

ges

to C

AS,

FPD

and

W

INS.

No

reco

mm

enda

tion

requ

ired.

C

oast

Gua

rd t

ook

appr

opria

te c

orre

ctiv

e ac

tion

durin

g th

e cu

rren

t fis

cal

year

to

rem

edia

te t

he e

xcep

tion

that

was

id

entif

ied

durin

g th

is fi

scal

yea

r.

X

1

CG

-IT-

10-0

5 W

e de

term

ined

th

at

som

e pr

evio

usly

no

ted

wea

knes

ses

wer

e re

med

iate

d (p

artic

ular

ly

in

the

seco

nd

half

of

FY

2010

), w

hile

ot

her

cont

rol

defic

ienc

ies

cont

inue

d to

exi

st.

The

rem

aini

ng c

ontro

l de

ficie

ncie

s th

at w

ere

pres

ent

thro

ugho

ut F

Y 2

010

We

reco

mm

end

that

Coa

st G

uard

: �

Upd

ate

the

scrip

ting

polic

ies

and

proc

edur

es

to i

nclu

de a

dditi

onal

and

mor

e de

taile

d te

st

docu

men

tatio

n;

�D

evel

op tr

aini

ng th

at a

ddre

sses

all

aspe

cts

of

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

vary

in

sign

ifica

nce,

how

ever

thr

ee k

ey a

reas

tha

t im

pact

the

Coa

st G

uard

Scr

ipt

cont

rol

envi

ronm

ent

are:

1) S

crip

t Tes

ting

Req

uire

men

ts; 2

) Scr

ipt T

estin

g En

viro

nmen

t; an

d 3)

Scr

ipt A

udit

Logg

ing

Proc

ess.

a.

Scrip

t Te

stin

g R

equi

rem

ents

: Li

mite

d te

stin

g re

quire

men

ts e

xist

to

guid

e FI

NC

EN s

taff

in

the

deve

lopm

ent

of t

est

plan

s an

d gu

idan

ce

over

th

e fu

nctio

nal

test

ing

that

sh

ould

be

pe

rfor

med

. A

dditi

onal

ly,

we

dete

rmin

ed t

hat

ther

e ar

e no

det

aile

d re

quire

men

ts o

ver

the

revi

ew a

nd te

stin

g of

func

tiona

l cha

nges

to th

e da

ta.

FIN

CEN

onl

y tra

cks

and

docu

men

ts th

e nu

mbe

r of

tran

sact

ions

upd

ated

on

scrip

ts th

at

have

a f

inan

cial

im

pact

and

not

the

det

aile

d do

llar

amou

nts

asso

ciat

ed w

ith t

he f

inan

cial

im

pact

tran

sact

ions

.

b.

Scrip

t Te

stin

g En

viro

nmen

t: N

ot a

ll sc

ript

chan

ges

wer

e te

sted

in

the

appr

opria

te C

AS

Suite

test

env

ironm

ents

, as r

equi

red.

FI

NC

EN

man

agem

ent

info

rmed

us

th

at

the

test

ing

envi

ronm

ents

, C

AS4

and

LU

FSFQ

T3,

wer

e of

fline

for t

hese

exc

eptio

ns d

ue to

a re

fres

h of

th

e da

taba

ses

and

that

tes

ters

use

d C

AS3

and

A

lpha

as

al

tern

ate

test

ing

envi

ronm

ents

in

stea

d.

How

ever

, FI

NC

EN

man

agem

ent

info

rmed

KPM

G t

hat

thes

e en

viro

nmen

ts a

re

refr

eshe

d on

an

as n

eede

d ba

sis

and

no fu

rther

in

form

atio

n co

uld

be

prov

ided

ov

er

how

fr

eque

ntly

the

CA

S3 a

nd A

lpha

dat

abas

es w

ere

refr

eshe

d to

ve

rify

that

th

e sc

ripts

w

ere

adeq

uate

ly

test

ed

in

the

appr

opria

te

scrip

t tes

ting

(incl

udin

g do

cum

enta

tion

of te

st

docu

men

ts)

and

prov

ide

train

ing

to

appr

opria

te C

M st

aff;

�D

evel

op

a re

sour

ce

plan

w

ith

asso

ciat

ed

supp

ortin

g bu

sine

ss

case

(s)

to

addr

ess

the

data

base

aud

it lo

ggin

g re

quire

men

ts;

�D

evel

op

proc

edur

es

and

perf

orm

re

gula

r ac

coun

t re

valid

atio

n fo

r Se

rena

to

en

sure

pr

ivile

ges r

emai

n ap

prop

riate

; and

�

Con

duct

an

as

sess

men

t ov

er

the

Inte

rnal

C

ontro

l O

ver

Fina

ncia

l R

epor

ting

(IC

OFR

) pr

oces

s re

late

d to

ide

ntify

ing

and

eval

uatin

g sc

ripts

that

hav

e a

finan

cial

stat

emen

t im

pact

.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

envi

ronm

ent.

Fur

ther

mor

e, w

e de

term

ined

that

gu

idan

ce

is

not

prov

ided

ov

er

the

use

of

alte

rnat

e te

stin

g en

viro

nmen

ts fo

r the

test

ing

of

scrip

ts to

ens

ure

they

are

ade

quat

ely

test

ed.

c. S

crip

t A

udit

Logg

ing

Proc

ess:

T

he C

AS,

FP

D,

and

Sunf

low

er d

atab

ases

are

log

ging

ch

ange

s to

tab

les

as w

ell

as s

ucce

ssfu

l an

d un

succ

essf

ul

logi

ns.

H

owev

er,

no

reco

ncili

atio

n be

twee

n th

e sc

ripts

run

and

the

ch

ange

s m

ade

to t

he d

atab

ase

tabl

es i

s be

ing

perf

orm

ed t

o m

onito

r th

e sc

ript

activ

ities

and

en

sure

that

all

scrip

ts r

un h

ave

been

app

rove

d th

roug

h C

hang

e m

anag

emen

t Scr

ipt S

yste

m o

r Se

rena

. I

n ad

ditio

n, w

e no

ted

that

FIN

CEN

ha

s not

est

ablis

hed

a fo

rmal

pro

cess

to m

onito

r an

d re

view

cha

nges

mad

e to

the

Sun

flow

er

data

base

inc

ludi

ng t

he t

able

s an

d ac

tiviti

es

mod

ified

by

the

data

base

adm

inis

trato

rs.

Dur

ing

our

test

wor

k, w

e no

ted

wea

knes

ses

in t

he

scrip

t cha

nge

man

agem

ent p

roce

ss a

s it

rela

tes

to th

e IC

OFR

pro

cess

(e.g

., th

e fin

anci

al s

tate

men

t im

pact

of

the

chan

ges

to t

he C

AS

Suite

thr

ough

the

scr

ipt

chan

ge m

anag

emen

t pro

cess

). W

hile

a p

roce

ss e

xist

s to

iden

tify,

and

rou

te a

scr

ipt w

ith p

oten

tial f

inan

cial

st

atem

ent

impa

ct t

hrou

gh a

n as

sess

men

t pr

oces

s, th

e re

view

and

det

erm

inat

ion

over

eac

h sc

ript i

s pr

imar

ily

perf

orm

ed w

ithou

t st

ruct

ured

/det

aile

d pr

oced

ures

in

plac

e.

Furth

erm

ore,

the

rat

iona

le d

ocum

entin

g th

e im

pact

of

th

e sc

ript,

whe

ther

de

emed

as

ha

ving

fin

anci

al

impa

ct

or

not,

is

not

docu

men

ted

and

reta

ined

. In

ad

ditio

n,

with

in

the

CA

S Su

ite

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

envi

ronm

ent,

ther

e ar

e ov

er 2

00 s

crip

ts r

un o

n a

wee

kly

basi

s an

d w

e no

ted

that

the

finan

cial

sta

tem

ent

impa

ct a

sses

smen

t is

esse

ntia

lly p

erfo

rmed

by

a si

ngle

br

anch

, w

hich

has

aut

horiz

ed o

nly

thre

e pe

ople

to

asse

ss th

e sc

ripts

.

CG

-IT-

10-0

6 To

com

plem

ent o

ur I

T au

dit t

estin

g ef

forts

as

part

of

the

FY 2

010

DH

S Fi

nanc

ial

Stat

emen

t A

udit

and

Aud

it of

Inte

rnal

Con

trol o

ver F

inan

cial

Rep

ortin

g, w

e al

so p

erfo

rmed

soci

al e

ngin

eerin

g te

stin

g. T

his t

estin

g w

as c

ondu

cted

at

key

Coa

st G

uard

loc

atio

ns t

hat

proc

ess,

supp

ort a

nd h

ouse

Coa

st G

uard

fina

ncia

l dat

a.

Soci

al e

ngin

eerin

g is

def

ined

as

the

act o

f at

tem

ptin

g to

man

ipul

ate

or d

ecei

ve in

divi

dual

s in

to ta

king

act

ion

that

is

in

cons

iste

nt

with

D

HS

polic

ies,

such

as

di

vulg

ing

sens

itive

info

rmat

ion

or a

llow

ing

/ ena

blin

g co

mpu

ter s

yste

m a

cces

s. T

he te

rm ty

pica

lly a

pplie

s to

tri

cker

y or

dec

eptio

n fo

r th

e pu

rpos

e of

inf

orm

atio

n ga

ther

ing,

or g

aini

ng c

ompu

ter s

yste

m a

cces

s.

Dur

ing

the

cour

se o

f our

soc

ial e

ngin

eerin

g te

st w

ork,

th

e ob

ject

ive

was

prim

arily

foc

used

on

atte

mpt

ing

to

obta

in u

ser

pass

wor

ds.

Pos

ing

as D

HS

tech

nica

l su

ppor

t em

ploy

ees,

atte

mpt

s w

ere

mad

e to

obt

ain

this

ty

pe o

f ac

coun

t in

form

atio

n by

con

tact

ing

rand

omly

se

lect

ed U

SCG

em

ploy

ees

by te

leph

one

at tw

o C

oast

G

uard

loc

atio

ns,

Hea

dqua

rters

(H

Q)

and

the

Coa

st

Gua

rd F

INC

EN.

A s

crip

t was

follo

wed

whi

ch h

ad u

s as

k fo

r as

sist

ance

fro

m t

he u

ser

in r

esol

ving

a C

oast

G

uard

net

wor

k is

sue.

A

s pr

esen

ted

in t

he f

ollo

win

g ta

ble,

for

eac

h pe

rson

we

atte

mpt

ed to

cal

l, w

e no

ted

whe

ther

the

indi

vidu

als

wer

e re

ache

d an

d w

heth

er w

e

We

reco

mm

end

that

Coa

st G

uard

Hea

dqua

rters

up

date

th

e an

nual

In

form

atio

n A

ssur

ance

(I

A)

train

ing

to i

nclu

de m

ore

robu

st “

phis

hing

” an

d “s

ocia

l eng

inee

ring”

gui

danc

e an

d in

stru

ctio

n an

d ex

plic

itly

test

ind

ivid

uals

dur

ing

the

train

ing

on

thes

e to

pic

area

s.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 2

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

obta

ined

any

inf

orm

atio

n fr

om t

hem

tha

t sh

ould

not

ha

ve b

een

shar

ed w

ith u

s ac

cord

ing

to D

HS

polic

y.

Our

se

lect

ion

of

indi

vidu

als

was

no

t st

atis

tical

ly

deriv

ed, a

nd, t

here

fore

, we

are

unab

le to

pro

ject

resu

lts

to th

e C

oast

Gua

rd o

r the

DH

S as

a w

hole

. C

G-I

T-10

-07

Dur

ing

the

FY 2

010

IT A

udit,

a s

elec

tion

of n

ewly

cr

eate

d us

ers

of th

e JU

MPS

app

licat

ion

was

mad

e to

in

spec

t w

heth

er

appl

icab

le

docu

men

tatio

n w

as

reco

rded

and

ret

aine

d to

ide

ntify

aut

horiz

ed u

sers

. W

e de

term

ined

tha

t do

cum

enta

tion

was

not

ret

aine

d fo

r on

e of

the

fiv

e us

ers

sele

cted

. W

e pe

rfor

med

in

quiry

pro

cedu

res w

ith m

anag

emen

t to

dete

rmin

e th

at

acce

ss

was

ap

prop

riate

ly

rest

ricte

d fo

r th

is

user

; ho

wev

er,

no

JUM

PS

Acc

ess

Aut

horiz

atio

n Fo

rm

coul

d be

loc

ated

. O

n Ju

ly 2

0, 2

010,

man

agem

ent

rem

edia

ted

the

exce

ptio

n by

com

plet

ing

a ne

w JU

MPS

A

cces

s A

utho

rizat

ion

Form

for

the

note

d us

er w

ith a

co

py o

f the

form

bei

ng e

nter

ed in

to th

e C

oast

Gua

rd’s

Im

ageN

ow im

agin

ing

repo

sito

ry.

As n

oted

in th

e co

nditi

on, m

anag

emen

t rem

edia

ted

the

exce

ptio

n up

on n

otifi

catio

n of

this

IT N

FR. N

o ad

ditio

nal

actio

ns a

re r

equi

red

and,

the

refo

re,

no

reco

mm

enda

tion

will

be

issu

ed.

X

1

CG

-IT-

10-0

8 D

urin

g ou

r FY

201

0 te

st w

ork,

we

dete

rmin

ed th

at th

e C

oast

G

uard

TI

ER

Syst

em

pass

wor

d se

tting

fo

r lo

ckou

t du

ratio

n (P

ASS

WO

RD

_LO

CK

_TIM

E)

is

only

con

figur

ed to

0.0

005

days

(les

s th

an o

ne m

inut

e).

This

set

ting

was

sub

sequ

ently

rem

edia

ted

on 7

/19/

201

to a

set

ting

of “

UN

LIM

ITED

” w

hich

req

uire

s an

ad

min

istra

tor t

o un

lock

the

acco

unt.

We

obse

rved

and

no

ted

that

this

rem

edia

tion

was

take

n by

Coa

st G

uard

.

No

reco

mm

enda

tion

requ

ired.

C

oast

Gua

rd t

ook

appr

opria

te c

orre

ctiv

e ac

tion

durin

g th

e cu

rren

t fis

cal

year

to

rem

edia

te t

he e

xcep

tion

that

was

id

entif

ied

durin

g th

is fi

scal

yea

r.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-0

9 To

com

plem

ent o

ur I

T au

dit t

estin

g ef

forts

as

part

of

the

FY 2

010

DH

S Fi

nanc

ial

Stat

emen

t A

udit

and

Aud

it of

Inte

rnal

Con

trol o

ver F

inan

cial

Rep

ortin

g, w

e al

so p

erfo

rmed

afte

r-ho

urs

phys

ical

sec

urity

tes

ting.

Th

is

test

ing

was

co

nduc

ted

at

key

Coa

st

Gua

rd

loca

tions

that

pro

cess

, sup

port

and

hous

e C

oast

Gua

rd

finan

cial

dat

a.

We

perf

orm

ed a

fter-

hour

s ph

ysic

al s

ecur

ity te

stin

g to

id

entif

y ris

ks r

elat

ed t

o no

n-te

chni

cal

aspe

cts

of I

T se

curit

y.

Thes

e no

n-te

chni

cal

IT s

ecur

ity a

spec

ts

incl

ude

phys

ical

acc

ess

to m

edia

and

equ

ipm

ent

that

ho

uses

fin

anci

al d

ata

and

info

rmat

ion

resi

ding

on

a U

SCG

em

ploy

ee’s

/ co

ntra

ctor

’s d

esk,

whi

ch c

ould

be

used

by

othe

rs to

gai

n un

auth

oriz

ed a

cces

s to

sys

tem

s ho

usin

g fin

anci

al

info

rmat

ion.

The

test

ing

was

pe

rfor

med

at v

ario

us U

SCG

loca

tions

that

pro

cess

and

/

or m

aint

ain

finan

cial

dat

a. A

fter

gain

ing

phys

ical

ac

cess

to

the

faci

litie

s w

ith a

USC

G e

mpl

oyee

who

w

as d

esig

nate

d to

ass

ist

with

and

mon

itor

our

test

w

ork,

we

insp

ecte

d a

sele

ctio

n of

45

desk

s, cu

bicl

es,

offic

es,

and

othe

r w

ork

area

s fo

r ea

ch

loca

tion.

D

urin

g th

e te

stin

g w

e w

ere

look

ing

for

item

s su

ch a

s im

prop

er p

rote

ctio

n of

use

r acc

ount

logi

n in

form

atio

n,

unse

cure

d

porta

ble

syst

em

hard

war

e,

incl

udin

g la

ptop

s an

d ex

tern

al h

ard

driv

es,

and

open

/ a

ctiv

e ap

plic

atio

n or

net

wor

k se

ssio

ns.

In

addi

tion,

we

insp

ecte

d w

ork

area

s fo

r do

cum

enta

tion

mar

ked

“For

O

ffic

ial

Use

Onl

y” (

FOU

O),

pers

onal

ly i

dent

ifiab

le

info

rmat

ion

(PII

), Fe

dera

l G

over

nmen

t cr

edits

car

ds,

and

agen

cy b

adge

s. T

his

list d

oes

not e

ncom

pass

the

tota

l ty

pe o

f ite

ms

we

wer

e se

arch

ing

for

durin

g ou

r

We

reco

mm

end

that

Coa

st G

uard

: �

Upd

ate

the

annu

al IA

trai

ning

to in

clud

e m

ore

robu

st o

ffic

e “p

hysi

cal

secu

rity”

and

“cl

ean

desk

” gu

idan

ce a

nd i

nstru

ctio

n an

d ex

plic

itly

test

ind

ivid

uals

dur

ing

the

train

ing

on t

hese

to

pic

area

s. �

Impl

emen

t en

terp

rise-

wid

e an

d si

te-s

peci

fic

proc

esse

s fo

r ve

rifyi

ng t

he e

ffec

tiven

ess

of

this

tra

inin

g vi

a m

echa

nism

s su

ch

as

sche

dule

d an

d ad

hoc

des

k ch

ecks

, tra

inin

g fo

llow

-ups

, and

oth

er m

anag

emen

t con

trols

.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

test

ing.

As

depi

cted

in

the

follo

win

g ta

ble,

for

eac

h lo

catio

n vi

site

d,

we

note

d th

e ty

pe

of

unse

cure

d in

form

atio

n or

pro

perty

we

iden

tifie

d an

d in

clud

ed th

e to

tal e

xcep

tions

not

ed b

y lo

catio

n, a

s w

ell a

s by

type

of

info

rmat

ion

or p

rope

rty id

entif

ied.

C

G-I

T-10

-10

In F

Y 2

009,

w

e de

term

ined

th

at

the

Rol

e-B

ased

Tr

aini

ng f

or U

SCG

IA

Pro

fess

iona

ls C

omm

anda

nt

Inst

ruct

ion

had

been

rena

med

the

Rol

e-B

ased

Indu

stry

St

anda

rds

for

USC

G I

A P

rofe

ssio

nals

Com

man

dant

In

stru

ctio

n.

H

owev

er,

the

rena

med

In

stru

ctio

n re

mai

ned

in d

raft

form

. I

n ad

ditio

n, w

e de

term

ined

th

at

once

th

e In

stru

ctio

n ha

d be

en

final

ized

, th

e cu

rric

ulum

had

bee

n ag

reed

upo

n an

d th

e tra

inin

g im

plem

ente

d,

Coa

st

Gua

rd

wou

ld

utili

ze

the

Prof

essi

onal

C

ertif

icat

ions

an

d Li

cens

es

mod

ule

with

in

the

Dire

ct

Acc

ess

syst

em

rath

er

than

th

e Tr

aini

ng M

anag

emen

t To

ol (

TMT)

to

mon

itor

and

verif

y tra

inin

g co

mpl

etio

n. T

his

was

not

the

cas

e as

D

irect

Acc

ess

was

not

con

figur

ed t

o tra

ck c

ontra

ctor

in

form

atio

n an

d, t

here

fore

will

not

inc

lude

tra

inin

g in

form

atio

n fo

r con

tract

ors.

The

Inst

ruct

ion

cont

inue

d to

ref

eren

ce t

he u

se o

f th

e TM

T an

d ha

d no

t be

en

upda

ted

to i

nclu

de p

roce

dure

s fo

r ut

ilizi

ng D

irect

A

cces

s.

Dur

ing

our

FY

2010

fo

llow

-up

test

w

ork,

w

e de

term

ined

that

the

Role

-Bas

ed In

dust

ry S

tand

ards

for

USC

G I

A Pr

ofes

sion

als

Com

man

dant

Ins

truct

ion

had

been

re

nam

ed

Info

rmat

ion

Assu

ranc

e Pr

ofes

sion

al

Cer

tific

atio

ns a

nd w

as f

orm

ally

iss

ued

on M

arch

23,

20

10.

The

Inst

ruct

ion

stat

ed

that

al

l m

ilita

ry

empl

oyee

s as

sign

ed t

o an

IA

rol

e m

ust

obta

in a

We

reco

mm

end

Coa

st G

uard

Hea

dqua

rters

: �

Con

tinue

to

im

plem

ent

Com

man

dant

In

stru

ctio

n In

form

atio

n As

sura

nce

Prof

essi

onal

Cer

tific

atio

ns.

�Im

prov

e an

d ut

ilize

its

m

anua

l tra

ckin

g pr

oces

s un

til s

uch

time

that

the

Dire

ct A

cces

s im

plem

enta

tion

is in

pla

ce.

X

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

requ

ired

certi

ficat

ion

with

in

12

mon

ths

of

the

Com

man

dant

Ins

truct

ion

issu

e da

te (

i.e.,

Mar

ch 2

3,

2011

), an

d al

l ci

vilia

n em

ploy

ees

curr

ently

in

an I

A

role

wou

ld b

e gr

ante

d a

wai

ver

with

in 1

2 m

onth

s of

th

e C

omm

anda

nt

Inst

ruct

ion

issu

e da

te.

The

Com

man

dant

In

stru

ctio

n fu

rther

st

ated

: 1)

bo

th

mili

tary

and

civ

ilian

em

ploy

ees

assi

gned

to a

n IA

role

af

ter

the

issu

ance

dat

e w

ould

be

requ

ired

to o

btai

n a

certi

ficat

ion

with

in 1

2 m

onth

s, in

clud

ing

trans

fers

, and

2)

all

certi

ficat

ions

mus

t be

rec

orde

d /

track

ed i

n D

irect

A

cces

s. Pe

rtain

ing

to

cont

ract

ors,

the

Con

tract

ing

Off

icer

Tec

hnic

al R

epre

sent

ativ

e (C

OTR

) m

ust k

eep

reco

rds

of a

ll IA

per

sonn

el th

at re

quire

and

ha

ve r

ecei

ved

role

-bas

ed c

ertif

icat

ion

prep

arat

ion

or

Con

tinui

ng P

rofe

ssio

nal E

duca

tion

(CPE

) cr

edits

, and

al

l tra

inin

g an

d ce

rtific

atio

n re

quire

men

ts a

re in

serte

d w

ithin

all

futu

re s

tate

men

ts o

f w

ork

and

awar

ded

cont

ract

s. T

he i

nstru

ctio

n al

so s

tate

s th

at a

ll IA

pe

rson

nel

(mili

tary

, ci

vilia

ns,

and

cont

ract

ors)

mus

t re

ceiv

e in

itial

pro

fess

iona

l ce

rtific

atio

n pr

epar

atio

n an

d an

nual

CPE

s th

erea

fter

prio

r to

bei

ng g

rant

ed

Coa

st G

uard

IT

syst

ems

acce

ss s

peci

fic t

o th

ose

secu

rity

dutie

s.

Alth

ough

Coa

st G

uard

has

take

n co

rrec

tive

actio

ns to

re

med

iate

thi

s pr

ior

year

NFR

, w

e de

term

ined

tha

t ev

en t

houg

h th

e co

rrec

tive

actio

ns a

re p

lann

ed f

or

com

plet

ion

by M

arch

201

1, t

hey

have

not

yet

bee

n co

mpl

eted

in F

Y 2

010

(i.e.

, all

IA p

rofe

ssio

nals

who

ar

e re

quire

d to

ob

tain

/

mai

ntai

n a

prof

essi

onal

ce

rtific

atio

n w

ithin

a y

ear o

f the

dat

e of

the

Inst

ruct

ion

have

not

obt

aine

d a

certi

ficat

ion

to d

ate)

. O

ur te

stin

g

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

note

d th

at 8

or

3.9%

of

Coa

st G

uard

IA

pro

fess

iona

ls

out

of t

he t

otal

pop

ulat

ion

of 2

05 h

ave

the

requ

ired

certi

ficat

ion

for

thei

r pr

escr

ibed

le

vel

on

file.

Fu

rther

mor

e, w

e no

ted

that

59

or 2

8.7%

of

Coa

st

Gua

rd IA

pro

fess

iona

ls h

ave

not p

rovi

ded

evid

ence

of

indu

stry

-bas

ed

train

ing.

In

addi

tion,

th

roug

h ou

r te

stin

g, w

e co

uld

not

dete

rmin

e th

e nu

mbe

r of

IA

pr

ofes

sion

als

that

had

bee

n gr

ante

d w

aive

rs f

or t

he

certi

ficat

ion

requ

irem

ent.

In

clos

ing,

we

also

not

ed

that

14

Coa

st G

uard

Sys

tem

Adm

inis

trato

rs w

ere

not

liste

d as

bei

ng p

art

of t

he 2

05 C

oast

Gua

rd I

A

prof

essi

onal

s. C

G-I

T-10

-11

Dur

ing

the

FY 2

010

IT A

udit,

a s

elec

tion

of u

sers

ad

ded

to th

e C

G T

IER

app

licat

ion

for

the

fisca

l yea

r w

as m

ade

to i

nspe

ct w

heth

er p

rope

r do

cum

enta

tion

was

rec

orde

d an

d re

tain

ed f

or i

dent

ify a

utho

rized

us

ers.

Our

test

ing

dete

rmin

ed th

at d

ocum

enta

tion

was

no

t re

tain

ed f

or o

ne o

f th

e tw

o C

G T

IER

use

rs

sele

cted

. Upo

n fu

rther

inq

uiry

with

man

agem

ent,

we

wer

e in

form

ed th

at th

e id

entif

ied

CG

TIE

R u

ser

was

au

thor

ized

acc

ess

by t

he F

inan

cial

Bra

nch

Chi

ef;

how

ever

, the

em

ail a

ppro

val h

ad b

een

lost

.

We

reco

mm

end

that

Coa

st G

uard

Fin

ance

Cen

ter

take

the

follo

w a

ctio

ns:

�Fo

r the

use

r ide

ntifi

ed d

urin

g te

stin

g, c

ompl

ete

and

reta

in a

ll ap

prop

riate

acc

ess r

eque

st

docu

men

tatio

n; a

nd,

�U

pdat

e th

e C

G T

IER

acc

ount

man

agem

ent

proc

edur

es to

eff

ectiv

ely

track

and

reta

in u

ser

acce

ss d

ocum

enta

tion.

X

1

CG

-IT-

10-1

2 D

urin

g ou

r FY

200

9 te

st w

ork,

we

dete

rmin

ed th

at o

n a

quar

terly

bas

is,

45-9

0 D

irect

Acc

ess

user

acc

ount

s ar

e ra

ndom

ly

sam

pled

an

d fo

rmal

ly

revi

ewed

to

de

term

ine

if ac

cess

re

mai

ns

appr

opria

te

for

each

se

lect

ed u

ser a

ccou

nt.

As

part

of th

e qu

arte

rly re

view

, C

oast

G

uard

’s

Pay

and

Pers

onne

l C

ente

r (P

PC)

man

agem

ent

verif

ies

that

no

sing

le u

ser

has

both

C

GA

PPL

(abi

lity

to

ente

r an

ap

plic

ant)

and

CG

HR

SUP

(abi

lity

to h

ire a

n ap

plic

atio

n) ro

les.

PPC

m

anag

emen

t th

en

verif

ies

that

no

us

er

has

both

We

reco

mm

end

Coa

st G

uard

hea

dqua

rters

and

the

PPC

: �

Dev

elop

a

RP

with

as

soci

ated

su

ppor

ting

busi

ness

cas

e(s)

to a

ddre

ss th

e 10

0% a

ccou

nt

revi

ew re

quire

men

t. �

Con

tinue

to c

oord

inat

e w

ith th

e D

HS

CIS

O’s

of

fice

to

dete

rmin

e an

d fo

rmal

ize

the

freq

uenc

y an

d de

pth

/ br

eadt

h of

eff

ectiv

e re

view

s th

at a

ddre

ss th

e pe

rcei

ved

risk.

Bas

ed

upon

the

resu

lts o

f th

ese

disc

ussi

ons

with

the

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

APP

L an

d C

GH

IRE

priv

ilege

s w

ithin

the

Dire

ct

Acc

ess a

pplic

atio

n.

Per

PPC

man

agem

ent,

ther

e ar

e 17

,496

ind

ivid

uals

w

ith

activ

e D

irect

A

cces

s ac

coun

ts

that

m

aint

ain

grea

ter

than

re

ad-o

nly

acce

ss.

PPC

m

anag

emen

t fu

rther

adv

ised

us

that

6,9

20 (

40%

) of

the

Dire

ct

Acc

ess

acco

unts

wer

e re

valid

ated

dur

ing

the

perio

d of

O

ctob

er 1

, 200

8 –

Sept

embe

r 17,

200

9, le

avin

g 10

,576

(6

0%)

Dire

ct A

cces

s ac

coun

ts n

ot r

eval

idat

ed d

urin

g FY

09.

As a

resu

lt, w

e de

term

ined

that

100

% o

f Dire

ct

Acc

ess

user

acc

ount

s w

ith g

reat

er t

han

read

-onl

y ac

cess

ar

e no

t an

nual

ly

revi

ewed

pe

r th

e D

HS

requ

irem

ent.

Dur

ing

our

FY 2

010

test

wor

k, w

e w

ere

info

rmed

by

the

Coa

st G

uard

that

an

annu

al re

view

of 1

00%

of t

he

Dire

ct A

cces

s us

er a

ccou

nts

with

gre

ater

tha

n re

ad-

only

acc

ess

(and

the

ir as

soci

ated

priv

ilege

s) h

as n

ot

been

per

form

ed fo

r thi

s fis

cal y

ear.

Coa

st G

uard

als

o in

form

ed u

s th

at a

ll D

irect

Acc

ess

acco

unts

cre

ated

and

/or m

odifi

ed d

urin

g th

e fis

cal y

ear

have

bee

n re

view

ed a

s pa

rt of

the

norm

al tr

ansf

er a

nd

agin

g pr

oces

ses;

how

ever

, our

test

ing

did

not e

xten

d to

va

lidat

e th

is s

tate

men

t. B

ased

upo

n a

risk

base

d de

cisi

on,

the

Coa

st G

uard

has

des

igne

d a

proc

ess

to

revi

ew a

sub

set o

f use

rs th

at re

pres

ent t

he g

reat

est r

isk

to D

irect

Acc

ess.

Thi

s an

nual

rev

iew

wou

ld c

over

ap

prox

imat

ely

743

Dire

ct A

cces

s us

ers.

The

sco

pe o

f th

e re

view

inc

lude

s us

ers

with

pay

men

t ap

prov

al,

secu

rity

adm

inis

trato

r per

mis

sion

s, al

l con

tract

ors,

and

user

s with

upd

ate/

dele

te p

erm

issi

ons.

DH

S C

ISO

’s o

ffic

e, t

he C

oast

Gua

rd w

ill

mod

ify p

roce

dure

s an

d de

velo

p, if

app

licab

le,

requ

ired

wai

vers

/exc

eptio

ns

to

refle

ct

an

adeq

uate

per

cent

age

of D

irect

Acc

ess

user

ac

coun

ts to

be

revi

ewed

. �

Con

tinue

to u

se it

s ex

istin

g ris

k-ba

sed

acco

unt

revi

ew

effo

rts

until

su

ch

time

that

th

e pr

oced

ures

are

upd

ated

in

resp

onse

to

the

activ

ities

as

soci

ated

w

ith

the

seco

nd

reco

mm

enda

tion.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

How

ever

, si

nce

this

sub

set

revi

ew d

oes

not

cove

r 10

0% o

f the

Dire

ct A

cces

s us

er a

ccou

nts

with

gre

ater

th

an re

ad-o

nly

acce

ss (a

nd th

eir a

ssoc

iate

d pr

ivile

ges)

as

req

uire

d by

DH

S, w

e co

nsid

er t

his

NFR

to

be r

e-is

sued

.

CG

-IT-

10-1

3 D

urin

g ou

r te

stin

g, w

e de

term

ined

tha

t al

l pr

evio

us

year

con

ditio

ns l

iste

d in

NFR

s C

G-I

T-09

-46

wer

e pr

oper

ly r

emed

iate

d by

USC

G.

We

cons

ider

thi

s pr

ior-

year

IT N

FR a

s clo

sed.

As

part

of

this

ye

ar’s

te

stin

g, w

e id

entif

ied

one

secu

rity

conf

igur

atio

n m

anag

emen

t w

eakn

ess

(i.e.

, ou

tdat

ed

oper

atin

g sy

stem

so

ftwar

e)

on

host

s su

ppor

ting

CA

S,

FPD

, N

ESSS

, as

w

ell

as

thos

e sy

stem

s’

netw

ork

infr

astru

ctur

e an

d as

soci

ated

w

orks

tatio

ns.

Tabl

e 1,

sta

rting

on

the

next

pag

e, li

sts

the

cond

ition

s as

ide

ntifi

ed b

y th

e so

ftwar

e to

ol u

sed,

the

sys

tem

(h

ost)

impa

cted

, ef

fect

sta

tem

ent,

IT g

ener

al c

ontro

l ar

ea, s

oftw

are

tool

use

d to

iden

tify

the

cond

ition

, and

if

the

cond

ition

ide

ntifi

ed w

as a

prio

r ye

ar I

T au

dit

issu

e. T

he c

ondi

tions

list

ed in

Tab

le 1

are

pot

entia

lly

expl

oita

ble

by a

n in

side

r w

ithou

t sp

ecifi

c kn

owle

dge

of t

he o

pera

tion

of t

he s

yste

m o

r th

e ap

plic

atio

ns

host

ed o

n th

at sy

stem

.

We

reco

mm

end

that

Coa

st G

uard

FIN

CEN

: �

Dev

elop

a

RP

with

as

soci

ated

su

ppor

ting

busi

ness

cas

e(s)

to

addr

ess

the

inst

alla

tion

of

Serv

ice

Pack

3 o

n al

l app

licab

le W

indo

ws

XP

wor

ksta

tions

an

d/or

up

grad

e th

e op

erat

ing

syst

ems

of t

hese

wor

ksta

tions

to

the

Coa

st

Gua

rd’s

Vis

ta-b

ased

Sta

ndar

d Im

age

6.0.

�

Dev

elop

a

RP

with

as

soci

ated

su

ppor

ting

busi

ness

ca

se(s

) to

ad

dres

s th

e se

rver

op

erat

ing

syst

em

upgr

ades

to

in

clud

e a

tech

nica

l an

alys

is t

o en

sure

Win

dow

s 20

03

serv

er u

pgra

des d

o no

t adv

erse

ly a

ffec

t sys

tem

op

erat

ion.

�

Bas

ed u

pon

the

resu

lts o

f R

ecom

men

datio

n 1

and

Rec

omm

enda

tion

2, s

ched

ule

and

perf

orm

th

e up

grad

es a

nd/o

r pa

tche

s of

the

im

pact

ed

serv

ers a

nd w

orks

tatio

ns.

X

1

CG

-IT-

10-1

4 D

urin

g ou

r FY

201

0 au

dit t

est w

ork,

we

sam

pled

25

new

use

r acc

esse

s for

NES

SS th

at w

ere

gran

ted

durin

g th

e fis

cal y

ear

to d

eter

min

e if

an a

cces

s au

thor

izat

ion

form

had

bee

n co

mpl

eted

, if

the

acce

ss h

ad b

een

timel

y ap

prov

ed b

y th

e us

er’s

sup

ervi

sor,

and

that

the

We

reco

mm

end

the

Coa

st

Gua

rd’s

O

pera

tion

Syst

ems

Cen

ter (

OSC

) upd

ate

the

NES

SS a

ccou

nt

man

agem

ent S

tand

ard

Ope

ratin

g Pr

oced

ure

(SO

P)

to p

rovi

de c

lear

gui

danc

e re

gard

ing

the

use

of u

ser

acce

ss fo

rms a

nd u

pdat

e th

e ac

cess

form

to in

clud

e

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

form

s w

ere

reta

ined

. B

ased

upo

n ou

r tes

ting,

we

wer

e un

able

to

obta

in 9

of

the

25 u

ser

acce

ss f

orm

s. I

n ad

ditio

n, e

vide

nce

of s

uper

viso

ry a

ppro

val f

or 9

of t

he

25 sa

mpl

ed u

sers

was

not

ava

ilabl

e.

an a

ppro

val s

igna

ture

line

.

CG

-IT-

10-1

5 D

urin

g th

e FY

20

10

audi

t te

st

wor

k,

Avi

atio

n Lo

gist

ics

Cen

ter (

ALC

) vis

itor l

ogs

for t

he fi

scal

yea

r w

ere

obta

ined

to

de

term

ine

whe

ther

pr

oper

do

cum

enta

tion

was

re

cord

ed

and

reta

ined

fo

r th

e ve

rific

atio

n of

in

divi

dual

s vi

sitin

g th

e A

LC

Dat

a C

ente

r an

d Fa

cilit

y.

Our

tes

ting

dete

rmin

ed t

hat

the

ALC

C

usto

mer

Su

ppor

t D

esk

did

not

prop

erly

co

mpl

ete

the

visi

tor

logs

dur

ing

the

FY 2

010

audi

t pe

riod.

Sp

ecifi

cally

, fr

om a

tot

al o

f 19

0 vi

sito

r lo

g en

tries

for t

he fi

scal

yea

r, 33

vis

itor l

og e

ntrie

s di

d no

t ha

ve th

e D

ate-

Out

and

Tim

e-O

ut fi

elds

com

plet

ed a

nd

31 v

isito

r lo

g en

tries

did

not

hav

e th

e Sp

onso

r fie

ld

com

plet

ed.

Add

ition

ally

, th

e A

LC D

ata

Cen

ter

Acc

ess

List

ing

was

obt

aine

d to

det

erm

ine

whe

ther

a r

evie

w o

f th

e ac

cess

lis

ting

was

con

duct

ed a

nd e

vide

nce

of t

he

revi

ew w

as p

erfo

rmed

and

mai

ntai

ned.

O

ur t

estin

g de

term

ined

tha

t th

e ev

iden

ce o

f re

view

s of

the

Dat

a C

ente

r A

cces

s fo

r th

e FY

20

10

perio

d w

as

not

mai

ntai

ned.

Th

eref

ore,

we

coul

d no

t de

term

ine

that

th

e D

ata

Cen

ter

Acc

ess

List

ing

had

been

pro

perly

re

view

ed d

urin

g th

e ye

ar.

We

reco

mm

end

that

Coa

st G

uard

: �

Dev

elop

and

mai

ntai

n an

SO

P to

ens

ure

that

th

e A

LC D

ata

Cen

ter

Acc

ess

Con

trol

list

is

kept

cur

rent

and

tha

t its

qua

rterly

rev

iew

is

docu

men

ted

and

mai

ntai

ned;

and

�

Re-

emph

asiz

e to

al

l A

LC

Supp

ort

Des

k pe

rson

nel

(thro

ugh

train

ing)

, th

e im

porta

nce

of p

rope

rly m

aint

aini

ng th

e vi

sito

r lo

g an

d to

en

sure

it

is

fille

d ou

t co

mpl

etel

y an

d ac

cura

tely

.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-1

6 D

urin

g th

e FY

20

10

IT

Aud

it,

the

Avi

atio

n M

aint

enan

ce

Man

agem

ent

Info

rmat

ion

Syst

em

(AM

MIS

) pa

ssw

ord

conf

igur

atio

n se

tting

s w

ere

obta

ined

an

d te

sted

to

de

term

ine

whe

ther

th

ey

com

plie

d w

ith D

HS

polic

y.

Our

tes

ting

dete

rmin

ed

that

the

AM

MIS

sub

syst

em p

assw

ord

conf

igur

atio

n se

tting

s do

not

com

ply

with

all

of t

he r

equi

red

DH

S pa

ssw

ord

guid

elin

es.

Spec

ifica

lly, A

MM

IS p

assw

ord

conf

igur

atio

n se

tting

s di

d no

t co

mpl

y w

ith

the

follo

win

g D

HS

pass

wor

d po

licy:

�C

onta

in a

com

bina

tion

of a

lpha

betic

, num

eric

, an

d sp

ecia

l ch

arac

ters

–

the

AM

MIS

pa

ssw

ord

requ

ires

a co

mbi

natio

n of

al

phab

etic

, num

eric

, or s

peci

al c

hara

cter

s; a

nd

�N

ot b

e th

e sa

me

as th

e pr

evio

us 8

pas

swor

ds.

The

AM

MIS

pas

swor

d co

nfig

urat

ion

is s

et to

be

the

sam

e as

the

prev

ious

6 p

assw

ords

.

Add

ition

ally

, ou

r te

stin

g de

term

ined

tha

t th

e cu

rren

t A

viat

ion

Logi

stic

s M

anag

emen

t In

form

atio

n Sy

stem

(A

LMIS

) Sys

tem

Sec

urity

Pla

n (S

SP),

whi

ch in

clud

es

the

syst

em

leve

l re

quire

men

ts

of

the

AM

MIS

su

bsys

tem

, st

ates

th

at

the

impl

emen

ted

pass

wor

d co

nfig

urat

ion

does

not

com

ply

with

the

cur

rent

DH

S pa

ssw

ord

polic

y. S

peci

fical

ly, t

he A

LMIS

SSP

sta

tes

that

the

pass

wor

d ca

nnot

be

the

sam

e as

the

prev

ious

6

pass

wor

ds;

how

ever

, D

HS

guid

ance

st

ates

th

at

pass

wor

ds c

anno

t be

the

sam

e as

the

pre

viou

s 8

pass

wor

ds.

We

reco

mm

end

that

the

Coa

st G

uard

con

figur

e th

e A

MM

IS

appl

icat

ion

to

enfo

rce

the

stro

ng

pass

wor

d an

d pa

ssw

ord

hist

ory

requ

irem

ents

de

scrib

ed

in

the

DH

S M

anag

emen

t D

irect

ive

4300

A P

olic

y D

irect

ive

and

to u

pdat

e al

l im

pact

ed

Cer

tific

atio

n &

A

ccre

dita

tion

and

syst

em

docu

men

tatio

n ac

cord

ingl

y.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-1

7 To

com

plem

ent o

ur I

T au

dit t

estin

g ef

forts

as

part

of

the

FY 2

010

DH

S Fi

nanc

ial

Stat

emen

t A

udit

and

Aud

it of

Inte

rnal

Con

trol o

ver F

inan

cial

Rep

ortin

g, w

e al

so p

erfo

rmed

soci

al e

ngin

eerin

g te

stin

g. T

his t

estin

g w

as c

ondu

cted

at

key

Coa

st G

uard

loc

atio

ns t

hat

proc

ess,

supp

ort a

nd h

ouse

Coa

st G

uard

fina

ncia

l dat

a.

Soci

al e

ngin

eerin

g is

def

ined

as

the

act o

f at

tem

ptin

g to

man

ipul

ate

or d

ecei

ve in

divi

dual

s in

to ta

king

act

ion

that

is

in

cons

iste

nt

with

D

HS

polic

ies,

such

as

di

vulg

ing

sens

itive

info

rmat

ion

or a

llow

ing

/ ena

blin

g co

mpu

ter s

yste

m a

cces

s. T

he te

rm ty

pica

lly a

pplie

s to

tri

cker

y or

dec

eptio

n fo

r th

e pu

rpos

e of

inf

orm

atio

n ga

ther

ing,

or g

aini

ng c

ompu

ter s

yste

m a

cces

s.

This

was

the

sec

ond

roun

d of

soc

ial

engi

neer

ing

test

ing

cond

ucte

d as

par

t the

FY

201

0 D

HS

Fina

ncia

l A

udit

and

Aud

it of

Int

erna

l C

ontro

l ov

er F

inan

cial

R

epor

ting.

O

ur in

itial

test

ing

occu

rred

bac

k on

Jun

e 30

th a

nd J

uly

1st .

Our

initi

al te

stin

g re

sulte

d in

Coa

st

Gua

rd

IT-N

FR-1

0-06

be

ing

issu

ed.

Th

e te

stin

g ap

proa

ch a

nd s

cope

for

the

sec

ond

roun

d of

tes

ting

was

the

sam

e as

the

initi

al ro

und.

Dur

ing

the

cour

se o

f our

soc

ial e

ngin

eerin

g te

st w

ork,

th

e ob

ject

ive

was

prim

arily

foc

used

on

atte

mpt

ing

to

obta

in u

ser

pass

wor

ds.

Pos

ing

as D

HS

tech

nica

l su

ppor

t em

ploy

ees,

atte

mpt

s w

ere

mad

e to

obt

ain

this

It is

reco

mm

ende

d th

at C

oast

Gua

rd im

plem

ent t

he

reco

mm

enda

tions

pre

sent

ed i

n C

oast

Gua

rd I

T-N

FR-1

0-06

. N

o ad

ditio

nal a

ctio

ns a

re re

quire

d.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 3

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

type

of

acco

unt

info

rmat

ion

by c

onta

ctin

g ra

ndom

ly

sele

cted

USC

G e

mpl

oyee

s by

tele

phon

e at

two

Coa

st

Gua

rd l

ocat

ions

, H

eadq

uarte

rs (

HQ

) an

d th

e C

oast

G

uard

Fin

ance

Cen

ter

(FIN

CEN

). A

scr

ipt w

as u

sed

to a

sk f

or a

ssis

tanc

e fr

om t

he u

ser

in r

esol

ving

a

netw

ork

issu

e at

the

Coa

st G

uard

. A

s pr

esen

ted

in th

e fo

llow

ing

tabl

e, f

or e

ach

pers

on w

e at

tem

pted

to c

all,

we

note

d w

heth

er t

he i

ndiv

idua

ls w

ere

reac

hed

and

whe

ther

we

obta

ined

any

info

rmat

ion

from

them

that

sh

ould

not

hav

e be

en sh

ared

with

us a

ccor

ding

to D

HS

polic

y.

Our

se

lect

ion

of

indi

vidu

als

was

no

t st

atis

tical

ly d

eriv

ed,

and,

the

refo

re,

we

are

unab

le t

o pr

ojec

t re

sults

to

the

com

pone

nt o

r de

partm

ent

as a

w

hole

. C

G-I

T-10

-18

Our

tes

ting

dete

rmin

ed t

hat

the

evid

ence

of

revi

ews

over

the

AM

MIS

aud

it lo

gs f

or t

he F

Y 2

010

audi

t pe

riod

wer

e no

t m

aint

aine

d by

ALC

. Th

eref

ore,

we

coul

d no

t det

erm

ine

if th

e A

MM

IS a

udit

logs

had

bee

n pr

oper

ly re

view

ed d

urin

g th

e ye

ar.

Add

ition

ally

, our

test

ing

dete

rmin

ed th

at re

view

s of a

ll de

activ

ated

AM

MIS

acc

ount

s m

ay n

ot h

ave

been

pe

rfor

med

an

d ev

iden

ce

of

the

revi

ews

was

no

t m

aint

aine

d by

the

ALC

. T

here

fore

, w

e co

uld

not

dete

rmin

e w

heth

er d

eact

ivat

ed A

MM

IS a

ccou

nts

had

been

pro

perly

mon

itore

d an

d re

view

ed d

urin

g th

e ye

ar.

Last

ly,

we

wer

e in

form

ed

by

the

ALC

th

at

the

AM

MIS

aud

it lo

gs w

ere

not

bein

g re

view

ed b

y an

in

divi

dual

th

at

is

cons

ider

ed

inde

pend

ent

to

the

proc

ess.

W

e no

ted

that

an

A

MM

IS

syst

em

We

reco

mm

end

that

Coa

st G

uard

: �

Upd

ate

the

AM

MIS

St

anda

rd

Ope

ratin

g Pr

oced

ures

to a

ddre

ss th

e au

dit l

og re

view

and

re

tent

ion

proc

edur

es; a

nd

�Im

plem

ent

sepa

ratio

n of

du

ties

for

the

AM

MIS

aud

it lo

g re

view

s.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

adm

inis

trato

r is

resp

onsi

ble

for r

evie

win

g th

e A

MM

IS

audi

t log

s.

CG

-IT-

10-1

9 O

ur te

stin

g de

term

ined

that

evi

denc

e of

a r

evie

w a

nd

rece

rtific

atio

n of

th

e 11

,306

us

ers

with

“U

pdat

e”

priv

ilege

in A

LMIS

was

not

mai

ntai

ned

by th

e A

LC.

Ther

efor

e, w

e co

uld

not

dete

rmin

e th

at A

LMIS

use

r ac

coun

ts h

ad b

een

prop

erly

rev

iew

ed a

nd r

ecer

tifie

d du

ring

the

year

.

We

reco

mm

end

that

Coa

st G

uard

: �

Dev

elop

a

RP

with

as

soci

ated

su

ppor

ting

busi

ness

cas

e(s)

to a

ddre

ss th

e 10

0% a

ccou

nt

revi

ew re

quire

men

t; �

Con

tinue

to c

oord

inat

e w

ith th

e D

HS

CIS

O’s

of

fice

to

dete

rmin

e an

d fo

rmal

ize

the

freq

uenc

y an

d de

pth

/ br

eadt

h of

eff

ectiv

e re

view

s th

at a

ddre

ss th

e pe

rcei

ved

risk.

Bas

ed

upon

the

resu

lts o

f th

ese

disc

ussi

ons

with

the

DH

S C

ISO

’s o

ffic

e, t

he C

oast

Gua

rd w

ill

mod

ify p

roce

dure

s an

d de

velo

p, if

app

licab

le,

requ

ired

wai

vers

/exc

eptio

ns

to

refle

ct

an

adeq

uate

per

cent

age

of A

LMIS

use

r ac

coun

ts

to b

e re

view

ed; a

nd

�C

ontin

ue to

use

its

exis

ting

risk-

base

d ac

coun

t re

view

ef

forts

un

til

such

tim

e th

at

the

proc

edur

es a

re u

pdat

ed i

n re

spon

se t

o th

e ac

tiviti

es

asso

ciat

ed

with

th

e se

cond

re

com

men

datio

n.

X

2

CG

-IT-

10-2

0 O

ur t

estin

g de

term

ined

tha

t th

e A

MM

IS S

oftw

are

Cha

nge

Req

uest

Fo

rms

wer

e no

t ap

prop

riate

ly

auth

oriz

ed.

Spec

ifica

lly,

for

the

four

(4)

AM

MIS

so

ftwar

e ch

ange

s m

ade

durin

g th

e fis

cal y

ear,

two

(2)

of th

e so

ftwar

e ch

ange

req

uest

for

ms

wer

e no

t sig

ned

by th

e D

ivis

ion

Chi

ef.

We

reco

mm

end

that

Coa

st G

uard

est

ablis

h an

d fo

llow

a m

anag

emen

t re

view

pro

cess

to

ensu

re

that

any

new

AM

MIS

SC

Rs

proc

esse

d w

ill b

e re

view

ed b

y th

e PC

team

for t

he p

rope

r / re

quire

d si

gnat

ures

.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-2

1 D

urin

g ou

r FY

201

0 au

dit t

est w

ork

over

the

NES

SS

rece

rtific

atio

n pr

oces

s, w

e no

ted

that

32

user

s w

ere

assi

gned

the

rol

e FL

S_U

SR_A

DM

_GR

P w

ithin

the

N

ESSS

app

licat

ion.

Thi

s rol

e gr

ants

the

abili

ty to

add

, m

odify

, and

del

ete

user

acc

ount

s. In

add

ition

, tw

o (2

) of

th

ese

user

s w

ere

syst

em

adm

inis

trato

rs.

Th

is

num

ber o

f use

rs w

ith th

is e

leva

ted

role

was

con

side

red

exce

ssiv

e ba

sed

upon

the

rat

io o

f th

is r

ole

to t

he

NES

SS u

ser p

opul

atio

n.

On

Oct

ober

7, 2

010,

OSC

man

agem

ent r

emed

iate

d th

e co

nditi

on b

y re

duci

ng t

he n

umbe

r of

use

rs w

ith t

he

FLS_

USR

_AD

M_G

RP

role

dow

n to

six.

Coa

st G

uard

took

app

ropr

iate

cor

rect

ive

actio

n to

re

med

iate

the

exce

ptio

n th

at w

as id

entif

ied

and

no

addi

tiona

l cor

rect

ive

actio

ns a

re re

quire

d.

X

2

CG

-IT-

10-2

2 W

e de

term

ined

th

at

Ope

ratio

ns

Syst

em

Cen

ter

(OSC

) ha

d up

date

d th

e po

licie

s an

d pr

oced

ures

for

Sy

stem

A

dmin

istra

tors

(S

As)

an

d D

atab

ase

Adm

inis

trato

rs (

DB

As)

to

incl

ude

mor

e de

tail

and

inst

ruct

ions

on

en

terin

g su

ffic

ient

ev

iden

ce

rega

rdin

g th

e w

eekl

y no

n-in

depe

nden

t au

dit

log

revi

ews

docu

men

ted

and

track

ed i

n th

e C

lear

Que

st

Tick

etin

g sy

stem

. W

e al

so n

oted

tha

t th

e m

onth

ly

SAM

aud

it lo

g re

view

s w

ere

bein

g co

nduc

ted

by a

n in

depe

nden

t tea

m.

Alth

ough

OSC

has

take

n st

eps t

o re

med

iate

the

prio

r ye

ar

cond

ition

s by

up

datin

g th

e po

licie

s an

d co

mpl

etin

g th

e m

onth

ly i

ndep

ende

nt r

evie

ws,

we

dete

rmin

ed t

hat

the

3 sa

mpl

ed m

onth

s of

SA

and

D

BA

aud

it lo

g re

view

s di

d no

t hav

e su

ffic

ient

det

ail

on

the

Cle

arQ

uest

tic

kets

. Sp

ecifi

cally

, w

e id

entif

ied

the

follo

win

g:

We

reco

mm

end

that

Coa

st G

uard

: �

Upd

ate

the

SAM

and

NES

SS a

udit

log

revi

ew

proc

edur

es

with

in

the

Stan

dard

O

pera

ting

Proc

edur

es

to

incl

ude

mor

e de

tail

in

the

Cle

arQ

uest

Tic

kets

inc

ludi

ng r

ecor

ding

the

re

sults

of t

he re

view

of t

he a

udit

logs

; �

Impl

emen

t sim

ilar

sepa

ratio

n of

dut

ies

for

the

NES

SS

audi

t lo

g re

view

s as

ha

ve

been

im

plem

ente

d fo

r th

e SA

M a

udit

log

revi

ews;

an

d;

�C

ontin

ue w

ith o

ngoi

ng e

ffor

ts f

or id

entif

ying

, de

sign

ing,

and

im

plem

entin

g au

tom

ated

too

ls

to

assi

st

in

audi

t lo

g co

llect

ion,

st

orag

e,

anal

ysis

, an

d re

porti

ng

whi

ch

will

fu

rther

im

prov

e co

nsis

tenc

y, ti

mel

ines

s, an

d ac

cura

cy

of th

e re

view

s w

hen

com

pare

d w

ith la

bor a

nd

time

inte

nsiv

e m

anua

l pro

cess

es.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

�1

of th

e 3

SA m

onth

ly re

view

s did

not

hav

e a

sear

chab

le ti

tle

�2

of t

he 3

SA

mon

thly

rev

iew

s di

d no

t in

clud

e re

sults

of t

he a

udit

log

revi

ew (i

.e.,

audi

t log

s had

no

exce

ptio

ns.)

�3

of t

he 3

DB

A m

onth

ly r

evie

ws

did

not

list

the

logs

tha

t w

ere

incl

uded

in

th

e re

view

�

3 of

the

3 D

BA

mon

thly

rev

iew

s di

d no

t ha

ve re

sults

of t

he a

udit

log

revi

ews

As

a re

sult

of li

mita

tions

of t

he u

nder

lyin

g op

erat

ing

syst

em o

f the

Sho

re A

sset

Man

agem

ent S

yste

m A

M

syst

em:

�Th

e se

rver

s do

not a

utom

atic

ally

ale

rt in

th

e ev

ent o

f an

inci

dent

. �

The

serv

er o

pera

ting

syst

ems d

o no

t in

here

ntly

pro

vide

aud

it re

duct

ion

and

repo

rt ge

nera

tion

capa

bilit

y.

Furth

erm

ore,

th

e O

SC

has

not

impl

emen

ted

a ce

ntra

lized

log

solu

tion

for

audi

t lo

g re

duct

ion

and

repo

rting

, and

aut

omat

ed a

lert

notif

icat

ions

.

NES

SS A

udit

Logs

: D

urin

g ou

r FY

201

0 te

st w

ork

for

the

NES

SS, w

e no

ted

that

dai

ly a

nd w

eekl

y au

dit

log

revi

ews

are

perf

orm

ed b

y th

e N

ESSS

Sys

tem

Adm

inis

trato

r. Th

e w

eekl

y au

dit l

og re

view

s ar

e do

cum

ente

d in

the

Cle

arQ

uest

sys

tem

with

a r

unni

ng t

icke

t fo

r th

e ca

lend

ar y

ear.

Eac

h w

eek’

s re

view

is a

dded

to th

e

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

Cle

arQ

uest

tic

ket.

How

ever

, w

e de

term

ined

tha

t th

ere

is n

ot s

uffic

ient

det

ail i

n th

e C

lear

Que

st ti

cket

in

rec

ordi

ng t

he r

esul

ts o

f th

e re

view

of

the

audi

t lo

gs.

Furth

erm

ore,

as

sim

ilar

to S

AM

aud

it lo

g re

view

pr

oces

s lis

ted

abov

e,

OSC

ha

s no

t im

plem

ente

d a

cent

raliz

ed lo

g so

lutio

n fo

r aud

it lo

g re

duct

ion

and

repo

rting

, an

d au

tom

ated

al

ert

notif

icat

ions

. In

add

ition

, th

e w

eekl

y re

view

s ar

e pe

rfor

med

by

the

NES

SS S

yste

m A

dmin

istra

tor,

who

is

not

cons

ider

ed a

n in

depe

nden

t pa

rty a

s re

quire

d by

DH

S M

D 4

300A

. C

G-I

T-10

-23

Dur

ing

the

FY 2

010

audi

t te

st w

ork,

the

OSC

dat

a ce

nter

ac

cess

lis

ting

was

ob

tain

ed

in

orde

r to

de

term

ine

whe

ther

a r

evie

w o

f th

e ac

cess

list

ing

was

co

nduc

ted

and

evid

ence

of t

he re

view

was

mai

ntai

ned.

O

SC i

nfor

med

us

that

the

y pe

rfor

m a

rev

iew

of

the

data

cen

ter a

cces

s on

a q

uarte

rly b

asis

. H

owev

er, o

ur

test

ing

dete

rmin

ed

that

th

e ev

iden

ce

of

revi

ews

conc

erni

ng O

SC d

ata

cent

er a

cces

s fo

r th

e FY

201

0 pe

riod

was

not

mai

ntai

ned.

Th

eref

ore,

we

coul

d no

t de

term

ine

whe

ther

the

OSC

dat

a ce

nter

acc

ess

listin

g ha

d be

en p

rope

rly re

view

ed d

urin

g th

e ye

ar.

We

reco

mm

end

that

Coa

st G

uard

dev

elop

det

aile

d pr

oced

ures

for:

�Q

uarte

rly

data

ce

nter

ac

cess

re

view

s to

in

clud

e va

lidat

ing

that

use

rs h

ave

a ph

ysic

al

need

to a

cces

s the

dat

a flo

or; a

nd

�M

etho

ds

for

mai

ntai

ning

th

e re

view

do

cum

enta

tion.

X

1

CG

-IT-

10-2

4 D

urin

g pr

ior

finan

cial

sta

tem

ent a

udits

dat

ing

back

to

FY

2003

, w

e no

ted

that

th

e im

plem

enta

tion

and

over

sigh

t of

the

Coa

st G

uard

’s i

nfor

mat

ion

secu

rity

cont

rols

nee

ded

vario

us im

prov

emen

ts.

In F

Y 2

010,

co

ntin

ued

impr

ovem

ents

hav

e be

en m

ade

in th

e ar

eas

of

acce

ss

cont

rols

, en

tity-

leve

l co

ntro

ls,

and

conf

igur

atio

n m

anag

emen

t. I

mpr

ovem

ents

in

the

IT

cont

rol

envi

ronm

ent

wer

e id

entif

ied

at e

ach

of t

he

Coa

st G

uard

fin

anci

al p

roce

ssin

g lo

catio

ns w

here

IT

We

reco

mm

end

Coa

st G

uard

to:

�C

ontin

ue t

o im

plem

ent

and

impr

ove

upon

th

e m

onito

ring

of c

ompl

ianc

e w

ith D

HS,

C

oast

Gua

rd,

and

Fede

ral

secu

rity

polic

ies

and

proc

edur

es

in

the

area

s of

sc

ript

conf

igur

atio

n m

anag

emen

t co

ntro

ls

to

incl

ude

the

use

of

the

auto

mat

ed

tool

s de

ploy

ed a

t the

FIN

CEN

; and

�

Dev

elop

and

im

plem

ent

corr

ectiv

e ac

tion

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

audi

t was

pre

viou

sly

cond

ucte

d.

How

ever

, sig

nific

ant i

mpr

ovem

ents

are

stil

l war

rant

ed

in

the

area

of

sc

ript

conf

igur

atio

n m

anag

emen

t co

ntro

ls f

or t

he k

ey f

inan

cial

sys

tem

s lo

cate

d at

the

FI

NC

EN.

Scrip

t con

figur

atio

n m

anag

emen

t con

trol i

s th

e su

bjec

t of

th

e si

gnifi

cant

co

ntro

l de

ficie

ncie

s id

entif

ied

and

reco

mm

enda

tions

tha

t w

ere

deve

lope

d du

ring

the

audi

t. O

ther

wea

knes

ses

cont

inue

d to

exi

st,

to a

less

er e

xten

t, in

the

area

s of

acc

ess

cont

rols

and

en

tity-

wid

e se

curit

y at

ea

ch

of

the

Coa

st

Gua

rd

finan

cial

pr

oces

sing

lo

catio

ns.

Th

ese

cont

inue

d w

eakn

esse

s re

quire

Coa

st G

uard

to c

ontin

ue w

ith th

e im

plem

enta

tion

of t

heir

corr

ectiv

e ac

tions

pla

ns a

nd

mon

itorin

g ef

forts

.

As

a re

sult

of o

ur a

udit

test

wor

k an

d su

ppor

ted

by a

ll th

e IT

NFR

s is

sued

dur

ing

the

curr

ent

year

, w

e de

term

ined

that

Coa

st G

uard

is n

on-c

ompl

iant

with

the

Fede

ral

Fina

ncia

l M

anag

emen

t Im

prov

emen

t A

ct

(FFM

IA).

plan

s to

add

ress

and

rem

edia

te t

he N

FRs

issu

ed d

urin

g th

e FY

201

0 au

dit.

CG

-IT-

10-2

5 D

urin

g ou

r FY

201

0 ye

ar-e

nd I

T ro

ll-fo

rwar

d au

dit

test

ing

proc

edur

es, w

e de

term

ined

that

one

(1) o

f the

fiv

e (5

) Fi

nanc

ial

Proc

urem

ent

Des

ktop

(F

PD),

Prod

uctio

n Im

plem

enta

tion

Req

uest

(P

IR)

form

s te

sted

w

as

not

sign

ed

off

on

by

the

anal

yst/s

ubm

itter

/impl

emen

ter

as r

equi

red

per

the

FIN

CEN

PIR

form

.

The

proc

ess

for

obta

inin

g w

ritte

n si

gn-o

ff o

n PI

R

form

s ha

s re

cent

ly

been

re

plac

ed

with

an

au

tom

ated

wor

kflo

w p

roce

ss t

hat

elim

inat

es t

he

need

for w

ritte

n ap

prov

als;

ther

efor

e no

add

ition

al

corr

ectiv

e ac

tions

are

requ

ired.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CG

-IT-

10-2

6 D

urin

g th

e FY

201

0 au

dit

test

wor

k, w

e de

term

ined

th

at A

LC p

olic

ies

and

proc

edur

es f

or t

he f

ollo

win

g co

ntro

l ar

eas

are

not

adeq

uate

ly d

etai

led

to p

rovi

de

clea

r and

com

plet

e co

ntro

l des

crip

tions

for e

ach

of th

e fo

llow

ing

proc

esse

s:

�Ph

ysic

al

Acc

ess

to

the

data

ce

nter

an

d sy

stem

s in

the

data

cen

ter;

�A

cces

s to

Prog

ram

Lib

rarie

s;

�Se

greg

atio

n of

D

utie

s in

su

ppor

t of

th

e A

MM

IS a

pplic

atio

n;

�A

MM

IS A

udit

Log

Rev

iew

and

Ret

entio

n;

�B

acku

ps a

nd D

ata

Res

tora

tion;

and

, �

Off

site

Sto

rage

of B

acku

p m

edia

.

We

reco

mm

end

that

C

oast

G

uard

de

velo

p,

docu

men

t, co

mm

unic

ate,

tra

in,

test

, an

d co

ntin

uous

ly m

aint

ain

polic

ies

and

proc

edur

es f

or

the

cite

d co

ntro

l and

pro

cess

are

as.

X

2

CG

-IT-

10-2

7 Th

e N

ESSS

’ O

racl

e ve

rify

_fun

ctio

n in

th

e SY

S sc

hem

a is

inco

rrec

tly c

onfig

ured

and

doe

s no

t inc

lude

ve

rific

atio

n of

spec

ial c

hara

cter

s for

pas

swor

ds.

We

reco

mm

end

that

C

oast

G

uard

re

view

an

d up

date

the

Ora

cle

veri

fy f

unct

ion

in t

he S

YS

sche

ma

to

incl

ude

the

verif

icat

ion

of

spec

ial

char

acte

rs fo

r pas

swor

ds.

X

1

CG

-IT-

10-2

8 D

urin

g ou

r FY

201

0 au

dit t

est w

ork,

we

follo

wed

up

with

Coa

st G

uard

man

agem

ent a

nd w

ere

notif

ied

that

th

is D

irect

Acc

ess

audi

t lo

ggin

g w

eakn

ess,

note

d in

FY

200

9, c

anno

t be

res

olve

d un

til D

irect

Acc

ess

is

upda

ted

to P

eopl

eSof

t ver

sion

9.

Ther

e is

no

curr

ent

timel

ine

for t

he u

pgra

de to

take

pla

ce.

The

follo

win

g co

nditi

ons

wer

e no

ted

last

yea

r an

d ar

e st

ill o

pen

in

FY 2

010.

Not

all

Dire

ct A

cces

s fa

iled

logo

n at

tem

pts

are

logg

ed

or r

evie

wed

; an

d ac

coun

t m

anag

emen

t au

dit

logs

for

th

e D

irect

Acc

ess

appl

icat

ion

are

not

revi

ewed

on

a

We

reco

mm

end

Coa

st G

uard

con

tinue

with

the

Pe

ople

Soft

9.0

upgr

ade

and

Peop

leSo

ft Po

rtal

impl

emen

tatio

n.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

6

A

ppen

dix

B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

mon

thly

bas

is, w

hich

is a

requ

irem

ent s

et fo

rth w

ithin

D

HS

Polic

y. Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

7

Appendix B


September 30, 2010



� Customs and Border Protection (CBP)


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Cus

tom

s and

Bor

der

Prot

ectio

nN

FR

#No

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g C

BP-

IT-1

0-01

This

is a

sys

tem

-leve

l fin

ding

. K

PMG

not

ed th

at C

BP

porta

l ac

coun

ts f

or s

epar

ated

em

ploy

ees

are

rem

oved

on

a b

i-wee

kly

basi

s an

d ar

e no

t rem

oved

on

the

day

of

the

indi

vidu

al’s

sep

arat

ion

as r

equi

red

by C

BP

and

DH

S po

licy.

KPM

G d

id n

ote

that

CB

P is

aw

are

of th

e is

sue

and

is l

ooki

ng i

nto

an a

utom

ated

sol

utio

n fo

r co

mpl

ianc

e w

ith C

BP

and

DH

S po

licy.

Upo

n fu

rther

te

stin

g of

ter

min

ated

em

ploy

ees,

KPM

G d

id n

ot f

ind

any

user

s th

at h

ad a

cces

sed

the

syst

em a

fter

thei

r se

para

tion

date

from

CB

P.

CB

P sh

ould

impl

emen

t pro

cedu

res

to re

info

rce

adhe

renc

e to

gu

idan

ce r

equi

ring

timel

y no

tific

atio

n of

sep

arat

ions

by

empl

oyee

s or

co

ntra

ctor

s w

ith

acce

ss

to

AC

E.

Thos

e re

spon

sibl

e fo

r A

CE

acce

ss c

ontro

l nee

d to

be

notif

ied

of a

se

para

tion

no la

ter t

han

the

day

of se

para

tion.

X

2

CB

P-IT

-10-

02

This

is a

sys

tem

leve

l fin

ding

. K

PMG

not

ed th

at A

CE

is n

ot c

urre

ntly

con

figur

ed t

o pr

even

t in

com

patib

le

role

s fro

m b

eing

ass

igne

d to

a u

ser,

as re

quire

d by

CB

P an

d D

HS

polic

ies.

Whi

le, i

nitia

l ste

ps h

ave

been

take

n to

add

ress

for

mal

seg

rega

tion

of d

utie

s w

ithin

the

sy

stem

, no

addi

tiona

l act

ions

hav

e ta

ken

plac

e.

CB

P O

ffic

e of

Info

rmat

ion

and

Tech

nolo

gy w

ill c

ontin

ue to

w

ork

with

the

Off

ice

of I

nter

natio

nal

Trad

e, O

ffic

e of

A

dmin

istra

tion

and

Off

ice

of F

ield

Ope

ratio

ns t

o id

entif

y in

com

patib

le r

oles

and

dev

elop

pro

cedu

res

as p

art

of t

he

acce

ss c

ontro

l pro

cess

to e

nsur

e th

at th

ese

role

com

bina

tions

ar

e no

t gr

ante

d to

AC

E us

ers,

exce

pt w

hen

a w

aive

r is

gr

ante

d in

writ

ing.

X

2

CB

P-IT

-10-

03

This

is

a

syst

em-le

vel

findi

ng.

KPM

G

note

d th

at

evid

ence

of

co

mpl

eted

A

CE

syst

em

log

(Sys

log)

re

view

s di

d no

t inc

lude

an

appr

opria

te le

vel o

f de

tail.

Sp

ecifi

cally

, dur

ing

the

maj

ority

of F

Y 2

010,

ther

e w

as

no f

orm

al m

etho

d of

doc

umen

ting

who

per

form

ed th

e au

dit

log

revi

ews,

whe

n th

ey w

ere

revi

ewed

, w

hat

issu

es (i

f any

) wer

e id

entif

ied,

and

the

actio

ns ta

ken

(if

appl

icab

le).

KPM

G n

oted

tha

t pr

oced

ures

reg

ardi

ng

the

revi

ew o

f A

CE

audi

t lo

gs h

ave

been

est

ablis

hed

prio

r to

FY

201

0, a

nd t

hat

man

agem

ent

is c

urre

ntly

im

plem

entin

g a

form

al m

etho

d of

doc

umen

ting

the

requ

isite

syst

em lo

g re

view

info

rmat

ion.

We

reco

mm

end

that

CB

P m

aint

ain

evid

ence

tha

t re

gula

r re

view

s of

aud

it lo

gs a

re o

ccur

ring.

S

peci

fical

ly,

we

reco

mm

end

that

CB

P co

ntin

ue w

ith p

lans

initi

ated

in J

uly

of

2010

to

in

stitu

tiona

lize

a m

ore

form

al

met

hod

of

docu

men

ting

who

per

form

ed r

evie

ws

of a

udit

logs

, w

hen

thes

e re

view

s oc

curr

ed,

and

wha

t is

sues

(if

any)

wer

e id

entif

ied.

We

also

re

com

men

d th

at

CB

P pe

rfor

m

a co

st/b

enef

it an

alys

is t

o de

term

ine

whe

ther

an

AC

E cu

stom

-dev

elop

ed

solu

tion

or

a pu

rcha

sed

CO

TS

prod

uct

shou

ld

be

impl

emen

ted

for f

ull a

utom

atio

n of

aud

it lo

g re

view

s.

X

2

CB

P-So

cial

eng

inee

ring

is d

efin

ed a

s the

act

of a

ttem

ptin

g to

W

e re

com

men

d th

at C

BP

impl

emen

t m

ultip

le t

ypes

of

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 4

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

IT-1

0-05

m

anip

ulat

e or

dec

eive

peo

ple

into

taki

ng a

ctio

n th

at is

in

cons

iste

nt w

ith p

olic

ies,

such

as

divu

lgin

g se

nsiti

ve

info

rmat

ion

or a

llow

ing

/ en

ablin

g co

mpu

ter

syst

em

acce

ss.

The

term

typ

ical

ly a

pplie

s to

tric

kery

or

dece

ptio

n fo

r th

e pu

rpos

e of

info

rmat

ion

gath

erin

g, o

r co

mpu

ter s

yste

m a

cces

s.

The

obje

ctiv

e of

our

soc

ial

engi

neer

ing

test

wor

k pr

imar

ily

focu

sed

on

atte

mpt

ing

to

iden

tify

user

pa

ssw

ords

. Po

sing

as

D

HS

tech

nica

l su

ppor

t em

ploy

ees,

atte

mpt

s w

ere

mad

e to

obt

ain

this

typ

e of

ac

coun

t in

form

atio

n by

con

tact

ing

rand

omly

sel

ecte

d em

ploy

ees

by te

leph

one.

A

scr

ipt w

as u

sed

to a

sk f

or

assi

stan

ce fr

om th

e us

er in

reso

lvin

g a

netw

ork

issu

e in

th

e co

mpo

nent

. Fo

r ea

ch p

erso

n w

e at

tem

pted

to c

all,

we

note

d in

the

tab

le b

elow

whe

ther

the

ind

ivid

ual

answ

ered

and

whe

ther

we

obta

ined

any

inf

orm

atio

n fr

om t

hem

tha

t sh

ould

not

hav

e be

en s

hare

d w

ith u

s ac

cord

ing

to D

HS

polic

y. O

ur s

elec

tion

of in

divi

dual

s w

as n

ot s

tatis

tical

ly d

eriv

ed,

and

ther

efor

e w

e ar

e un

able

to

pr

ojec

t re

sults

to

th

e co

mpo

nent

or

de

partm

ent a

s a w

hole

.

Of

25 in

divi

dual

s ca

lled,

16

answ

ered

. O

f th

e 16

that

an

swer

ed, 2

div

ulge

d th

eir n

etw

ork

pass

wor

d.

secu

rity

awar

enes

s re

min

ders

and

opp

ortu

nitie

s to

edu

cate

us

ers

of t

he i

mpo

rtanc

e of

pro

tect

ing

CB

P in

form

atio

n sy

stem

s an

d da

ta.

Spec

ifica

lly,

we

reco

mm

end

that

soc

ial

engi

neer

ing

eval

uatio

ns b

e in

corp

orat

ed i

nto

rout

ine

site

in

spec

tions

to

test

em

ploy

ee’s

sec

urity

aw

aren

ess

and

to

educ

ate

user

s on

how

to

resp

ond

to i

nfor

mat

ion

secu

rity

atta

cks.

CB

P-IT

-10-

06

This

is

a sy

stem

-leve

l fin

ding

. K

PMG

req

uest

ed

acce

ss a

utho

rizat

ion

docu

men

tatio

n fo

r 25

ind

ivid

uals

w

ho w

ere

gran

ted

AC

E ac

cess

dur

ing

FY 2

010.

Ini

tial

acce

ss re

ques

ts a

nd a

ppro

vals

for 9

of t

hese

indi

vidu

als

wer

e no

t pro

vide

d. A

lthou

gh a

pro

cess

for c

reat

ing

and

mai

ntai

ning

use

r acc

ess

form

s an

d re

ques

ts h

as b

een

in

plac

e si

nce

befo

re t

he b

egin

ning

of

FY 2

010,

acc

ess

appr

oval

s pr

ior

to th

e cr

eatio

n of

AC

E ac

coun

ts w

ere

not

cons

iste

ntly

mai

ntai

ned

in a

ccor

danc

e w

ith C

BP

polic

y an

d pr

oced

ures

.

We

reco

mm

end

that

th

e O

ffic

e of

In

form

atio

n an

d Te

chno

logy

(O

IT) i

ssue

a m

emor

andu

m a

nd d

istri

bute

the

pr

oced

ures

to th

e re

spec

tive

CB

P O

ffic

es to

impl

emen

t. W

e al

so r

ecom

men

d th

at m

onito

ring

proc

edur

es b

e es

tabl

ishe

d to

ens

ure

com

plia

nce

with

the

pro

cedu

res

and

that

OIT

co

ordi

nate

a

mee

ting

with

th

e ot

her

CB

P O

ffic

es

to

dete

rmin

e if

cent

raliz

ed

acce

ss

cont

rol

mea

sure

s ar

e ne

cess

ary.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

CB

P-IT

-10-

07

We

perf

orm

ed a

fter-

hour

s ph

ysic

al s

ecur

ity t

estin

g to

id

entif

y ris

ks r

elat

ed t

o no

n-te

chni

cal

aspe

cts

of I

T se

curit

y.

Thes

e no

n-te

chni

cal

IT

secu

rity

aspe

cts

incl

ude

phys

ical

ac

cess

to

eq

uipm

ent

that

ho

uses

fin

anci

al

data

an

d in

form

atio

n re

sidi

ng

on

CB

P pe

rson

nel

desk

s, w

hich

cou

ld b

e us

ed b

y ot

hers

to

inap

prop

riate

ly

acce

ss

finan

cial

in

form

atio

n.

Th

e te

stin

g w

as p

erfo

rmed

at

vario

us C

BP

loca

tions

tha

t pr

oces

s an

d/or

m

aint

ain

finan

cial

da

ta.

A

CB

P em

ploy

ee w

as d

esig

nate

d to

ass

ist

with

and

mon

itor

our

test

wor

k.

Afte

r ga

inin

g ac

cess

to C

BP

faci

litie

s, w

e in

spec

ted

a se

lect

ion

of

desk

s an

d/or

of

fices

, lo

okin

g fo

r ite

ms

such

as

im

prop

er

prot

ectio

n of

sy

stem

pa

ssw

ords

, un

secu

red

info

rmat

ion

syst

em

hard

war

e, d

ocum

enta

tion

mar

ked

FOU

O, a

nd u

nloc

ked

netw

ork

sess

ions

. O

ur s

elec

tion

of d

esks

and

off

ices

w

as n

ot s

tatis

tical

ly d

eriv

ed,

and

ther

efor

e w

e ar

e un

able

to

pr

ojec

t re

sults

to

th

e co

mpo

nent

or

de

partm

ent a

s a

who

le.

For

each

loca

tion

visi

ted,

we

note

the

type

of

unse

cure

d in

form

atio

n or

pro

perty

we

iden

tifie

d an

d in

clud

ed t

he t

otal

exc

eptio

ns n

oted

by

loca

tion,

as

wel

l as

by ty

pe o

f in

form

atio

n or

pro

perty

id

entif

ied.

A to

tal o

f 10

2 in

stan

ces

wer

e id

entif

ied

acro

ss th

e si

x lo

catio

ns w

here

phy

sica

l ass

ets o

r sen

sitiv

e in

form

atio

n w

as n

ot s

ecur

ed in

acc

orda

nce

with

DH

S an

d/or

CB

P po

licie

s.

CB

P sh

ould

con

tinue

its a

nnua

l sec

urity

aw

aren

ess t

rain

ing.

In

add

ition

, it s

houl

d se

ek to

add

oth

er m

eans

of i

ncre

asin

g se

curit

y aw

aren

ess.

X

2

CB

P-IT

-10-

08

This

is a

com

pone

nt-le

vel f

indi

ng.

KPM

G n

oted

that

se

para

tion

proc

edur

es fo

r con

tract

em

ploy

ees

(Cus

tom

s D

irect

ive

5171

5-00

6) a

re o

ut o

f da

te a

nd i

nclu

de

inco

mpl

ete

and

inac

cura

te re

fere

nces

. S

peci

fical

ly, t

he

proc

edur

es h

ave

not

been

upd

ated

sin

ce S

epte

mbe

r 20

01.

The

proc

edur

es re

fere

nce

Trea

sury

faci

litie

s an

d

We

reco

mm

end

that

C

BP

revi

ew

the

curr

ent

Cus

tom

s D

irect

ive

and

upda

te i

t to

ref

lect

the

cur

rent

ope

ratin

g en

viro

nmen

t. A

dditi

onal

ly, w

e re

com

men

d th

at C

BP

requ

ire

the

cons

iste

nt a

nd a

ccur

ate

com

plet

ion

of th

e SF

242

for a

ll se

para

ting

cont

ract

ors

with

ac

cess

to

C

BP

faci

litie

s, in

form

atio

n sy

stem

s and

/or s

ensi

tive

info

rmat

ion.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Trea

sury

pol

icie

s as

sou

rce

docu

men

tatio

n.

KPM

G

note

s th

at a

new

dire

ctiv

e, C

BP

Dire

ctiv

e 12

10-0

07,

entit

led

‘Con

tract

or

Trac

king

Sy

stem

,’ w

as

issu

ed

requ

iring

the

use

of

the

Con

tract

or T

rack

ing

Syst

em;

how

ever

, th

e ne

w d

irect

ive

still

ref

ers

to o

ut o

f da

te

Cus

tom

s D

irect

ive

5171

5-00

6 fo

r se

para

tion

proc

edur

es fo

r con

tract

or e

mpl

oyee

s.

Add

ition

ally

, K

PMG

not

ed t

hat

SF 2

42 c

ontra

ctor

se

para

tion

form

s ar

e no

t co

mpl

eted

con

sist

ently

for

se

para

ting

CB

P co

ntra

ctor

s. S

peci

fical

ly, K

PMG

not

ed

that

of

45 s

epar

ated

con

tract

ors

with

acc

ess

to C

BP

faci

litie

s, in

form

atio

n sy

stem

s, an

d/or

se

nsiti

ve

info

rmat

ion

who

wer

e se

lect

ed f

or t

estin

g, 9

for

ms

wer

e no

t co

mpl

eted

, w

ere

not

prov

ided

, or

wer

e no

t co

mpl

eted

in a

tim

ely

man

ner.

CB

P-IT

-10-

09

This

is a

com

pone

nt le

vel f

indi

ng.

KPM

G s

elec

ted

45

gove

rnm

ent e

mpl

oyee

s th

at h

ad s

epar

ated

in F

Y 2

010

and

note

d th

at 1

9 of

the

se i

ndiv

idua

ls d

id n

ot h

ave

a co

mpl

eted

CB

P Fo

rm 2

41 o

n fil

e.

We

reco

mm

end

that

CB

P re

view

the

val

idity

of

the

CB

P Fo

rm 2

41 E

mpl

oyee

Sep

arat

ion

proc

ess

and

dete

rmin

e an

al

tern

ate

mec

hani

sm

to

hold

m

anag

ers

acco

unta

ble

for

timel

y no

tific

atio

n of

em

ploy

ee

sepa

ratio

ns

and

for

conf

irmin

g th

e te

rmin

atio

n of

acc

ess

to in

form

atio

n sy

stem

s, an

d th

e re

turn

of p

rope

rty a

nd e

quip

men

t.

X

2

CB

P-IT

-10-

10

This

is a

com

pone

nt le

vel f

indi

ng.

Whi

le K

PMG

not

es

that

pr

ogre

ss

has

been

m

ade

in

impl

emen

ting

proc

edur

es r

equi

ring

the

sign

ing

of N

DA

s, K

PMG

no

ted

that

ND

As a

re st

ill n

ot c

onsi

sten

tly c

ompl

eted

by

cont

ract

ors a

t CB

P. S

peci

fical

ly, K

PMG

not

ed th

at o

ut

of a

sel

ectio

n of

45

cont

ract

ors,

one

ND

A w

as s

igne

d m

ore

than

four

mon

ths

afte

r the

hire

dat

e. I

n ad

ditio

n,

one

ND

A w

as n

ot p

rovi

ded

for

a co

ntra

ctor

in

a m

ediu

m o

r hi

gh r

isk

posi

tion.

Fu

rther

, KPM

G n

oted

th

at t

he N

DA

s fo

r 27

con

tract

ors

in m

ediu

m o

r hi

gh

risk

posi

tions

did

not

hav

e a

date

of s

igna

ture

.

We

reco

mm

end

that

CB

P im

plem

ent

a m

ore

cons

iste

nt

met

hod

of

ensu

ring

that

ea

ch

cont

ract

or

empl

oyee

in

m

oder

ate

and

high

-ris

k po

sitio

ns si

gn a

nd d

ate

a N

DA

.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

BP-

IT-1

0-11

Con

ditio

n

This

is

a co

mpo

nent

-leve

l fin

ding

. K

PMG

has

not

ed

that

CB

P ha

s no

t be

en a

ble

to p

rovi

de e

vide

nce

that

w

orks

tatio

ns n

ot o

n ar

e re

ceiv

ing

anti-

viru

s an

d ot

her

secu

rity

patc

h up

date

s on

a ti

mel

y ba

sis.

KPM

G n

oted

that

whi

le p

rogr

ess

has

been

mad

e in

acc

ount

ing

for a

ll C

BP

wor

ksta

tions

, a c

ompl

ete

and

up-to

-dat

e lis

ting

of a

ll C

BP

wor

ksta

tions

has

not

bee

n m

aint

aine

d fo

r th

e m

ajor

ity o

f FY

201

0.

As

a re

sult,

C

BP

does

not

hav

e an

acc

urat

e in

vent

ory

of w

hich

w

orks

tatio

ns h

ave

not

rece

ived

ant

i-viru

s an

d ot

her

secu

rity

patc

h up

date

s.

Rec

omm

enda

tion

We

reco

mm

end

that

CB

P co

ntin

ue i

nsta

lling

a

nd

deve

lop,

impl

emen

t, an

d m

onito

r pol

icie

s an

d pr

oced

ures

to

mov

e al

l w

orks

tatio

ns t

o o

r to

obt

ain

wai

vers

and

com

pens

atin

g co

ntro

ls f

or t

hose

wor

ksta

tions

th

at c

anno

t be

mov

ed to

.

New

Is

sue

Rep

eat

Issu

e X

Ris

k R

atin

g 2

CB

P-IT

-10-

12

CB

P’s

RB

ST

Prog

ram

do

es

not

mee

t th

e D

HS

requ

irem

ents

for

“an

nual

spe

cial

ized

tra

inin

g” t

hat

is

“com

men

sura

te

with

th

e in

divi

dual

’s

dutie

s an

d re

spon

sibi

litie

s.” S

peci

fical

ly, t

he C

BP

RB

ST p

rogr

am

requ

ires

IT p

erso

nnel

to

com

plet

e on

ly o

ne h

our

of

Inci

dent

Res

pons

e tra

inin

g, a

nd o

ne h

our o

f C

lass

ified

In

form

atio

n tra

inin

g (if

app

licab

le t

o th

e in

divi

dual

’s

resp

onsi

bilit

ies)

ann

ually

.

Furth

erm

ore,

out

of

the

sam

pled

45

CB

P pe

rson

nel

with

si

gnifi

cant

IT

se

curit

y re

spon

sibi

litie

s, 5

com

plet

ed t

he t

rain

ing

afte

r C

BP’

s in

tern

al J

une

30,

2010

dea

dlin

e.

In a

dditi

on, a

noth

er e

ight

hav

e ye

t to

co

mpl

ete

the

train

ing.

We

reco

mm

end

that

CB

P re

-exa

min

e its

rol

e-ba

sed

train

ing

prog

ram

and

con

side

r im

plem

entin

g th

e D

HS

Rol

e-B

ased

Se

curit

y Tr

aini

ng P

rogr

am o

nce

it ha

s be

en im

plem

ente

d at

th

e de

partm

ent l

evel

.

X

2

CB

P-IT

-10-

13

This

is

a co

mpo

nent

-leve

l fin

ding

. W

e no

ted

the

follo

win

g w

eakn

esse

s re

late

d to

acc

ess

to t

he r

aise

d flo

or a

rea:

�

We

revi

ewed

acc

ess

requ

est

auth

oriz

atio

ns t

o th

e ra

ised

floo

r are

a of

and

not

ed th

at o

f the

45

indi

vidu

als

sele

cted

, 1 a

utho

rized

acc

ess

form

was

no

t pro

vide

d.

�W

e re

view

ed e

vide

nce

of t

he r

ecer

tific

atio

n of

We

reco

mm

end

that

m

anag

emen

t de

velo

p to

ols

and

proc

edur

es

for

faci

litat

ing

and

docu

men

ting

the

appr

oval

/rece

rtific

atio

n an

d re

view

of

indi

vidu

al a

cces

s to

th

e ra

ised

floo

r are

a.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

3

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

indi

vidu

als

with

acc

ess

to th

e ra

ised

floo

r are

a an

d no

ted

that

of t

he 1

5 se

lect

ed in

divi

dual

s, 2

had

not

yet b

een

rece

rtifie

d.

CB

P-IT

-10-

14

This

is

a sy

stem

lev

el f

indi

ng.

KPM

G n

oted

tha

t al

thou

gh c

hang

es t

o a

user

’s A

CS

acce

ss p

rofil

e ar

e lo

gged

, th

e lo

gs o

f th

ese

even

ts a

re n

ot r

egul

arly

re

view

ed

by

pers

onne

l in

depe

nden

t fr

om

thos

e in

divi

dual

s tha

t mad

e th

e ch

ange

s.

We

reco

mm

end

that

CB

P fo

rmal

ize

a de

taile

d pr

oced

ure

for

the

revi

ew o

f A

CS

secu

rity

prof

ile c

hang

e lo

gs.

The

pr

oced

ure

shou

ld in

clud

e im

plem

entin

g a

perio

dic

revi

ew o

f th

e lo

gs b

y an

inde

pend

ent r

evie

wer

.

X

2

CB

P-IT

-10-

15

Dur

ing

our

tech

nica

l te

stin

g, p

atch

and

con

figur

atio

n m

anag

emen

t ex

cept

ions

wer

e id

entif

ied

on t

he

.

X

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

4

NFR

#N

o C

ondi

tion

.

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

CB

P-IT

-10-

16

This

is

a sy

stem

-leve

l fin

ding

and

a p

rior

year

iss

ue

from

FY

200

8 an

d FY

200

9.

KPM

G d

eter

min

ed th

at

evid

ence

of I

SAs

for 6

of t

he 1

7 PG

As

iden

tifie

d in

the

Syst

em S

ecur

ity P

lan

coul

d no

t be

prov

ided

. O

f the

six

th

at w

ere

prov

ided

, tw

o ex

pire

d du

ring

FY20

10 a

nd

ha

d no

t bee

n re

new

ed.

We

reco

mm

end

that

CB

P de

vote

suf

ficie

nt r

esou

rces

in

orde

r to

impl

emen

t and

mai

ntai

n fo

rmal

ISA

s with

the

PGA

s th

at i

nter

conn

ect

with

AC

S.

We

reco

mm

end

that

CB

P do

cum

ent

ISA

s fo

r al

l A

CS

PGA

con

nect

ions

ide

ntifi

ed i

n th

e A

CS

SSP.

X

2

CB

P-IT

-10-

17

This

is

a sy

stem

-leve

l fin

ding

.

W

e re

ques

ted

acce

ss

auth

oriz

atio

n ev

iden

ce f

or 4

5 A

CS

user

s to

det

erm

ine

whe

ther

AC

S ac

cess

was

app

ropr

iate

ly

auth

oriz

ed.

OIT

was

unab

le t

o pr

ovid

e ev

iden

ce o

f th

e ac

cess

requ

est a

utho

rizat

ions

for

any

of

the

45 s

elec

ted

AC

S us

ers.

As

a re

sult,

we

are

not

able

to

dete

rmin

e w

heth

er A

CS

acce

ss i

nitia

tions

or

mod

ifica

tions

wer

e ap

prop

riate

ly

appr

oved

an

d w

heth

er

A

CS

acce

ssco

ntro

ls a

re in

pla

ce a

nd o

pera

ting

as re

quire

d by

DH

S an

d C

BP

polic

ies.

We

reco

mm

end

that

C

BP

impl

emen

t pr

oced

ures

to

co

nsis

tent

ly d

ocum

ent t

he a

cces

s re

ques

ts a

nd a

ppro

vals

for

an

y an

d al

l ac

cess

cre

atio

ns a

nd c

hang

es t

o A

CS

user

prof

iles.

X

2

CB

P-IT

-10-

18

This

is

a co

mpo

nent

lev

el f

indi

ng.

We

note

d th

at

acce

ss r

eque

st f

orm

s, or

evi

denc

e of

rec

ertif

icat

ion

of

acce

ss, t

o th

e of

fsite

med

ia c

ould

not

be

prov

ided

for 5

of

the

15 se

lect

ed e

mpl

oyee

s.

We

reco

mm

end

that

CB

P up

date

the

acc

ess

auth

oriz

atio

n pr

oces

s to

indi

cate

that

the

acce

ss li

st w

ill u

nder

go a

100

%

rece

rtific

atio

n an

nual

ly.

The

artif

act

shou

ld b

e an

off

icia

l re

port

from

the

Con

tract

ing

Off

icer

Tec

hnic

al R

epre

sent

ativ

e fo

r off

site

med

ia st

orag

e cl

early

stat

ing

the

resu

lts a

long

with

ba

ckup

pap

erw

ork

for

all

add,

del

etes

, an

d ch

ange

s to

the

ac

cess

list

.

X

1

CB

P-IT

-10-

19

Th

is is

a s

yste

m le

vel f

indi

ng.

We

wer

e in

form

ed th

at

AC

S Se

curit

y A

udit

Logs

are

not

bei

ng r

evie

wed

. A

dditi

onal

ly, w

e no

ted

that

the

fol

low

ing

wea

knes

ses

rela

ted

to t

he A

CS

Secu

rity

Aud

it Lo

gs p

roce

dure

s co

ntin

ue to

exi

st:

�Pr

oced

ures

do

not

defin

e ho

w o

ften

t

he A

CS

We

reco

mm

end

that

CB

P de

velo

p an

d im

plem

ent p

roce

dure

s th

at d

ocum

ent

the

revi

ew p

roce

ss f

or A

CS

prof

ile c

hang

e lo

gs.

The

proc

ess

shou

ld in

clud

e th

e do

cum

ente

d ev

iden

ce

of re

view

, how

ofte

n au

dit l

ogs

are

revi

ewed

, and

the

revi

ew

sa

mpl

ing

met

hodo

logy

.

X

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

secu

rity

prof

ile c

hang

e au

dit l

ogs a

re re

view

ed.

�Pr

oced

ures

do

not

desc

ribe

how

the

doc

umen

ted

evid

ence

of

the

revi

ew p

roce

ss i

s cr

eate

d by

the

A

CS

Info

rmat

ion

Syst

em

Secu

rity

Off

icer

(I

SSO

)/Ind

epen

dent

Rev

iew

er.

�Pr

oced

ures

do

no

t de

fine

the

sam

plin

g m

etho

dolo

gy t

hat

is u

sed

to s

elec

t A

CS

prof

ile

chan

ge se

curit

y lo

gs fo

r rev

iew

CB

P-IT

-10-

20

This

is a

sys

tem

-leve

l fin

ding

. We

note

d th

e fo

llow

ing

wea

knes

ses

rela

ted

to t

he

e co

nfig

urat

ion

setti

ngs:

�

KPM

G n

oted

that

use

rs w

ere

allo

wed

an

num

ber

of f

aile

d at

tem

pts

to a

cces

s da

tase

ts t

o w

hich

th

ey

wer

e no

t au

thor

ized

. K

PMG

de

term

ined

tha

t th

e co

ntro

l op

tion

in t

he s

ecur

ity

softw

are,

whi

ch re

sults

in im

med

iate

sus

pens

ion

of

any

user

who

exc

eeds

the

spe

cifie

d nu

mbe

r of

vi

olat

ions

, ha

d no

t be

en

conf

igur

ed

prop

erly

. K

PMG

not

ed t

hat

this

set

ting

was

cor

rect

ed o

n Fe

brua

ry 2

4, 2

010.

�

KPM

G n

oted

tha

t us

ers

wer

e al

low

ed

faile

d lo

gon

atte

mpt

s be

fore

thei

r ac

coun

ts w

ere

lock

ed.

At

the

end

of t

he f

isca

l ye

ar t

he s

ettin

g w

as

upda

ted

to th

ree

faile

d lo

gin

atte

mpt

s, an

d K

PMG

ob

serv

ed th

e se

tting

in th

e sy

stem

and

not

ed th

at it

w

as c

orre

cted

on

Sept

embe

r 24,

201

0.

As

the

cond

ition

s w

ere

clos

ed

durin

g te

stin

g,

no

reco

mm

enda

tion

is re

quire

d.

X

2

CB

P-IT

-10-

21

This

is

a co

mpo

nent

lev

el f

indi

ng.

We

note

d th

e fo

llow

ing

wea

knes

ses

rela

ted

to th

e C

BP

Bac

kgro

und

Inve

stig

atio

n pr

oces

s:

�O

f th

e 45

ind

ivid

uals

sel

ecte

d, w

e no

ted

that

1

cont

ract

or d

id n

ot h

ave

a co

mpl

eted

bac

kgro

und

inve

stig

atio

n as

req

uire

d by

the

CB

P In

form

atio

n Sy

stem

Se

curit

y Po

licie

s an

d Pr

oced

ures

We

reco

mm

end

that

CB

P:

�C

ompl

ete

via

e-Q

IP t

he “

initi

atio

n” o

f al

l re

mai

ning

em

ploy

ee re

inve

stig

atio

ns b

y D

ecem

ber 3

0, 2

010.

�

Com

plet

e th

e re

inve

stig

atio

ns fo

r all

such

em

ploy

ees

by

Dec

embe

r 30,

201

1.

�D

evel

op/d

eplo

y a

track

ing

mec

hani

sm

(Con

tract

or

Trac

king

Sys

tem

) by

whi

ch to

iden

tify

thos

e co

ntra

ctor

s

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Han

dboo

k. W

e no

ted

that

this

con

tract

has

acc

ess

to th

e A

utom

ated

Com

mer

cial

Env

ironm

ent (

AC

E)

syst

em.

�O

f th

e 45

ind

ivid

uals

sel

ecte

d, w

e no

ted

that

5

empl

oyee

s an

d 25

con

tract

ors

did

not

have

the

ir ba

ckgr

ound

rei

nves

tigat

ions

ini

tiate

d w

ithin

the

fiv

e ye

ar

timef

ram

e as

re

quire

d by

C

BP

Mem

oran

dum

Reg

ardi

ng R

einv

estig

atio

ns,

date

d A

ugus

t 18,

200

8.

requ

iring

rein

vest

igat

ion.

�

Dev

elop

an

d im

plem

ent

a st

rate

gy

to

ensu

re

that

re

inve

stig

atio

ns

for

all

cont

ract

ors

are

initi

ated

as

re

quire

d.

CB

P-IT

-10-

22

This

is

a sy

stem

-leve

l fin

ding

. A

CS

deve

lope

rs m

ay

gain

em

erge

ncy/

tem

pora

ry a

cces

s to

the

pro

duct

ion

envi

ronm

ent t

hrou

gh th

e po

rtal r

eque

st p

roce

ss.

Whi

le

the

emer

genc

y/te

mpo

rary

acc

ount

act

iviti

es a

re lo

gged

, C

BP

does

not

rev

iew

the

se a

ctiv

ity l

ogs

to i

dent

ify

inap

prop

riate

act

iviti

es.

KPM

G r

ecom

men

ds t

hat

CB

P re

ports

on

the

TSS

audi

t of

em

erge

ncy

acce

ss s

houl

d be

run

as n

eede

d at

man

agem

ent’s

(e

.g.,

emer

genc

y ap

prov

er’s

) req

uest

.

X

2

CB

P-IT

-10-

23

This

is a

sys

tem

-leve

l fin

ding

. A

cces

s ap

prov

als

prio

r to

th

e cr

eatio

n of

N

DC

-LA

N

acco

unts

w

ere

not

cons

iste

ntly

mai

ntai

ned

in a

ccor

danc

e w

ith C

BP

polic

y an

d pr

oced

ures

. K

PMG

requ

este

d ac

cess

aut

horiz

atio

n do

cum

enta

tion

for

25 i

ndiv

idua

ls w

ho w

ere

gran

ted

ND

C-L

AN

ac

cess

du

ring

FY

2010

.

Alth

ough

a

proc

ess

for c

reat

ing

and

mai

ntai

ning

use

r acc

ess

form

s an

d re

ques

ts

has

been

in

pl

ace

sinc

e be

fore

th

e be

ginn

ing

of F

Y 2

010,

ini

tial

acce

ss r

eque

sts

and

appr

oval

s fo

r 10

of

th

ese

indi

vidu

als

wer

e no

t pr

ovid

ed.

We

reco

mm

end

that

CB

P fu

lly t

rans

ition

the

ir pr

oces

s fo

r re

ques

ting

ND

C-L

AN

Net

wor

k ac

cess

from

the

pape

r-ba

sed

user

acc

ess

requ

est f

orm

to a

n el

ectro

nic

user

acc

ess

requ

est

form

. O

nce

the

elec

troni

c fo

rm i

s fu

lly i

mpl

emen

ted,

the

do

cum

ente

d pr

oces

s w

ill b

e up

date

d to

refle

ct th

at a

ll N

DC

-LA

N u

ser a

cces

s req

uest

s mus

t go

to th

e Te

chno

logy

Ser

vice

D

esk

(TSD

) fo

r ac

tion.

TS

D w

ill g

ener

ate

a tro

uble

tick

et

and

atta

ch t

he e

lect

roni

c ac

cess

req

uest

for

m t

o th

e in

itial

us

er r

eque

st ti

cket

for

ND

C-L

AN

acc

ess.

The

ticke

t will

be

issu

ed i

n th

e na

me

of t

he u

ser

gain

ing

the

acce

ss s

o it

is

easi

ly se

arch

able

.

TSD

is

curr

ently

in

the

deve

lopm

ent

phas

e fo

r a

new

use

r ac

coun

t re

ques

t po

rtal

whi

ch w

ill p

rovi

de a

sec

ure

onlin

e en

viro

nmen

t for

man

agin

g th

is p

roce

ss.

This

new

tool

will

al

low

requ

esto

rs th

e ab

ility

to c

ompl

ete

and

subm

it LA

N a

nd

eMai

l ac

coun

t re

ques

ts v

ia o

nlin

e w

eb f

orm

. O

nce

the

requ

est i

s re

view

ed a

nd a

ppro

ved

by th

e C

BP

supe

rvis

or, a

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

ticke

t will

be

auto

mat

ical

ly g

ener

ated

(byp

assi

ng th

e ne

ed o

f sa

ving

/atta

chin

g an

d em

ailin

g th

e TS

D)

and

rout

ed t

o th

e ap

prop

riate

gro

up fo

r pro

cess

ing.

A lo

g w

ill b

e ca

ptur

ed a

nd

save

d in

the

new

sys

tem

for

eac

h ap

prov

ed/d

enie

d re

ques

t fo

r fut

ure

refe

renc

e.

CB

P-IT

-10-

24

CB

P ha

s no

t co

rrec

ted

func

tiona

lity

issu

es c

urre

ntly

no

ted

in A

CS,

and

rout

ine

mai

nten

ance

is in

crea

sing

ly

diff

icul

t an

d ex

pens

ive.

C

urre

ntly

, on

ly t

wo

vend

ors

supp

ort

AC

S, w

hich

lim

its C

BP’

s ab

ility

to

obta

in

mai

nten

ance

ser

vice

s at

a r

easo

nabl

e co

st.

Dur

ing

FY

2010

, CB

P sp

ent n

early

$12

.1 m

illio

n ju

st to

mai

ntai

n A

CS

at it

s cu

rren

t lev

el o

f fu

nctio

nalit

y.

In a

dditi

on,

CB

P is

cur

rent

ly r

e-vi

sitin

g th

e am

ount

of

fund

ing

nece

ssar

y to

com

plet

e th

e im

plem

enta

tion

of th

e A

CE

finan

cial

mod

ules

and

will

com

plet

e th

is a

naly

sis i

n FY

20

11.

Due

to t

hese

con

ditio

ns r

egar

ding

the

func

tiona

lity

of

AC

S an

d de

laye

d im

plem

enta

tion

of A

CE,

CB

P ha

s no

t re

solv

ed t

he f

ollo

win

g kn

own

AC

S fu

nctio

nalit

y is

sues

:

�A

CS

lack

s th

e co

ntro

ls n

eces

sary

to

prev

ent,

or

dete

ct a

nd c

orre

ct e

xces

sive

dra

wba

ck c

laim

s. T

he

prog

ram

min

g lo

gic

in A

CS

does

not

link

dra

wba

ck

clai

ms

to im

ports

at a

det

aile

d, li

ne it

em le

vel.

In

addi

tion,

AC

S do

es n

ot h

ave

the

capa

bilit

y to

co

mpa

re, v

erify

, and

trac

k es

sent

ial i

nfor

mat

ion

on

draw

back

cl

aim

s to

th

e re

late

d un

derly

ing

cons

umpt

ion

entri

es

and

expo

rt do

cum

enta

tion

upon

whi

ch th

e dr

awba

ck c

laim

is b

ased

. Ex

port

info

rmat

ion

is n

ot li

nked

to th

e D

raw

back

mod

ule

and

ther

efor

e el

ectro

nic

com

paris

ons o

f exp

ort d

ata

cann

ot b

e pe

rfor

med

with

in A

CS.

See

NFR

CB

P-10

-20

for f

urth

er d

etai

ls.

To a

ddre

ss th

is fi

ndin

g, C

BP

reco

mm

ends

that

it c

ontin

ue to

: �

Mod

erni

ze

its

busi

ness

pr

oces

ses

thou

gh

the

deve

lopm

ent

and

depl

oym

ent

of f

unct

iona

lity

in t

he

Aut

omat

ed C

omm

erci

al E

nviro

nmen

t as

it

has

done

si

nce

2001

. �

Wor

k w

ith

sta

keho

lder

s, in

clud

ing

CB

P pe

rson

nel,

the

trade

, pa

rtici

patin

g go

vern

men

t ag

enci

es,

the

Dep

artm

ent o

f H

omel

and

Secu

rity

and

the

Con

gres

s to

pr

iorit

ize,

dev

elop

, and

dep

loy

func

tiona

lity

that

allo

ws

CB

P to

ful

fill

its m

issi

on a

nd m

eet

the

need

s of

its

st

akeh

olde

rs.

�Se

ek f

unds

thr

ough

the

bud

get

proc

ess

that

will

allo

w

CB

P to

con

tinue

to d

evel

op a

nd d

eplo

y fu

nctio

nalit

y in

t

hat

will

sup

port

CB

P’s

mis

sion

and

mee

t th

e ne

eds o

f its

stak

ehol

ders

.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�C

erta

in

mon

itorin

g re

ports

us

ed

to

mon

itor

(rev

iew

) im

porte

r co

mpl

ianc

e w

ith t

he i

n-bo

nd

proc

ess

have

not

bee

n de

velo

ped

and

ther

efor

e im

porte

r co

mpl

ianc

e is

not

bei

ng t

rack

ed.

In

addi

tion,

in-

bond

s ar

e no

t au

tom

atic

ally

lin

ked

to

the

rele

vant

ent

ry o

r ex

port

filin

gs in

AC

S, w

hich

le

ads

to e

xten

sive

man

ual

wor

k to

clo

se o

pen

in-

bond

s. F

inal

ly, A

CS

does

not

pro

vide

the

abili

ty to

ru

n ov

ersi

ght

repo

rts t

o de

term

ine

if po

rts h

ave

com

plet

ed a

ll re

quire

d in

-bon

d po

st a

udits

and

ex

ams.

See

NFR

CB

P-10

-14

for f

urth

er d

etai

ls.

�A

CS

does

no

t pr

oper

ly

acco

unt

for

bond

su

ffic

ienc

y of

cla

ims

that

inv

olve

a c

ontin

uous

bo

nd a

nd th

eref

ore

a cl

aim

ant c

an p

oten

tially

cla

im

and

rece

ive

an a

ccel

erat

ed p

aym

ent

that

exc

eeds

th

e bo

nd a

mou

nt o

n fil

e. A

s a

resu

lt, C

BP

will

not

ha

ve s

uffic

ient

sur

ety

agai

nst

a dr

awba

ck o

ver

clai

min

g. S

ee N

FR C

BP-

10-0

5 fo

r fur

ther

det

ails

. �

AC

S do

es n

ot p

rovi

de s

umm

ary

info

rmat

ion

of th

e to

tal u

npai

d as

sess

men

ts fo

r dut

ies,

taxe

s, an

d fe

es

by i

ndiv

idua

l im

porte

r (i.

e.,

a su

b-le

dger

) an

d ca

nnot

pr

ovid

e re

porti

ng

info

rmat

ion

on

outs

tand

ing

rece

ivab

les,

the

age

of r

ecei

vabl

es, o

r ot

her d

ata

nece

ssar

y fo

r man

agem

ent t

o ef

fect

ivel

y m

onito

r co

llect

ion

actio

ns.

See

NFR

CB

P-10

-04

for f

urth

er d

etai

ls.

�Th

e dr

awba

ck s

elec

tivity

fun

ctio

n of

AC

S is

not

pr

ogra

mm

ed to

sele

ct a

stat

istic

ally

val

id sa

mpl

e of

pr

ior

draw

back

cla

ims

agai

nst

a se

lect

ed i

mpo

rt en

try.

See

NFR

CB

P-10

-03

for f

urth

er d

etai

ls.

�A

CS

is p

rogr

amm

ed to

aut

omat

ical

ly in

dica

te th

at

a Po

rt D

irect

or c

ertif

ied

a re

fund

or

draw

back

pa

ymen

t eve

n if

the

Port

Dire

ctor

doe

s not

cer

tify

a gi

ven

paym

ent.

See

NFR

CB

P-10

-19

for

furth

er

deta

ils.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 5

9

A

ppen

dix

B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

0

Appendix B


September 30, 2010

Department of Homeland SecurityFY 2010 Information Technology - Notice of Findings and


Federal Emergency Management Agency


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Fede

ral E

mer

genc

y M

anag

emen

t Age

ncy

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

FEM

A-

IT-1

0-01

Dur

ing

FY 2

010,

FEM

A f

inal

ized

and

doc

umen

ted

requ

irem

ents

, an

d in

itiat

ed

auto

mat

ed

tech

nica

l pr

oces

ses

and

cont

rols

rel

ated

to

the

NEM

IS A

cces

s C

ontro

l Sys

tem

(N

AC

S) P

ositi

on R

e-A

ppro

val P

roje

ct

(NPR

P).

Spe

cific

ally

, En

terp

rise

Ope

ratio

ns B

ranc

h pe

rson

nel h

ave

begu

n sy

stem

atic

ally

exp

iring

pos

ition

as

sign

men

ts a

nd re

quiri

ng su

perv

isor

reau

thor

izat

ion

of

a su

bset

of

NA

CS

acco

unts

an

d re

late

d po

sitio

ns

prog

ress

ivel

y ov

er a

180

day

per

iod.

D

ue t

o th

e vo

lum

e of

act

ive

posi

tions

, FEM

A m

anag

emen

t sta

ted

that

the

rece

rtific

atio

n pr

oces

s w

ill r

ecer

tify

all N

AC

S po

sitio

ns a

fter

the

180

days

and

is

antic

ipat

ed t

o be

co

mpl

eted

in F

Y 2

011.

Th

us, w

hile

we

note

d th

at im

prov

emen

ts w

ere

mad

e by

de

velo

ping

and

impl

emen

ting

an a

utom

ated

pro

cess

for

rece

rtify

ing

all

NA

CS

acco

unts

and

rel

ated

pos

ition

s, in

clud

ing

thos

e re

late

d to

N

EMIS

ac

cess

, in

itial

re

certi

ficat

ion

to

revi

ew

and

reva

lidat

e al

l N

AC

S ac

coun

ts a

nd p

ositi

ons h

as st

ill n

ot b

een

com

plet

ed.

�C

ompl

ete

the

initi

al r

ecer

tific

atio

n of

all

exis

ting

NA

CS

acco

unts

and

rel

ated

pos

ition

s in

itiat

ed i

n A

pril

2010

to

en

sure

th

at

all

activ

e N

EMIS

ac

coun

ts

and

thei

r as

soci

ated

pr

ivile

ges

are

appr

opria

tely

aut

horiz

ed; a

nd

�En

sure

th

at

all

NA

CS

acco

unts

an

d re

late

d po

sitio

ns a

re r

ecer

tifie

d by

the

use

r’s

appr

opria

te

supe

rvis

or n

o le

ss t

han

annu

ally

, in

acc

orda

nce

with

DH

S po

licy.

X

3

FEM

A-

IT-1

0-02

FEM

A h

as n

ot e

stab

lishe

d an

alte

rnat

e pr

oces

sing

site

fo

r NEM

IS.

Add

ition

ally

, an

exce

ptio

n to

DH

S po

licy

for

the

lack

of

an e

stab

lishe

d al

tern

ate

proc

essi

ng s

ite

as

requ

ired

syst

ems

such

as

N

EMIS

th

at

are

cate

goriz

ed a

s “h

igh

impa

ct”

for

avai

labi

lity

has

not

been

requ

este

d by

FEM

A.

�C

ontin

ue a

nd c

ompl

ete

effo

rts re

quire

d to

est

ablis

h an

d im

plem

ent

an a

ltern

ate

proc

essi

ng s

ite f

or

NEM

IS a

ccor

ding

to D

HS

4300

A.

�U

ntil

an a

ltern

ate

proc

essi

ng s

ite i

s es

tabl

ishe

d,

deve

lop

and

subm

it an

exc

eptio

n fo

r ap

prov

al i

n ac

cord

ance

w

ith

DH

S po

licy,

an

d en

sure

th

at

com

pens

atin

g co

ntro

ls

over

th

e al

tern

ate

proc

essi

ng s

ite h

ave

been

im

plem

ente

d an

d ar

e ef

fect

ive,

and

doc

umen

tatio

n of

thei

r eff

ectiv

enes

s is

mai

ntai

ned

as a

udita

ble

reco

rds.

X

3

FEM

A-

IT-1

0-03

The

FEM

A d

omai

n se

curit

y po

licy

is c

onfig

ured

to

enfo

rce

activ

atio

n of

a p

assw

ord-

prot

ecte

d sc

reen

save

r on

end

-use

r wor

ksta

tions

afte

r 15

min

utes

of i

nact

ivity

,

�C

onfig

ure

the

FEM

A L

AN

dom

ain

secu

rity

polic

y to

au

tom

atic

ally

ac

tivat

e a

pass

wor

d-pr

otec

ted

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

rath

er th

an th

e fiv

e m

inut

e in

activ

ity th

resh

old

requ

ired

by D

HS

polic

y.

scre

ensa

ver

on e

nd-u

ser

wor

ksta

tions

afte

r fiv

e m

inut

es o

f ina

ctiv

ity, c

onsi

sten

t with

DH

S po

licy.

�

Impl

emen

t ap

prop

riate

man

agem

ent

cont

rols

to

ensu

re ti

mel

y co

mm

unic

atio

n an

d im

plem

enta

tion

of e

xist

ing

and

futu

re D

HS

info

rmat

ion

secu

rity

polic

y re

quire

men

ts p

erta

inin

g to

the

conf

igur

atio

n of

FE

MA

en

d us

er

wor

ksta

tions

, an

d to

pe

riodi

cally

ass

ess

syst

em c

ontro

ls t

o de

term

ine

com

plia

nce.

FE

MA

-IT

-10-

04

As

note

d du

ring

our

FY

2009

au

dit

proc

edur

es,

wea

knes

ses

exis

t in

pr

oces

ses

rela

ted

to

logg

ing,

m

onito

ring,

an

d re

tain

ing

audi

t lo

gs

on

syst

em

softw

are

and

oper

atin

g sy

stem

s su

ppor

ting

NEM

IS.

Spec

ifica

lly,

polic

ies

and

proc

edur

es r

elat

ed t

o th

e m

onito

ring

of

activ

ity

on

syst

em

softw

are

and

oper

atin

g sy

stem

s su

ppor

ting

NEM

IS h

ave

not

been

re

vise

d to

incl

ude

all i

dent

ified

ope

ratin

g sy

stem

s an

d IT

com

pone

nts

that

com

pris

e th

e sy

stem

bou

ndar

y fo

r th

e N

EMIS

app

licat

ion.

Add

ition

ally

, co

ntro

ls h

ave

not

been

con

figur

ed a

nd

appr

opria

tely

im

plem

ente

d to

log

, m

onito

r, or

ret

ain

suff

icie

ntly

det

aile

d au

dit

logs

for

act

ivity

on

NEM

IS

oper

atin

g sy

stem

s and

serv

ers.

�R

evis

e th

e SO

P, M

onito

ring

Sen

sitiv

e Ac

cess

to

NEM

IS, t

o en

sure

that

it st

ates

that

the

scop

e of

the

proc

edur

es

incl

udes

op

erat

ing

syst

ems

on

all

serv

ers

with

in s

yste

m b

ound

arie

s as

def

ined

in u

p-to

-dat

e N

EMIS

syst

em d

ocum

enta

tion.

�

Acq

uire

and

dep

loy

appr

opria

te to

ols

on o

pera

ting

syst

ems

and

serv

ers

supp

ortin

g N

EMIS

to g

ener

ate

audi

t tra

ils a

nd r

ecor

ds in

acc

orda

nce

with

FEM

A

and

DH

S po

licy.

�

Impl

emen

t th

e SO

P, M

onito

ring

Sen

sitiv

e Ac

cess

to

NEM

IS, b

y re

view

ing

and

reta

inin

g au

dit t

rails

an

d re

cord

s in

acc

orda

nce

with

FEM

A a

nd D

HS

polic

y.

X

3

FEM

A-

IT-1

0-05

As i

dent

ified

dur

ing

the

FY 2

009

audi

t, PA

RS

data

base

se

curit

y co

ntro

ls a

re n

ot a

ppro

pria

tely

est

ablis

hed

as

note

d be

low

:

�PA

RS

data

base

ac

coun

ts

are

not

revi

ewed

to

id

entif

y ac

coun

ts t

hat

have

bee

n in

activ

e fo

r 45

da

ys o

r mor

e, a

s re

quire

d by

DH

S po

licy

for h

igh

impa

ct sy

stem

s.

�St

rong

pas

swor

ds a

nd a

uthe

ntic

ator

con

trols

are

no

t im

plem

ente

d fo

r PA

RS

data

base

acc

ount

s in

ac

cord

ance

w

ith

FEM

A

and

DH

S po

licy.

�D

ocum

ent

and

impl

emen

t a

form

al p

roce

ss t

o im

plem

ent

appr

opria

te

cont

rols

to

en

sure

th

at

inac

tive

PAR

S da

taba

se a

ccou

nts

are

disa

bled

in

acco

rdan

ce w

ith D

HS

polic

y.

�C

onfig

ure

PAR

S da

taba

se a

ccou

nts

in a

ccor

danc

e w

ith D

HS

and

FEM

A r

equi

rem

ents

for

pas

swor

ds

and

auth

entic

ator

con

trols

, in

clud

ing

expi

ratio

n,

reus

e, a

nd c

ompl

exity

. �

Doc

umen

t an

d im

plem

ent

syst

em-s

peci

fic

proc

esse

s for

gen

erat

ing

and

perf

orm

ing

revi

ews o

f PA

RS

data

base

aud

it lo

gs a

nd r

etai

ning

aud

itabl

e

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Spec

ifica

lly:

-A

min

imum

pas

swor

d le

ngth

is n

ot se

t;

-Pa

ssw

ord

com

plex

ity is

not

enf

orce

d to

requ

ire

pass

wor

ds

that

in

clud

e a

com

bina

tion

of

uppe

r/low

erca

se l

ette

rs,

num

bers

, an

d sp

ecia

l ch

arac

ters

or

to r

estri

ct t

he u

se o

f di

ctio

nary

w

ords

as p

assw

ords

;

-R

euse

of p

revi

ous p

assw

ords

is n

ot p

rohi

bite

d;

-Pa

ssw

ords

are

not

con

figur

ed t

o ex

pire

or

be

chan

ged

afte

r a p

re-d

eter

min

ed le

ngth

of t

ime;

an

d

-A

ccou

nts

are

not c

onfig

ured

to d

isab

le a

fter

a pr

e-de

term

ined

num

ber

of c

onse

cutiv

e in

valid

lo

gin

atte

mpt

s.

�Sy

stem

-spe

cific

pol

icie

s an

d pr

oced

ures

hav

e no

t be

en d

evel

oped

for t

he P

AR

S O

racl

e da

taba

se, a

nd

exis

ting

polic

ies

and

proc

edur

es in

herit

ed fr

om th

e IF

MIS

app

licat

ion

oper

atin

g en

viro

nmen

t do

not

ad

equa

tely

de

scrib

e im

plem

enta

tion

of

FEM

A

polic

ies

for

the

gene

ratio

n, r

evie

w,

and

rete

ntio

n of

all

requ

ired

audi

tabl

e ev

ents

.

�D

atab

ase

audi

t log

s ar

e no

t con

figur

ed to

cap

ture

au

dita

ble

even

ts,

incl

udin

g fa

iled

logi

n at

tem

pts

and

adm

inis

trato

r-le

vel

actio

ns,

as r

equi

red

by

FEM

A a

nd D

HS

polic

y.

�A

lthou

gh

a pe

riodi

c re

certi

ficat

ion

of

PAR

S da

taba

se a

cces

s ac

coun

ts i

s pe

rfor

med

to

ensu

re

that

acc

ess

is s

till

nece

ssar

y an

d ap

prop

riate

for

ea

ch i

ndiv

idua

l, po

licie

s an

d pr

oced

ures

ove

r th

e m

anag

emen

t of

acc

ount

s on

the

PA

RS

Ora

cle

data

base

do

no

t sp

ecify

re

quire

men

ts

for

perf

orm

ing

a pe

riodi

c re

certi

ficat

ion

of d

atab

ase

evid

ence

of r

evie

w in

acc

orda

nce

with

FEM

A a

nd

DH

S po

licy.

Add

ition

ally

, en

sure

tha

t al

l D

HS

requ

irem

ents

ar

e m

et

thro

ugh

this

pr

oces

s, in

clud

ing

appr

opria

te

supe

rvis

ory

revi

ew

and

segr

egat

ion

of d

utie

s prin

cipl

es.

�C

onfig

ure

PAR

S da

taba

se a

udit

logs

to c

aptu

re a

nd

reta

in a

udita

ble

even

ts i

n ac

cord

ance

with

FEM

A

and

DH

S po

licy.

�

Furth

er d

efin

e an

d es

tabl

ish

a fo

rmal

pro

cess

for

gr

antin

g in

itial

ac

cess

an

d re

certi

fyin

g ac

cess

sp

ecifi

cally

to

the

PAR

S da

taba

se t

hat

incl

udes

ap

prop

riate

app

rova

l fro

m F

EMA

man

agem

ent a

nd

requ

irem

ents

for t

empo

rary

and

em

erge

ncy

acce

ss,

in a

ccor

danc

e w

ith D

HS

guid

ance

.

Plea

se s

ee N

FR F

EMA

-IT-

10-4

8 fo

r rec

omm

enda

tions

re

late

d to

th

e pe

riodi

c re

view

an

d as

sess

men

t of

se

curit

y co

ntro

ls i

n pl

ace

to e

nsur

e th

at c

orre

ctiv

e ac

tions

are

app

ropr

iate

ly i

mpl

emen

ted

over

ide

ntifi

ed

secu

rity

wea

knes

ses.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

acco

unts

to v

alid

ate

the

cont

inue

d ap

prop

riate

ness

of

ac

cess

. A

dditi

onal

ly,

the

FY

2010

re

certi

ficat

ion

of

PAR

S O

racl

e da

taba

se

user

ac

coun

ts w

as n

ot c

ompl

eted

con

sist

ently

and

in

acco

rdan

ce

with

FE

MA

re

quire

men

ts.

Spec

ifica

lly, o

f a s

elec

tion

of re

certi

ficat

ion

form

s fo

r fiv

e PA

RS

data

base

use

r ac

coun

ts r

eque

sted

, fo

ur

form

s re

certi

fied

acce

ss

for

cont

ract

ors

with

out d

ocum

ente

d C

OTR

app

rova

l.

�A

utho

rizat

ion

of

initi

al

acce

ss

for

the

PAR

S da

taba

se

is

not

cons

iste

ntly

co

mpl

eted

in

ac

cord

ance

w

ith

FEM

A

and

DH

S po

licy.

Sp

ecifi

cally

, of a

sel

ectio

n of

thre

e PA

RS

data

base

ac

cess

form

s req

uest

ed:

-Tw

o us

er a

ccou

nts w

ere

gran

ted

to c

ontra

ctor

s w

ithou

t the

requ

ired

CO

TR si

gnat

ure.

-O

ne

acco

unt

was

id

entif

ied

by

Fina

ncia

l Sy

stem

s Se

ctio

n (F

SS) p

erso

nnel

as

an IF

MIS

sy

stem

acc

ount

. H

owev

er,

no d

ocum

enta

tion

just

ifyin

g or

aut

horiz

ing

the

use

of th

is s

yste

m

acco

unt w

as p

rovi

ded.

FEM

A-

IT-1

0-06

Dur

ing

the

FY 2

010

finan

cial

stat

emen

t aud

it, w

e no

ted

that

FE

MA

ha

s m

ade

impr

ovem

ents

ov

er

the

man

agem

ent

of

NEM

IS

Ora

cle

data

base

pa

ssw

ord

cont

rols

fo

r IT

O

pera

tions

da

taba

se

adm

inis

trato

r ac

coun

ts,

spec

ifica

lly

by

conf

igur

ing

a 10

4-da

y pa

ssw

ord

lifet

ime.

H

owev

er,

the

follo

win

g w

eakn

esse

s no

ted

in F

Y 2

009

cont

inue

to e

xist

in F

Y

2010

for t

he fo

ur d

atab

ases

sele

cted

for t

estin

g:

�A

pas

swor

d co

mpl

exity

ver

ifica

tion

func

tion

is n

ot

conf

igur

ed

to

requ

ire

a co

mbi

natio

n of

up

per/l

ower

case

le

tters

, nu

mbe

rs,

and

spec

ial

We

reco

mm

end

that

FE

MA

co

nfig

ure

all

NEM

IS

Ora

cle

data

base

s to

ens

ure

com

plia

nce

with

eff

ectiv

e D

HS

and

FEM

A p

olic

y re

quire

men

ts f

or p

assw

ords

an

d au

then

ticat

or

cont

rol

requ

irem

ents

, in

clud

ing

expi

ratio

n, re

use,

and

leng

th a

nd c

ompl

exity

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

char

acte

rs.

�R

euse

of p

revi

ous p

assw

ords

is n

ot p

rohi

bite

d.

�N

o m

inim

um p

assw

ord

leng

th is

enf

orce

d.

FEM

A-

IT-1

0-07

FEM

A h

as m

ade

impr

ovem

ents

ove

r th

e m

anag

emen

t of

IF

MIS

-Mer

ged

Ora

cle

data

base

pa

ssw

ords

by

co

nfig

urin

g th

e sy

stem

to

re

tain

a

hist

ory

of

the

prev

ious

ten

pass

wor

ds.

How

ever

, upo

n in

spec

tion

of

addi

tiona

l da

taba

se

pass

wor

d pa

ram

eter

s, w

e de

term

ined

th

at

the

pass

wor

d hi

stor

y fo

r th

e te

n pr

evio

us

pass

wor

ds

is

only

re

tain

ed

for

30

days

. Th

eref

ore,

afte

r th

e 30

day

tim

efra

me,

the

pas

swor

d hi

stor

y is

era

sed,

allo

win

g th

e us

er t

o po

tent

ially

use

on

e of

the

prev

ious

ten

pass

wor

ds.

We

reco

mm

end

that

FEM

A c

onfig

ure

the

IFM

IS-

Mer

ged

Ora

cle

data

base

to

ensu

re c

ompl

ianc

e w

ith

effe

ctiv

e D

HS

and

FEM

A

polic

y re

quire

men

ts

rega

rdin

g th

e re

use

of u

ser p

assw

ords

.

X

3

FEM

A-

IT-1

0-08

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e se

lect

ed f

our

NEM

IS O

racl

e da

taba

ses

for

test

ing

and

note

d th

at e

ach

is c

onfig

ured

to

lock

acc

ount

s af

ter

thre

e co

nsec

utiv

e fa

iled

logi

n at

tem

pts

and

to r

emai

n lo

cked

for

415

sec

onds

(7.

5 m

inut

es)

befo

re b

eing

un

lock

ed.

Con

figur

e al

l N

EMIS

O

racl

e da

taba

ses

to

ensu

re

com

plia

nce

with

eff

ectiv

e D

HS

and

FEM

A p

olic

y re

quire

men

ts f

or a

ccou

nt l

ocko

uts

due

to f

aile

d lo

gin

atte

mpt

s.

X

3

FEM

A-

IT-1

0-09

As

note

d du

ring

the

FY 2

009

audi

t, th

e fo

llow

ing

wea

knes

ses

over

aud

it lo

ggin

g co

ntro

ls fo

r the

NEM

IS

Ora

cle

data

base

s con

tinue

to e

xist

in F

Y 2

010:

�Th

e FE

MA

IT

O

pera

tions

B

ranc

h St

anda

rd

Ope

ratin

g Pr

oced

ure

(SO

P)

for

Han

dlin

g of

O

racl

e Au

dit

Logs

ha

s no

t be

en

upda

ted.

Sp

ecifi

cally

:

-Th

e sc

ope

sect

ion

of th

e SO

P do

es n

ot li

st a

ll O

racl

e da

taba

ses

iden

tifie

d th

at c

ompr

ise

the

NEM

IS d

ata

proc

essi

ng e

nviro

nmen

t.

-Th

e SO

P ha

s no

t bee

n up

date

d to

add

ress

all

DH

S po

licy

requ

irem

ents

sur

roun

ding

aud

it

�R

evis

e th

e SO

P fo

r H

andl

ing

of O

racl

e Au

dit L

ogs

to e

nsur

e th

at p

roce

dure

s ov

er r

equi

rem

ents

for

lo

ggin

g an

d m

onito

ring

audi

tabl

e ac

tiviti

es o

n al

l N

EMIS

dat

abas

es a

re d

ocum

ente

d in

acc

orda

nce

with

DH

S an

d FE

MA

gui

danc

e an

d th

e pr

oces

s fo

r au

dit l

og r

evie

w is

app

ropr

iate

ly im

plem

ente

d fo

r al

l dat

abas

es w

ithin

the

NEM

IS sy

stem

bou

ndar

y.

�Im

plem

ent

data

base

con

figur

atio

ns o

n al

l N

EMIS

da

taba

ses

in a

ccor

danc

e w

ith D

HS

and

FEM

A

polic

y an

d pr

oced

ures

ov

er

requ

ired

audi

tabl

e ev

ents

and

act

iviti

es.

�D

edic

ate

the

appr

opria

te r

esou

rces

and

impl

emen

t th

e ap

prop

riate

au

tom

ated

to

ols

or

esta

blis

h m

anua

l pr

oces

ses

to

colle

ct,

revi

ew,

and

reta

in

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

trails

and

act

ivity

mon

itorin

g.

Spec

ifica

lly,

succ

essf

ul lo

gins

, acc

ess m

odifi

catio

ns, h

ighl

y pr

ivile

ged

user

acc

ount

act

ivity

, and

cha

nges

to

use

r pr

ofile

s ar

e no

t req

uire

d to

be

logg

ed

and

revi

ewed

.

-Th

e SO

P sp

ecifi

es

that

da

taba

se

adm

inis

trato

rs

will

re

view

O

racl

e au

dit

reco

rds,

whi

ch is

a v

iola

tion

of s

egre

gatio

n of

du

ties

prin

cipl

es t

hat

requ

ire a

n in

depe

nden

t re

view

of s

yste

m a

ctiv

ity.

�O

n th

e fo

ur N

EMIS

dat

abas

es s

elec

ted

for t

estin

g,

conf

igur

atio

ns a

re n

ot f

ully

ena

bled

so

that

a

revi

ew o

f au

dit t

rails

and

act

ivity

def

ined

by

DH

S po

licy

requ

irem

ents

ca

n be

co

mpl

eted

. Sp

ecifi

cally

, on

ly

faile

d lo

gin

atte

mpt

s ar

e re

cord

ed i

n th

e au

dit

trails

of

all

data

base

use

r ac

coun

ts.

audi

tabl

e ac

tiviti

es o

n al

l N

EMIS

dat

abas

es,

to

ensu

re c

ompl

ianc

e w

ith D

HS

and

FEM

A p

olic

y.

FEM

A-

IT-1

0-10

As

note

d du

ring

the

FY 2

009

audi

t, w

e de

term

ined

that

w

eakn

esse

s ov

er t

he t

rack

ing

of F

EMA

con

tract

ors

cont

inue

to e

xist

in F

Y 2

010.

Spe

cific

ally

:

�FE

MA

doe

s not

hav

e a

form

al p

roce

ss fo

r cen

trally

an

d ad

equa

tely

tra

ckin

g FE

MA

co

ntra

ctor

s th

roug

hout

th

e on

-boa

rdin

g,

term

inat

ion,

an

d tra

nsfe

r pr

oces

ses.

As

a re

sult,

FEM

A c

ould

not

pr

ovid

e a

com

plet

e lis

ting

of

all

cont

ract

ors

wor

king

for F

EMA

.

�Th

e pr

oces

s es

tabl

ishe

d fo

r no

tifyi

ng

FEM

A

Off

ice

of

Chi

ef

Info

rmat

ion

Off

icer

(O

CIO

) m

anag

emen

t, in

clud

ing

IT s

yste

m a

dmin

istra

tors

, of

cha

nges

in

cont

ract

or's

stat

us, s

o th

at a

ccou

nts

can

be d

isab

led/

rem

oved

or a

ccou

nt p

rofil

es c

an b

e ap

prop

riate

ly m

odifi

ed i

n th

e re

quire

d tim

efra

me,

�D

evel

op,

docu

men

t, fu

lly

impl

emen

t, an

d co

mm

unic

ate

form

al

polic

ies

and

proc

edur

es,

acco

rdin

g to

DH

S gu

idel

ines

and

requ

irem

ents

, for

ce

ntra

lly t

rack

ing

all

cont

ract

ors

thro

ugho

ut t

he

on-b

oard

ing,

ter

min

atio

n, a

nd t

rans

fer

proc

esse

s. En

sure

pol

icie

s and

pro

cedu

res i

nclu

de:

• Th

e as

sign

men

t of

role

s an

d re

spon

sibi

litie

s to

ap

prop

riate

FE

MA

m

anag

emen

t an

d st

akeh

olde

rs.

�Pr

oced

ures

to

ensu

re t

hat

CO

TRs

notif

y th

e FE

MA

OC

IO o

f cha

nges

in c

ontra

ctor

s’ s

tatu

s, in

clud

ing

sepa

ratio

n or

tra

nsfe

r, so

th

at

acco

unts

can

be

disa

bled

/rem

oved

or

acco

unt

prof

iles

can

be a

ppro

pria

tely

mod

ified

in

the

requ

ired

timef

ram

e.

�Es

tabl

ishm

ent

of

cont

rols

fo

r pe

riodi

cally

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

is n

ot e

ffec

tive

or c

ompr

ehen

sive

. Sp

ecifi

cally

, no

form

al re

quire

men

ts e

xist

for C

ontra

ctin

g O

ffic

er’s

Te

chni

cal

Rep

rese

ntat

ives

(C

OTR

s) t

o no

tify

the

OC

IO o

f sep

arat

ing

cont

ract

ors.

mon

itorin

g th

e ef

fect

iven

ess

of t

he p

roce

ss t

o en

sure

com

plia

nce

with

pol

icy.

�

Reg

ular

ly

dist

ribut

e a

listin

g of

te

rmin

ated

co

ntra

ctor

pe

rson

nel

to

info

rmat

ion

syst

em

adm

inis

trato

rs s

o th

ey c

an r

emov

e us

er a

cces

s tim

ely.

FE

MA

-IT

-10-

11

Whi

le F

EMA

has

mad

e im

prov

emen

ts o

ver t

he re

view

of

IFM

IS-M

erge

r ap

plic

atio

n ac

tivity

by

docu

men

ting

resp

onsi

bilit

ies

for

perf

orm

ing

perio

dic

revi

ews

of

supe

r use

r acc

ount

act

iviti

es, t

he fo

llow

ing

wea

knes

ses

note

d in

FY

200

9 co

ntin

ue to

exi

st in

FY

201

0:

�Ex

istin

g po

licie

s an

d pr

oced

ures

, inc

ludi

ng F

EMA

In

terim

C

FO

Dire

ctiv

e 26

00-2

1,

IFM

IS

Use

r Ac

cess

and

Ter

min

atio

n, a

nd F

EMA

SO

P 20

00-

002,

Mon

itori

ng o

f IFM

IS D

atab

ase

Audi

t Log

, do

not r

equi

re th

e ge

nera

tion,

rev

iew

, or

rete

ntio

n of

au

dit l

ogs

for a

ll ac

tiviti

es r

equi

red

by F

EMA

and

D

HS

polic

y.

�Fa

iled

data

base

(O

racl

e) a

nd a

pplic

atio

n (U

NIX

) lo

gin

atte

mpt

s an

d ac

tivity

pe

rfor

med

by

ap

plic

atio

n us

ers

with

the

“sup

er u

ser”

role

rem

ain

the

only

form

s of a

ctiv

ity lo

gged

and

mon

itore

d fo

r IF

MIS

-Mer

ger.

Oth

er ty

pes o

f act

ivity

requ

ired

by

FEM

A

and

DH

S po

licy,

in

clud

ing

succ

essf

ul

logi

ns,

acce

ss m

odifi

catio

ns,

and

chan

ges

to u

ser

prof

iles,

are

not l

ogge

d or

mon

itore

d.

�W

hile

we

note

d th

at lo

ggin

g of

use

rs a

cces

sing

or

atte

mpt

ing

to a

cces

s th

e IF

MIS

-Mer

ger a

pplic

atio

n is

en

able

d an

d di

strib

uted

to

ap

prop

riate

in

depe

nden

t re

view

ers,

evid

ence

of

re

view

of

ap

plic

atio

n lo

gin

atte

mpt

s is n

ot d

ocum

ente

d.

Add

ition

ally

, w

e no

ted

the

follo

win

g w

eakn

esse

s re

late

d to

rev

iew

s of

act

ivity

of

supe

r us

ers

with

in th

e

�R

evis

e an

d im

plem

ent p

olic

ies

and

proc

edur

es th

at

docu

men

t re

quire

men

ts f

or c

onfig

urin

g, r

etai

ning

, an

d re

view

ing

audi

t tra

ils f

or t

he I

FMIS

-Mer

ger

appl

icat

ion

and

data

base

, in

clud

ing

defin

ed r

oles

an

d re

spon

sibi

litie

s, in

acc

orda

nce

with

DH

S an

d FE

MA

pol

icy.

�

Impl

emen

t co

nfig

urat

ions

on

the

IFM

IS-M

erge

r ap

plic

atio

n an

d da

taba

se t

o en

sure

tha

t au

dit

logs

re

cord

req

uire

d au

dita

ble

even

ts a

nd a

ctiv

ities

, in

acco

rdan

ce w

ith D

HS

and

FEM

A p

olic

y.

�Im

plem

ent

appr

opria

te

man

agem

ent

cont

rols

to

ensu

re ti

mel

y co

mm

unic

atio

n an

d im

plem

enta

tion

of e

xist

ing

and

futu

re D

HS

info

rmat

ion

secu

rity

polic

y re

quire

men

ts p

erta

inin

g to

the

conf

igur

atio

n of

aud

it lo

gs o

n th

e IF

MIS

-Mer

ger a

pplic

atio

n an

d da

taba

se,

and

to

perio

dica

lly

asse

ss

syst

em

cont

rols

to d

eter

min

e co

mpl

ianc

e.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

IFM

IS-M

erge

r app

licat

ion:

�A

ctiv

ity o

f use

rs w

ith e

leva

ted

priv

ilege

s is

logg

ed

and

revi

ewed

on

a w

eekl

y ba

sis.

How

ever

, FEM

A

polic

y re

quire

s th

at a

udit

reco

rds

be c

aptu

red

and

revi

ewed

at l

east

eve

ry th

ree

days

.

�R

evie

w o

f su

per

user

act

ivity

is

perf

orm

ed b

y an

in

divi

dual

with

sup

er u

ser

priv

ilege

s w

ithin

the

ap

plic

atio

n, i

n co

nflic

t w

ith s

egre

gatio

n of

dut

ies

prin

cipl

es.

FEM

A-

IT-1

0-12

The

follo

win

g w

eakn

esse

s no

ted

in F

Y 2

009

cont

inue

d to

exi

st in

FY

201

0:

�G

&T

IFM

IS a

pplic

atio

n us

er a

ccou

nts

wer

e no

t co

nsis

tent

ly a

ppro

ved

or a

utho

rized

prio

r to

initi

al

acco

unt

crea

tion

or

mod

ifica

tion

of

acco

unt

priv

ilege

s. O

f th

e 25

act

ive

appl

icat

ion

user

s se

lect

ed f

or te

stin

g, F

EMA

was

una

ble

to p

rovi

de

adeq

uate

doc

umen

ted

evid

ence

that

cre

atio

n of

, or

mod

ifica

tions

to

, ac

coun

t pr

ivile

ges

for

22

acco

unts

wer

e pr

oper

ly a

utho

rized

. Sp

ecifi

cally

:

�D

ocum

enta

tion

for

10

acco

unts

di

d no

t ev

iden

ce t

hat

acce

ss w

as a

utho

rized

by

the

Off

ice

of th

e C

hief

Fin

anci

al O

ffic

er (O

CFO

).

�D

ocum

enta

tion

for

11 a

ccou

nts

indi

cate

d th

at

acce

ss w

as a

utho

rized

by

the

OC

FO a

fter

the

mod

ifica

tions

to

the

acco

unt

priv

ilege

s w

ere

perf

orm

ed.

�D

ocum

enta

tion

for

one

acco

unt

was

no

t av

aila

ble.

�G

&T

IFM

IS O

racl

e da

taba

se u

ser

acco

unts

wer

e no

t co

nsis

tent

ly a

ppro

ved

or a

utho

rized

prio

r to

in

itial

acc

ount

cre

atio

n.

Spec

ifica

lly, o

f th

e ei

ght

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

is f

indi

ng b

ecau

se o

f th

e de

com

mis

sion

ing

of G

&T

IFM

IS in

June

201

0. A

ny G

&T

IFM

IS a

ccou

nts w

hich

no

w e

xist

on

the

IFM

IS –

Mer

ged

inst

ance

will

nee

d to

be

in

clud

ed

in

rece

rtific

atio

n ef

forts

th

at

will

be

pe

rfor

med

by

FEM

A a

s co

rrec

tive

actio

n to

rem

edia

te

NFR

FEM

A-I

T-10

-14,

whi

ch c

ites

a la

ck o

f con

sist

ent

rece

rtific

atio

n of

C

ore/

Mer

ged

IFM

IS

acco

unts

, to

en

sure

tha

t al

l m

igra

ted

G&

T IF

MIS

acc

ount

s ar

e ap

prop

riate

ly a

utho

rized

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 6

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

activ

e da

taba

se u

ser

acco

unts

sel

ecte

d fo

r te

stin

g,

FEM

A

was

un

able

to

pr

ovid

e do

cum

ente

d ev

iden

ce t

hat

the

initi

al a

ccou

nt c

reat

ion

of t

wo

acco

unts

in F

Y 2

010

was

aut

horiz

ed.

Whi

le K

PMG

not

ed t

hat

the

plan

ned

mer

ger

of t

he

G&

T IF

MIS

and

Cor

e IF

MIS

ins

tanc

es o

ccur

red

in

Febr

uary

201

0, a

nd t

he e

xist

ing

G&

T IF

MIS

Ora

cle

data

base

and

app

licat

ion

serv

er w

as d

ecom

mis

sion

ed

in J

une

2010

, th

e w

eakn

esse

s ov

er t

he f

inan

cial

dat

a ex

iste

d fo

r the

maj

ority

of t

he fi

scal

yea

r.

FEM

A-

IT-1

0-13

As

note

d du

ring

the

FY 2

009

audi

t, w

eakn

esse

s in

G

&T

IFM

IS O

racl

e da

taba

se a

udit

logg

ing

cont

rols

co

ntin

ued

to e

xist

in

FY 2

010.

Spe

cific

ally

, O

racl

e da

taba

se a

udit

trails

wer

e no

t con

figur

ed to

cap

ture

any

ac

tivity

, in

clud

ing

faile

d lo

gin

atte

mpt

s or

ad

min

istra

tor-

leve

l ac

tions

as

requ

ired

by F

EMA

and

D

HS

guid

ance

.

Whi

le w

e no

ted

that

the

pla

nned

mer

ger

of t

he G

&T

IFM

IS a

nd C

ore

IFM

IS in

stan

ces

occu

rred

in F

ebru

ary

2010

and

the

exis

ting

G&

T IF

MIS

Ora

cle

data

base

was

de

com

mis

sion

ed in

June

201

0, th

e w

eakn

esse

s ove

r the

fin

anci

al d

ata

exis

ted

for t

he m

ajor

ity o

f the

fisc

al y

ear.

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

is f

indi

ng b

ecau

se o

f th

e de

com

mis

sion

ing

of G

&T

IFM

IS in

June

201

0.

X

3

FEM

A-

IT-1

0-14

Dur

ing

the

FY 2

010

audi

t pr

oced

ures

, w

e no

ted

that

w

eakn

esse

s w

hich

exi

sted

in

FY 2

009

rela

ted

to t

he

rece

rtific

atio

n of

IFM

IS a

pplic

atio

n ac

coun

ts c

ontin

ue

to

exis

t. Sp

ecifi

cally

, al

thou

gh

the

Cor

e IF

MIS

ap

plic

atio

n us

er a

ccou

nts

wer

e re

certi

fied

in J

anua

ry

2010

prio

r to

the

mer

ge o

f th

e G

&T

and

Cor

e IF

MIS

ap

plic

atio

ns, w

e de

term

ined

tha

t th

e re

certi

ficat

ion

of

the

Cor

e IF

MIS

acc

ount

s w

as n

ot p

rope

rly c

ompl

eted

. O

f th

e 25

act

ive

appl

icat

ion

acco

unts

sel

ecte

d, F

EMA

w

as u

nabl

e to

pro

vide

doc

umen

ted

evid

ence

that

thre

e of

the

acco

unts

wer

e re

certi

fied

by th

e sy

stem

ow

ner t

o

�D

edic

ate

reso

urce

s to

ful

ly im

plem

ent F

EMA

and

D

HS

requ

irem

ents

fo

r a

rece

rtific

atio

n of

al

l IF

MIS

-Mer

ger

appl

icat

ion

acco

unts

at

le

ast

annu

ally

, in

clud

ing

revo

king

ac

cess

fo

r an

y ac

coun

ts n

ot c

urre

ntly

in

com

plia

nce

with

the

an

nual

rece

rtific

atio

n.

�Id

entif

y an

d im

plem

ent

appr

opria

te

mon

itorin

g co

ntro

ls

to

ensu

re

cont

inue

d co

mpl

ianc

e w

ith

rece

rtific

atio

n re

quire

men

ts f

or th

e IF

MIS

-Mer

ger

appl

icat

ion.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

valid

ate

the

cont

inue

d ap

prop

riate

ness

of

the

acco

unt,

as r

equi

red

by F

EMA

and

DH

S po

licy.

Fu

rther

mor

e,

thes

e ac

coun

ts t

hen

rem

aine

d on

the

IFM

IS-M

erge

r ap

plic

atio

n af

ter

the

mer

ger

of

the

appl

icat

ions

oc

curr

ed.

FEM

A-

IT-1

0-15

Dur

ing

the

FY

2010

au

dit,

we

note

d th

at

the

wea

knes

ses

over

the

rec

ertif

icat

ion

of G

&T

IFM

IS

appl

icat

ion

and

Ora

cle

data

base

use

rs n

oted

in

FY

2009

con

tinue

d to

exi

st.

Spec

ifica

lly,

a m

anag

emen

t re

view

to v

alid

ate

the

appr

opria

tene

ss o

f G

&T

IFM

IS

appl

icat

ion

and

Ora

cle

data

base

use

r ac

coun

ts w

as n

ot

form

ally

im

plem

ente

d or

per

form

ed b

y th

e O

ffic

e of

th

e C

hief

Fin

anci

al O

ffic

er/F

inan

cial

Sys

tem

Sec

tion

(OC

FO-F

SS)

this

fis

cal

year

. W

e no

ted

that

the

pl

anne

d m

erge

r of

the

G&

T IF

MIS

and

Cor

e IF

MIS

in

stan

ces

occu

rred

in

Febr

uary

201

0, a

nd t

he e

xist

ing

G&

T IF

MIS

Ora

cle

data

base

and

app

licat

ion

serv

er

was

dec

omm

issi

oned

in J

une

2010

. H

owev

er, p

rior t

o th

e m

igra

tion

of G

&T

acco

unts

to th

e IF

MIS

– M

erge

d in

stan

ce i

n Fe

brua

ry 2

010,

a r

ecer

tific

atio

n of

G&

T IF

MIS

app

licat

ion

user

s di

d no

t oc

cur.

Ther

efor

e, t

he

wea

knes

ses o

ver t

he re

certi

ficat

ion

of u

sers

with

acc

ess

to G

&T

IFM

IS f

inan

cial

dat

a ex

iste

d fo

r th

e fir

st tw

o qu

arte

rs o

f the

fisc

al y

ear.

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

is f

indi

ng b

ecau

se o

f th

e de

com

mis

sion

ing

of G

&T

IFM

IS i

n Ju

ne 2

010.

A

ny G

&T

IFM

IS a

ccou

nts

whi

ch n

ow e

xist

on

the

IFM

IS –

Mer

ged

inst

ance

will

be

inc

lude

d in

rec

ertif

icat

ion

effo

rts t

hat

need

to

be

perf

orm

ed b

y FE

MA

as

corr

ectiv

e ac

tion

to re

med

iate

N

FR F

EMA

-IT-

10-1

4, w

hich

cite

s a

lack

of c

onsi

sten

t re

certi

ficat

ion

of C

ore/

Mer

ged

IFM

IS a

ccou

nts.

X

3

FEM

A-

IT-1

0-16

The

mer

ger

of C

ore

IFM

IS a

nd G

&T

IFM

IS w

as

perf

orm

ed i

n Fe

brua

ry 2

010,

and

the

G&

T IF

MIS

ap

plic

atio

n an

d da

taba

se

serv

er

wer

e fo

rmal

ly

deco

mm

issi

oned

in

June

201

0.

Whi

le a

n A

TO w

as

gran

ted

for

the

IFM

IS-M

erge

r sy

stem

by

the

FEM

A

Chi

ef In

form

atio

n O

ffic

er o

n Ju

ne 4

, 201

0, p

rior t

o th

e co

mpl

etio

n of

the

mer

ged

inst

ance

, a

C&

A h

ad n

ot

been

pe

rfor

med

ov

er

the

G&

T IF

MIS

in

stan

ce.

Con

sequ

ently

, as

note

d du

ring

the

prio

r ye

ar F

Y 2

009

audi

t, G

&T

IFM

IS o

pera

ted

with

out

an A

TO p

rior

to

its d

ecom

mis

sion

ing.

In

add

ition

, we

dete

rmin

ed th

at

durin

g th

e tim

e th

e sy

stem

was

ope

ratio

nal,

neith

er a

n

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

is f

indi

ng b

ecau

se o

f th

e de

com

mis

sion

ing

of G

&T

IFM

IS in

June

201

0.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Info

rmat

ion

Syst

em S

ecur

ity O

ffic

er (

ISSO

) no

r a

Des

igna

ted

Aut

horiz

ing

Aut

horit

y (D

AA

) ha

d be

en

form

ally

des

igna

ted

by F

EMA

man

agem

ent

for

G&

T IF

MIS

.

FEM

A-

IT-1

0-17

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

note

d th

e fo

llow

ing

wea

knes

ses

rega

rdin

g sp

ecia

lized

tra

inin

g fo

r FE

MA

em

ploy

ees

and

cont

ract

ors

with

sig

nific

ant

info

rmat

ion

secu

rity

resp

onsi

bilit

ies:

�FE

MA

ha

s no

t fo

rmal

ly

docu

men

ted

or

impl

emen

ted

polic

ies

and

proc

edur

es t

o m

eet

the

requ

irem

ents

ove

r sp

ecia

lized

tra

inin

g fo

r FE

MA

em

ploy

ees

and

cont

ract

ors

with

si

gnifi

cant

in

form

atio

n se

curit

y re

spon

sibi

litie

s in

acc

orda

nce

with

DH

S po

licy.

�W

ith t

he e

xcep

tion

of I

SSO

s, FE

MA

has

not

fo

rmal

ly id

entif

ied

all i

ndiv

idua

ls o

r pos

ition

s w

ith

sign

ifica

nt

info

rmat

ion

secu

rity

resp

onsi

bilit

ies

subj

ect t

o sp

ecia

lized

trai

ning

requ

irem

ents

.

�FE

MA

doe

s no

t tra

ck o

r m

onito

r co

mpl

etio

n of

sp

ecia

lized

tra

inin

g fo

r FE

MA

pe

rson

nel

with

cr

itica

l IT

role

s.

�D

evel

op a

nd i

mpl

emen

t po

licie

s an

d pr

oced

ures

re

quiri

ng i

nitia

l an

d pe

riodi

c sp

ecia

lized

tra

inin

g fo

r in

divi

dual

s w

ith

sign

ifica

nt

info

rmat

ion

secu

rity

resp

onsi

bilit

ies.

�Fo

rmal

ly

iden

tify

spec

ific

role

s an

d po

sitio

ns

poss

essi

ng

sign

ifica

nt

info

rmat

ion

secu

rity

resp

onsi

bilit

ies

that

ar

e su

bjec

t to

sp

ecia

lized

tra

inin

g re

quire

men

ts.

�D

evel

op a

nd im

plem

ent a

mec

hani

sm f

or tr

acki

ng

and

mon

itorin

g co

mpl

ianc

e w

ith

spec

ializ

ed

train

ing

requ

irem

ents

fo

r in

divi

dual

s w

ith

sign

ifica

nt in

form

atio

n se

curit

y re

spon

sibi

litie

s.

X

2

FEM

A-

IT-1

0-18

In F

Y 2

010,

we

note

d th

at t

he N

EMIS

SSP

was

up

date

d in

Nov

embe

r 20

09.

How

ever

, we

dete

rmin

ed

that

the

follo

win

g w

eakn

esse

s con

tinue

to e

xist

:

�N

EMIS

sy

stem

bo

unda

ries,

incl

udin

g id

entif

icat

ion

of

all

hard

war

e an

d so

ftwar

e el

emen

ts th

at c

ompr

ise

the

NEM

IS g

ener

al su

ppor

t sy

stem

an

d su

bsys

tem

s, ha

ve

not

been

fu

lly

defin

ed.

�FE

MA

has

not

doc

umen

ted

the

assi

gnm

ent

of

FEM

A p

erso

nnel

with

sec

urity

res

pons

ibili

ties

for

the

mod

ules

an

d m

ajor

ap

plic

atio

ns

that

ar

e

�Fu

lly

iden

tify

all

hard

war

e an

d so

ftwar

e co

mpo

nent

s of

the

NEM

IS p

latfo

rm a

nd u

pdat

e ap

prop

riate

N

EMIS

sy

stem

do

cum

enta

tion,

in

clud

ing

the

SSP,

to r

efle

ct th

e cu

rren

t ope

ratin

g en

viro

nmen

t as

requ

ired

by D

HS

polic

y an

d N

IST

guid

ance

.

�Es

tabl

ish

and

impl

emen

t a

form

al p

roce

ss f

or

perio

dica

lly

revi

ewin

g an

d as

sess

ing

syst

em

docu

men

tatio

n to

ens

ure

that

sys

tem

bou

ndar

ies

and

hard

war

e an

d so

ftwar

e co

mpo

nent

s ar

e ac

cura

tely

refle

cted

.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

clas

sifie

d as

NEM

IS s

ubsy

stem

s w

ithin

the

curr

ent

NEM

IS S

SP.

�Fo

rmal

ly

assi

gn

and

docu

men

t se

curit

y re

spon

sibi

litie

s of

FE

MA

pe

rson

nel

for

all

com

pone

nts

of N

EMIS

, in

clud

ing

all

iden

tifie

d m

odul

es a

nd m

ajor

app

licat

ions

.

FEM

A-

IT-1

0-19

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

note

d th

e fo

llow

ing

wea

knes

ses

rega

rdin

g co

nfig

urat

ion

man

agem

ent

over

net

wor

k de

vice

s su

ch a

s fir

ewal

ls,

rout

ers,

and

switc

hes

that

sup

port

in-s

cope

fin

anci

al

syst

ems:

�C

ompr

ehen

sive

con

figur

atio

n ba

selin

es id

entif

ying

al

l re

leva

nt c

onfig

urat

ion

item

s (C

Is)

with

in t

he

scop

e of

IF

MIS

an

d N

EMIS

ha

ve

not

been

do

cum

ente

d.

�FE

MA

con

figur

atio

n m

anag

emen

t (C

M)

polic

ies

and

proc

edur

es

requ

ire

the

impl

emen

tatio

n of

C

onfig

urat

ion

Stat

us A

ccou

ntin

g (C

SA),

whi

ch

incl

udes

re

cord

ing

appr

oved

co

nfig

urat

ion

docu

men

tatio

n,

perf

orm

ing

Con

figur

atio

n A

udit

(CA

), an

d do

cum

entin

g ph

ysic

al

conf

igur

atio

n au

dits

to

as

sess

co

nfor

man

ce

with

es

tabl

ishe

d ba

selin

es.

How

ever

, re

quire

men

ts

for

the

freq

uenc

y, d

ocum

enta

tion,

and

ret

entio

n of

res

ults

of

thes

e ac

tiviti

es h

ave

not b

een

defin

ed in

exi

stin

g FE

MA

pol

icie

s or

pro

cedu

res.

Add

ition

ally

, th

e re

quire

d C

SA r

epor

ts a

nd C

As

have

not

bee

n pe

rfor

med

for I

FMIS

or N

EMIS

.

�Fo

rmal

ly

esta

blis

h ro

les

and

resp

onsi

bilit

ies

rela

ted

to

over

sigh

t an

d im

plem

enta

tion

of

conf

igur

atio

n m

anag

emen

t pol

icie

s an

d pr

oced

ures

fo

r ne

twor

k de

vice

s, in

clud

ing

firew

alls

an

d ro

uter

s, su

ppor

ting

finan

cial

ap

plic

atio

ns

in

acco

rdan

ce w

ith D

HS

and

FEM

A re

quire

men

ts.

�R

evis

e an

d im

plem

ent

conf

igur

atio

n m

anag

emen

t po

licie

s an

d pr

oced

ures

ove

r do

cum

entin

g an

d m

aint

aini

ng

curr

ent

base

line

conf

igur

atio

ns

for

netw

ork

devi

ces

supp

ortin

g fin

anci

al a

pplic

atio

ns,

incl

udin

g IF

MIS

and

NEM

IS, t

o en

sure

DH

S an

d FE

MA

requ

irem

ents

are

ade

quat

ely

addr

esse

d an

d co

nfig

urat

ion

base

lines

ar

e co

mpr

ehen

sive

ly

docu

men

ted

by F

EMA

. A

dditi

onal

ly, p

olic

ies

and

proc

edur

es

shou

ld

incl

ude

guid

ance

ov

er

requ

irem

ents

suc

h as

doc

umen

tatio

n of

bas

elin

es,

perio

dic

revi

ew a

nd a

uditi

ng,

and

appr

oval

of

base

line

chan

ges f

or n

etw

ork

devi

ces.

�Pe

rfor

m

requ

ired

conf

igur

atio

n m

anag

emen

t ac

tiviti

es, i

nclu

ding

per

iodi

c C

onfig

urat

ion

Stat

us

Acc

ount

ing

and

Con

figur

atio

n A

udit

activ

ities

, for

ne

twor

k de

vice

s su

ppor

ting

finan

cial

app

licat

ions

, in

clud

ing

IFM

IS a

nd N

EMIS

, and

reta

in a

udita

ble

evid

ence

of

thes

e ac

tiviti

es a

s re

quire

d by

FEM

A

polic

y.

X

3

FEM

A-

IT-1

0-20

Con

ditio

ns n

oted

in

FY 2

009

rela

ted

to w

eakn

esse

s ov

er t

he d

ocum

enta

tion

and

test

ing

of t

he N

EMIS

co

ntin

genc

y pl

an c

ontin

ue t

o ex

ist

in F

Y 2

010,

as

follo

ws:

�U

pdat

e th

e N

EMIS

IT

C

ontin

genc

y Pl

an

in

acco

rdan

ce w

ith D

HS

and

NIS

T re

quire

men

ts f

or

syst

ems

cate

goriz

ed a

t the

hig

h im

pact

ava

ilabi

lity

obje

ctiv

e.

Add

ition

ally

, en

sure

th

at

the

Con

tinge

ncy

Plan

com

preh

ensi

vely

add

ress

es t

he

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�Th

e N

EMIS

IT

C

ontin

genc

y Pl

an

does

no

t ad

equa

tely

an

d co

mpr

ehen

sive

ly

incl

ude

info

rmat

ion

requ

ired

by D

HS

polic

y fo

r sy

stem

s w

ith h

igh

impa

ct a

vaila

bilit

y.

For

exam

ple,

we

note

d th

e fo

llow

ing

wea

knes

ses:

�D

etai

led

info

rmat

ion

over

N

EMIS

sy

stem

ar

chite

ctur

e, s

uch

as t

he d

atab

ase

and

serv

er

nam

es, a

s w

ell a

s in

form

atio

n ov

er th

e va

rious

m

odul

es o

f NEM

IS, h

as n

ot b

een

appr

opria

tely

do

cum

ente

d to

ref

lect

the

cur

rent

ope

ratin

g en

viro

nmen

t.

�Th

e pl

an d

oes

not

suff

icie

ntly

inc

lude

det

ails

ne

cess

ary

to

fully

re

stor

e N

EMIS

an

d de

pend

ent

subs

yste

ms

in

the

even

t of

an

em

erge

ncy.

�Th

e co

ntin

genc

y pl

an d

oes

not s

peci

fy c

ritic

al

role

s, sy

stem

res

ourc

es, o

r sy

stem

/app

licat

ion

reco

very

pr

iorit

ies

in

suff

icie

nt

deta

il to

di

stin

guis

h be

twee

n th

e va

rious

m

odul

es

with

in N

EMIS

.

�Th

e B

usin

ess

Impa

ct A

naly

sis

(BIA

) in

clud

ed

in t

he C

ontin

genc

y Pl

an w

as c

ompl

eted

in

2004

and

is n

ot a

dequ

atel

y do

cum

ente

d.

�Te

stin

g of

the

NEM

IS IT

con

tinge

ncy

plan

has

not

be

en

perf

orm

ed

in

the

past

12

m

onth

s in

ac

cord

ance

with

DH

S po

licy.

num

erou

s su

b-sy

stem

s w

ithin

N

EMIS

so

th

at

deta

iled

info

rmat

ion

exis

ts o

ver t

he c

urre

nt s

yste

m

arch

itect

ure,

crit

ical

pro

cess

ing

prio

ritie

s, de

taile

d re

cove

ry

proc

edur

es

and

othe

r re

quire

d co

mpo

nent

s in

acco

rdan

ce w

ith D

HS

guid

ance

. �

Con

duct

and

doc

umen

t ann

ual t

ests

of t

he N

EMIS

C

ontin

genc

y Pl

an th

at a

ddre

ss a

ll cr

itica

l pha

ses o

f th

e pl

an,

and

upda

te t

he C

ontin

genc

y Pl

an w

ith

less

ons

lear

ned,

as

nece

ssar

y an

d in

acc

orda

nce

with

DH

S an

d N

IST

requ

irem

ents

.

FEM

A-

IT-1

0-21

We

perf

orm

ed a

com

paris

on o

f ac

tive

IFM

IS-M

erge

r, G

&T

IFM

IS,

and

NEM

IS A

cces

s C

ontro

l Sy

stem

(N

AC

S) a

ccou

nts,

as w

ell

as i

ndiv

idua

ls w

ith V

irtua

l Pr

ivat

e N

etw

ork

(VPN

) re

mot

e ac

cess

pr

ivile

ges,

agai

nst

a lis

t of

FEM

A e

mpl

oyee

s th

at h

ad s

epar

ated

fr

om e

mpl

oym

ent s

ince

Oct

ober

1, 2

009

to d

eter

min

e

�Id

entif

y th

e ro

ot c

ause

(s) a

ssoc

iate

d w

ith s

epar

ated

em

ploy

ees

rem

aini

ng

on

FEM

A

info

rmat

ion

syst

ems.

A

s ap

prop

riate

, re

vise

ex

istin

g pr

oced

ures

or

deve

lop

addi

tiona

l pr

oced

ures

ove

r re

mov

al o

f se

para

ted

user

acc

ess

to I

T sy

stem

s to

ad

dres

s w

eakn

esse

s th

at c

ontri

bute

to

untim

ely

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

if an

y se

para

ted

empl

oyee

s re

tain

ed a

ctiv

e ac

coun

ts o

n th

e ap

plic

atio

ns

or

rem

ote

acce

ss

to

the

FEM

A

netw

ork.

The

follo

win

g w

eakn

esse

s wer

e id

entif

ied:

�11

IFM

IS-M

erge

r us

er a

ccou

nts

rem

aine

d ac

tive

and

unlo

cked

afte

r the

acc

ount

hol

der’

s se

para

tion

from

FEM

A.

�3

G&

T IF

MIS

use

r ac

coun

ts r

emai

ned

activ

e an

d un

lock

ed

afte

r th

e ac

coun

t ho

lder

’s

sepa

ratio

n fr

om F

EMA

.

�16

4 N

AC

S ac

coun

ts

with

N

EMIS

po

sitio

ns

assi

gned

at

the

time

of o

ur t

est

wor

k re

mai

ned

activ

e an

d un

lock

ed a

fter

the

acco

unt

hold

er’s

se

para

tion

from

FEM

A.

�33

ind

ivid

uals

ret

aine

d th

e ab

ility

to

acce

ss t

he

FEM

A

netw

ork

rem

otel

y du

e to

ac

tive

VPN

re

mot

e ac

cess

priv

ilege

s af

ter t

he a

ccou

nt h

olde

r’s

sepa

ratio

n fr

om

FEM

A.

All

33

indi

vidu

als

addi

tiona

lly r

etai

ned

an a

ctiv

e N

AC

S ac

coun

t as

de

scrib

ed a

bove

, thu

s al

low

ing

them

to p

oten

tially

ac

cess

NEM

IS a

s wel

l.

rem

oval

of s

epar

ated

indi

vidu

als f

rom

the

syst

ems.

�En

sure

th

at

proc

edur

es

are

impl

emen

ted

cons

iste

ntly

to

re

mov

e sy

stem

an

d ap

plic

atio

n ac

coun

ts f

or a

ll se

para

ted

user

s im

med

iate

ly u

pon

notif

icat

ion

of

sepa

ratio

n,

in

acco

rdan

ce

with

FE

MA

, DH

S an

d N

IST

guid

ance

.

No

corr

ectiv

e ac

tion

spec

ific

to t

he p

ortio

n of

thi

s fin

ding

re

late

d to

G

&T

IFM

IS

will

be

pr

ovid

ed

beca

use

of th

e de

com

mis

sion

ing

of th

at s

yste

m in

Jun

e 20

10.

FEM

A-

IT-1

0-22

In F

Y 2

010,

we

note

d th

at t

he f

ollo

win

g co

nditi

ons

iden

tifie

d in

FY

200

9 re

late

d to

FEM

A L

AN

acc

ount

s co

ntin

ue to

exi

st:

�Th

e FE

MA

LA

N d

omai

n se

curit

y po

licy

does

not

en

forc

e pa

ssw

ord

requ

irem

ents

in a

ccor

danc

e w

ith

DH

S po

licy.

Spe

cific

ally

:

�Th

e FE

MA

LA

N d

oes

not e

nfor

ce a

pas

swor

d hi

stor

y or

pre

vent

reus

e of

pas

swor

ds.

�Th

e FE

MA

LA

N d

oes

not e

nfor

ce c

ompl

exity

re

quire

men

ts, i

nclu

ding

pas

swor

d le

ngth

or t

he

use

of m

ixed

-cas

e al

phan

umer

ic a

nd s

peci

al

Con

figur

e th

e FE

MA

LA

N to

ens

ure

com

plia

nce

with

D

HS

and

FEM

A p

olic

y re

quire

men

ts f

or p

assw

ords

an

d au

then

ticat

or

cont

rol

requ

irem

ents

, in

clud

ing

expi

ratio

n, re

use,

and

leng

th a

nd c

ompl

exity

.

Iden

tify

and

impl

emen

t ap

prop

riate

m

onito

ring

cont

rols

to e

nsur

e th

at a

ll ac

coun

ts o

n th

e FE

MA

LA

N

are

in

com

plia

nce

with

D

HS

requ

irem

ents

fo

r au

thor

izat

ion.

A

dditi

onal

ly,

ensu

re

that

w

here

ap

prop

riate

po

licie

s an

d pr

oced

ures

ar

e fu

rther

de

velo

ped

and/

or

revi

sed

to

ensu

re

cons

iste

nt

impl

emen

tatio

n an

d in

clud

e re

quire

men

ts

for

all

acco

unts

on

the

FEM

A L

AN

, inc

ludi

ng g

ener

ic, s

hare

d

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

char

acte

rs, t

o en

sure

that

stro

ng p

assw

ords

are

us

ed.

�FE

MA

was

una

ble

to p

rovi

de e

vide

nce

of a

ccou

nt

auth

oriz

atio

n fo

r 10

A

ctiv

e D

irect

ory

(AD

) in

divi

dual

use

r acc

ount

s cre

ated

in F

Y 2

010.

�W

hile

po

licie

s an

d pr

oced

ures

ov

er

the

auth

oriz

atio

n of

gen

eric

, sha

red

grou

p, a

nd s

ervi

ce

acco

unts

on

the

FEM

A L

AN

hav

e be

en f

inal

ized

, ap

prov

al

of

thes

e ac

coun

ts

is

not

cons

iste

ntly

do

cum

ente

d ac

cord

ing

to p

olic

y. S

peci

fical

ly, o

f a

sele

ctio

n of

45

gene

ric,

grou

p, a

nd s

ervi

ce L

AN

ac

coun

ts c

reat

ed d

urin

g FY

201

0:

�2

did

not h

ave

a cl

early

def

ined

bus

ines

s ne

ed

or ju

stifi

catio

n do

cum

ente

d;

�26

did

not

hav

e IT

Sec

urity

or

syst

em o

wne

r ap

prov

al d

ocum

ente

d;

�19

w

ere

crea

ted

prio

r to

su

perv

isor

y ce

rtific

atio

n; a

nd

�2

did

not h

ave

any

auth

oriz

ing

docu

men

tatio

n pr

ovid

ed fo

r our

revi

ew.

�FE

MA

ha

s no

t es

tabl

ishe

d pr

oced

ures

an

d im

plem

ente

d a

proc

ess

over

th

e pe

riodi

c re

certi

ficat

ion

of F

EMA

LA

N a

ccou

nts

to e

nsur

e th

at a

cces

s is

stil

l ne

cess

ary

and

appr

opria

te f

or

each

acc

ount

as

requ

ired

by F

EMA

and

DH

S po

licy.

�W

e co

mpa

red

a lis

ting

of a

ctiv

e FE

MA

LA

N/A

D

acco

unts

ag

ains

t a

list

of

FEM

A

empl

oyee

se

para

tions

tha

t ha

d oc

curr

ed s

ince

Oct

ober

1,

2009

and

det

erm

ined

tha

t 85

acc

ount

s re

mai

ned

activ

e an

d un

lock

ed a

fter

the

acco

unt

hold

er’s

grou

p,

serv

ice,

an

d LA

N

end-

user

ac

coun

ts

not

incl

uded

in th

e N

AC

S.

Dev

elop

an

d im

plem

ent

a fo

rmal

pr

oces

s fo

r pe

rfor

min

g a

perio

dic

rece

rtific

atio

n of

all

FEM

A L

AN

ac

coun

ts w

hich

def

ines

req

uire

men

ts a

nd a

ddre

sses

ac

coun

ts

not

incl

uded

du

ring

the

plan

ned

rece

rtific

atio

n of

NEM

IS a

pplic

atio

n ac

cess

. Ev

alua

te a

nd, i

f app

ropr

iate

, rev

ise

exis

ting

proc

edur

es

over

rem

oval

of

sepa

rate

d us

er a

cces

s to

the

FEM

A

LAN

to

en

sure

th

e tim

ely

rem

oval

of

se

para

ted

indi

vidu

als f

rom

the

netw

ork.

Ensu

re th

at p

roce

dure

s ar

e im

plem

ente

d co

nsis

tent

ly to

re

mov

e FE

MA

LA

N a

ccou

nts

for

all

sepa

rate

d us

ers

imm

edia

tely

up

on

notif

icat

ion

of

sepa

ratio

n,

in

acco

rdan

ce w

ith F

EMA

, DH

S an

d N

IST

guid

ance

.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

sepa

ratio

n fr

om F

EMA

.

FEM

A-

IT-1

0-23

In

FY

2010

, w

e de

term

ined

th

at

whi

le

chan

ge

man

agem

ent

proc

edur

es

have

be

en

deve

lope

d an

d im

plem

ente

d fo

r app

licat

ions

hos

ted

by th

e N

FIP

LAN

, in

clud

ing

Trav

erse

, the

doc

umen

ted

proc

edur

es d

o no

t sp

ecifi

cally

add

ress

pat

ch m

anag

emen

t po

licie

s an

d pr

oced

ures

for t

he N

FIP

LAN

in a

ccor

danc

e w

ith D

HS

requ

irem

ents

. Sp

ecifi

cally

, con

trols

ove

r the

app

rova

l, te

stin

g, a

nd d

eplo

ymen

t of

ope

ratin

g sy

stem

pat

ches

ar

e no

t add

ress

ed.

We

reco

mm

end

that

FE

MA

O

CIO

an

d N

FIP

man

agem

ent

final

ize

and

impl

emen

t co

mpr

ehen

sive

pa

tch

man

agem

ent

polic

ies

and

proc

edur

es f

or t

he

NFI

P LA

N s

uppo

rting

Tra

vers

e, i

n ac

cord

ance

with

D

HS

polic

y.

Add

ition

ally

, FE

MA

an

d N

FIP

man

agem

ent

shou

ld

ensu

re

that

th

ese

proc

edur

es

incl

ude

requ

irem

ents

fo

r au

thor

izin

g,

test

ing,

an

d ap

prov

ing

patc

hes

to b

e im

plem

ente

d in

to p

rodu

ctio

n an

d re

spon

ding

to D

HS

Secu

rity

Ope

ratio

ns C

ente

r and

D

HS

EOC

not

ifica

tions

to e

nsur

e co

mpl

ianc

e w

ith th

e tim

ely

impl

emen

tatio

n of

requ

ired

patc

hes.

X

2

FEM

A-

IT-1

0-24

Dur

ing

FY 2

010,

we

note

d th

at w

eakn

esse

s ov

er t

he

Cer

tific

atio

n an

d A

ccre

dita

tion

(C&

A)

of

NFI

P co

ntin

ue to

exi

st.

Spec

ifica

lly,

�FE

MA

ap

prov

ed

Con

ditio

nal

ATO

s fo

r th

e N

FIP/

LSS

on M

ay 2

2, 2

009

and

Aug

ust 2

0, 2

010

for t

wo

one-

year

per

iods

. H

owev

er, w

e no

ted

that

in

the

abse

nce

of a

ful

l ATO

, DH

S po

licy

allo

ws

“int

erim

” A

TOs

only

for

sys

tem

s th

at a

re e

ither

un

der

deve

lopm

ent

test

ing

or i

n th

e pr

otot

ype

phas

e of

dev

elop

men

t, no

t op

erat

iona

l sy

stem

s su

ch a

s th

e N

FIP/

LSS.

A

dditi

onal

ly,

“int

erim

” A

TOs

cann

ot e

xcee

d tw

o co

nsec

utiv

e si

x-m

onth

pe

riods

.

�D

urin

g th

e in

itial

Con

ditio

nal

ATO

per

iod

that

be

gan

on M

ay 2

2, 2

009,

FEM

A d

id n

ot c

ompl

ete

C&

A e

ffor

ts,

incl

udin

g th

e ris

k as

sess

men

t an

d se

curit

y te

stin

g an

d ev

alua

tion

(ST&

E) n

eede

d to

fu

lly a

sses

s ris

k as

soci

ated

with

the

syst

em, s

o th

at

a fu

ll A

TO c

ould

be

issu

ed.

Con

sequ

ently

, fro

m

May

20

10,

whe

n th

e in

itial

C

ondi

tiona

l A

TO

expi

red,

thr

ough

Aug

ust

2010

whe

n th

e se

cond

C

ondi

tiona

l A

TO

was

ap

prov

ed,

the

syst

em

We

reco

mm

end

that

NFI

P co

ntin

ue t

o w

ork

with

the

FE

MA

O

CIO

to

co

mpl

ete

the

rece

rtific

atio

n an

d ac

cred

itatio

n of

the

NFI

P Le

gacy

Ser

vice

s Sy

stem

(L

SS),

incl

udin

g do

cum

enta

tion

of a

ll re

quire

d ar

tifac

ts

in

acco

rdan

ce

with

ap

plic

able

D

HS

polic

ies

and

Fede

ral g

uida

nce.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

oper

ated

with

out a

ny a

utho

rizat

ion.

�D

urin

g ou

r int

egra

ted

audi

t fie

ldw

ork

perio

d, N

FIP

was

una

ble

to p

rovi

de u

s w

ith e

vide

nce

that

C&

A

activ

ities

req

uire

d to

be

perf

orm

ed f

or a

ful

l ATO

to

be

gran

ted

had

been

com

plet

ed.

FEM

A-

IT-1

0-25

Dur

ing

the

FY 2

010

FEM

A In

tegr

ated

Aud

it, w

e no

ted

that

the

follo

win

g co

nditi

ons

rela

ted

to m

anag

emen

t of

FEM

A V

PN a

ccou

nts c

ontin

ue to

exi

st:

�Th

e V

PN R

ules

of

Beh

avio

r fo

r U

sers

Beh

ind

Cor

pora

te

Fire

wal

ls,

date

d D

ecem

ber

5,

2002

, re

quire

s in

divi

dual

’s

man

ager

ap

prov

al

and

Ente

rpris

e Se

rvic

e D

esk

(ESD

) va

lidat

ion

of a

ll V

PN

Acc

ess

Req

uest

fo

rms

prio

r to

gr

antin

g ac

cess

. H

owev

er, a

ppro

val b

y th

e sy

stem

ow

ner o

r a

desi

gnat

ed re

pres

enta

tive

is n

ot re

quire

d.

�V

PN A

cces

s R

eque

st f

orm

s in

clud

e an

app

rova

l bl

ock

title

d “F

or F

EMA

OC

S U

se O

nly,

” an

d th

e fo

rm st

ates

that

all

VPN

requ

ests

mus

t be

appr

oved

by

the

FEM

A O

ffic

e of

Cyb

er S

ecur

ity (

OC

S).

How

ever

, OC

S do

es n

ot c

urre

ntly

exi

st a

s a F

EMA

D

ivis

ion

due

to

FEM

A’s

re

orga

niza

tion.

C

onse

quen

tly, e

xist

ing

polic

ies

and

proc

edur

es d

o no

t re

flect

th

e cu

rren

t se

curit

y m

anag

emen

t st

ruct

ure

at

FEM

A

nor

do

they

as

sign

re

spon

sibi

lity

to a

cur

rent

ent

ity w

ithin

the

agen

cy.

�A

per

iodi

c re

certi

ficat

ion

of F

EMA

VPN

acc

ess

acco

unts

is n

ot c

urre

ntly

per

form

ed to

ens

ure

that

re

mot

e ac

cess

is s

till n

eces

sary

and

app

ropr

iate

for

each

indi

vidu

al.

�O

f the

sel

ectio

n of

45

VPN

Acc

ess

Req

uest

form

s re

view

ed:

�Tw

o di

d no

t sp

ecify

the

dat

e th

at a

cces

s w

as

�R

evis

e an

d im

plem

ent

curr

ent

polic

ies

and

proc

edur

es

for

docu

men

ting,

re

view

ing,

an

d ap

prov

ing

all r

emot

e ac

cess

acc

ount

s to

the

FEM

A

LAN

in

clud

ing

VPN

an

d iP

ass

acce

ss.

Spec

ifica

lly,

role

s an

d re

spon

sibi

litie

s sh

ould

be

defin

ed t

o en

sure

tha

t su

ffic

ient

res

ourc

es a

re

dedi

cate

d to

app

ropr

iate

ly a

utho

rize

acco

unts

on

beha

lf of

the

syst

em o

wne

r or

a d

esig

nee

prio

r to

gr

antin

g re

mot

e ac

cess

, ac

cord

ing

to F

EMA

and

D

HS

polic

y.

�D

evel

op a

nd im

plem

ent p

olic

ies

and

proc

edur

es to

pe

rfor

m a

per

iodi

c re

certi

ficat

ion

of a

ll re

mot

e us

er

acce

ss a

nd re

tain

aud

itabl

e re

cord

s as e

vide

nce

that

re

certi

ficat

ions

are

con

duct

ed a

nd c

ompl

eted

in

acco

rdan

ce w

ith D

HS

and

FEM

A p

olic

y.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

appr

oved

by

the

requ

esto

r’s s

uper

viso

r.

�Th

ree

wer

e gr

ante

d su

perv

isor

y ap

prov

al a

fter

VPN

acc

ess w

as e

stab

lishe

d fo

r the

use

r.

�Th

e se

ctio

n of

eac

h fo

rm th

at re

quire

d “O

CS”

le

vel r

evie

w a

nd a

ppro

val w

as n

ot c

ompl

eted

.

Add

ition

ally

, w

e co

nduc

ted

furth

er

test

wor

k ov

er

rem

ote

acce

ss g

rant

ed th

roug

h th

e iP

ass

utili

ty, w

hich

is

use

d to

pro

vide

dia

l-up

acce

ss to

the

FEM

A n

etw

ork

via

the

VPN

gat

eway

. Th

is a

cces

s is

man

aged

thro

ugh

a se

para

te a

cces

s au

thor

izat

ion

proc

ess

from

VPN

. D

urin

g ou

r te

stw

ork,

we

note

d th

e fo

llow

ing

new

co

nditi

ons i

n FY

201

0 re

late

d to

man

agem

ent o

f acc

ess

to iP

ass:

�W

hile

iPas

s U

ser A

gree

men

t for

ms

requ

ire S

ectio

n C

hief

(or

equ

ival

ent)

appr

oval

and

IT

certi

ficat

ion

for

iPas

s re

mot

e ac

cess

, req

uest

s ar

e no

t app

rove

d by

th

e sy

stem

ow

ner

or

a de

sign

ated

re

pres

enta

tive,

as

re

quire

d by

D

HS

polic

y.

Add

ition

ally

, pol

icie

s an

d pr

oced

ures

do

not e

xist

re

late

d to

the

gran

ting

and

man

agem

ent o

f use

rs o

f th

e iP

ass r

emot

e di

al-u

p ut

ility

.

�O

f the

sel

ectio

n of

45

iPas

s U

ser A

gree

men

t for

ms

revi

ewed

:

�Th

ree

did

not s

peci

fy th

e da

te th

at a

cces

s w

as

appr

oved

by

the

requ

esto

r’s

sect

ion

chie

f (o

r eq

uiva

lent

).

�O

ne w

as g

rant

ed s

uper

viso

ry a

ppro

val

afte

r V

PN a

cces

s was

est

ablis

hed

for t

he u

ser.

�O

ne w

as g

rant

ed s

uper

viso

ry a

ppro

val

by t

he

sam

e in

divi

dual

th

at

the

requ

este

d V

PN

acco

unt

was

fo

r, in

dica

ting

a vi

olat

ion

of

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 7

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

segr

egat

ion

of

dutie

s in

th

e m

anag

emen

t re

view

and

app

rova

l of

inf

orm

atio

n sy

stem

ac

cess

.

FEM

A-

IT-1

0-26

The

follo

win

g w

eakn

esse

s no

ted

in F

Y 2

009

cont

inue

to

exi

st in

FY

201

0:

�IF

MIS

-Mer

ger

appl

icat

ion

user

acc

ount

s w

ere

not

prop

erly

app

rove

d or

aut

horiz

ed.

Spec

ifica

lly,

of

the

25 a

ctiv

e ap

plic

atio

n us

ers

sele

cted

for r

evie

w,

FEM

A

was

un

able

to

pr

ovid

e do

cum

ente

d ev

iden

ce t

hat

initi

al a

ccou

nt c

reat

ion

or t

he m

ost

rece

nt m

odifi

catio

ns t

o ac

coun

t pr

ivile

ges

for

6 ac

coun

ts w

ere

auth

oriz

ed.

�Po

licie

s an

d pr

oced

ures

ove

r th

e m

anag

emen

t of

ac

coun

ts o

n th

e IF

MIS

-Mer

ger O

racl

e da

taba

se d

o no

t spe

cify

requ

irem

ents

for p

erfo

rmin

g a

perio

dic

rece

rtific

atio

n of

dat

abas

e ac

coun

ts to

val

idat

e th

e co

ntin

ued

appr

opria

tene

ss o

f acc

ess.

�IF

MIS

-Mer

ger O

racl

e da

taba

se u

ser a

ccou

nts

wer

e no

t pro

perly

app

rove

d or

aut

horiz

ed. S

peci

fical

ly,

of t

he e

ight

act

ive

data

base

use

rs s

elec

ted

for

revi

ew,

appr

oval

for

six

use

r ac

coun

ts w

as n

ot

docu

men

ted

prio

r to

cr

eatio

n of

th

e ac

coun

ts.

App

rova

l w

as n

ot d

ocum

ente

d fo

r th

ese

acco

unts

un

til a

fter t

he a

udit

requ

est f

or d

ocum

enta

tion

was

re

ceiv

ed.

�Th

e FY

20

10

rece

rtific

atio

n of

IF

MIS

-Mer

ger

Ora

cle

data

base

us

er

acco

unts

w

as

neith

er

com

plet

ed

cons

iste

ntly

no

r in

ac

cord

ance

w

ith

FEM

A

polic

y.

Spec

ifica

lly,

we

requ

este

d a

sele

ctio

n of

rec

ertif

icat

ion

form

s fo

r 8

IFM

IS-

Mer

ger d

atab

ase

user

acc

ount

s an

d de

term

ined

that

3

wer

e gr

ante

d to

con

tract

ors,

but C

OTR

app

rova

l

�Id

entif

y an

d im

plem

ent

appr

opria

te

mon

itorin

g co

ntro

ls

to

ensu

re

com

plia

nce

with

in

itial

au

thor

izat

ion

and

mod

ifica

tion

requ

irem

ents

for

ac

coun

ts o

n th

e IF

MIS

-Mer

ger a

pplic

atio

n.

�D

ocum

ent

polic

ies

and

proc

edur

es

over

th

e pe

riodi

c re

certi

ficat

ion

of

all

acco

unts

on

th

e IF

MIS

-Mer

ger d

atab

ase.

�

Ded

icat

e re

sour

ces

to f

ully

impl

emen

t FEM

A a

nd

DH

S re

quire

men

ts

for

a re

certi

ficat

ion

of

all

IFM

IS-M

erge

r dat

abas

e ac

coun

ts a

t lea

st a

nnua

lly,

incl

udin

g re

voki

ng a

cces

s fo

r an

y ac

coun

ts n

ot

curr

ently

in

co

mpl

ianc

e w

ith

the

annu

al

rece

rtific

atio

n.

�Id

entif

y an

d im

plem

ent

appr

opria

te

mon

itorin

g co

ntro

ls

to

ensu

re

com

plia

nce

with

in

itial

au

thor

izat

ion,

m

odifi

catio

n,

and

perio

dic

rece

rtific

atio

n re

quire

men

ts f

or a

ccou

nts

on t

he

IFM

IS-M

erge

r dat

abas

e.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

was

not

doc

umen

ted.

FEM

A-

IT-1

0-27

As

note

d du

ring

the

FY 2

009

audi

t, th

e fo

llow

ing

wea

knes

ses

in

G&

T IF

MIS

O

racl

e da

taba

se

user

ac

coun

t pa

ssw

ord

cont

rols

con

tinue

d to

exi

st i

n FY

20

10:

�W

e de

term

ined

th

at

FEM

A

perf

orm

ed

man

ual

revi

ews

of in

activ

e G

&T

IFM

IS d

atab

ase

acco

unts

on

a m

onth

ly b

asis

to d

isab

le a

ccou

nts

whi

ch h

ad

not b

een

used

in th

e pr

ior 9

0 da

ys.

How

ever

, sin

ce

G&

T IF

MIS

is

ca

tego

rized

as

a

high

im

pact

sy

stem

, re

view

s ar

e re

quire

d to

dis

able

acc

ount

s th

at h

ave

been

ina

ctiv

e fo

r 45

day

s, ac

cord

ing

to

DH

S po

licy.

�Th

e G

&T

IFM

IS d

atab

ase

acco

unt s

ecur

ity p

olic

y di

d no

t en

forc

e pa

ssw

ord

requ

irem

ents

in

ac

cord

ance

with

DH

S po

licy.

Spe

cific

ally

:

�Th

e da

taba

se

did

not

enfo

rce

a pa

ssw

ord

hist

ory

or p

reve

nt re

use

of p

assw

ords

.

�Th

e da

taba

se

did

not

enfo

rce

com

plex

ity

requ

irem

ents

, in

clud

ing

defin

ition

of

a

pass

wor

d ve

rific

atio

n fu

nctio

n to

ens

ure

stro

ng

pass

wor

ds a

re u

sed.

Sp

ecifi

cally

, pa

ssw

ord

leng

th a

nd re

quire

men

ts o

ver t

he u

se o

f mix

ed-

case

, al

phan

umer

ic a

nd s

peci

al c

hara

cter

s to

en

forc

e re

stric

tions

ove

r th

e us

e of

dic

tiona

ry

wor

ds, a

re n

ot d

efin

ed.

�Th

e da

taba

se

did

not

enfo

rce

pass

wor

d ex

pira

tion

afte

r a

pred

eter

min

ed

leng

th

of

time.

�FE

MA

had

not

est

ablis

hed

a fo

rmal

pro

cess

for

ap

prov

ing

emer

genc

y an

d te

mpo

rary

acc

ess

to th

e

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

is f

indi

ng b

ecau

se o

f th

e de

com

mis

sion

ing

of G

&T

IFM

IS in

June

201

0.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

G&

T IF

MIS

dat

abas

e th

at is

com

plia

nt w

ith D

HS

requ

irem

ents

. Sp

ecifi

cally

, em

erge

ncy

and

tem

pora

ry a

cces

s to

the

dat

abas

e fo

r in

divi

dual

s w

ith

elev

ated

pr

ivile

ges,

incl

udin

g ac

cess

fo

r co

ntra

ctor

dev

elop

men

t per

sonn

el, i

s ap

prov

ed b

y th

e Fi

nanc

ial S

yste

ms

Sect

ion

(FSS

) C

hief

and

/or

his/

her s

taff

, not

by

the

FEM

A C

ISO

or a

des

igne

e,

as re

quire

d by

DH

S po

licy.

Add

ition

ally

, a fo

rmal

pr

oces

s sp

ecifi

cally

add

ress

ing

proc

edur

es f

or t

he

gran

ting

of t

empo

rary

acc

ess

to t

he d

atab

ase

and

ensu

ring

that

acc

ess

is re

mov

ed in

a ti

mel

y m

anne

r w

as n

ot d

ocum

ente

d w

ithin

exi

stin

g IF

MIS

acc

ess

cont

rol p

olic

ies

and

proc

edur

es.

Furth

erm

ore,

we

dete

rmin

ed t

hat

thro

ugh

this

pro

cess

the

G&

T IF

MIS

Ora

cle

data

base

ac

cess

w

as g

rant

ed

to

cont

ract

ed

deve

lopm

ent

pers

onne

l in

or

der

to

impl

emen

t da

taba

se

chan

ges

to

G&

T IF

MIS

, w

hich

con

tinue

s to

con

flict

with

seg

rega

tion

of

dutie

s prin

cipl

es.

Whi

le w

e no

ted

that

the

mer

ger o

f the

G&

T IF

MIS

and

C

ore

IFM

IS i

nsta

nces

occ

urre

d in

Feb

ruar

y 20

10 a

nd

the

exis

ting

G&

T IF

MIS

O

racl

e da

taba

se

was

de

com

mis

sion

ed i

n Ju

ne 2

010,

the

wea

knes

ses

note

d ex

iste

d fo

r the

maj

ority

of t

he fi

scal

yea

r.

FEM

A-

IT-1

0-28

Wea

knes

ses n

oted

in F

Y 2

009

over

C&

A o

f the

FEM

A

LAN

an

d su

bsys

tem

s th

at

host

in

-sco

pe

finan

cial

ap

plic

atio

ns c

ontin

ue to

exi

st in

FY

201

0. D

urin

g ou

r FY

201

0 au

dit,

we

note

d th

at F

EMA

has

cla

ssifi

ed

regi

onal

LA

Ns a

s sub

syst

ems a

nd in

clud

ed th

em w

ithin

th

e de

fined

sys

tem

bou

ndar

y of

the

FEM

A S

witc

hed

Net

wor

k (F

SN)-

2. W

e no

ted

the

follo

win

g w

eakn

esse

s in

the

C&

A o

f th

e FS

N-2

Gen

eral

Sup

port

Syst

em

(GSS

) tha

t inc

lude

s the

FEM

A L

AN

s:

�Th

e FS

N-2

GSS

C

&A

was

no

t co

mpl

eted

in

�C

ontin

ue

to

fully

id

entif

y an

d de

coup

le

all

com

pone

nts

of

the

FSN

-2

plat

form

, in

clud

ing

regi

onal

LA

Ns

and

Gen

eral

Su

ppor

t Sy

stem

s, w

hich

hos

t or

sup

port

IFM

IS a

nd N

EMIS

, an

d pe

rfor

m a

ll re

quire

d C

ertif

icat

ion

& A

ccre

dita

tion

activ

ities

ove

r ea

ch c

ompo

nent

as

requ

ired

by

DH

S po

licy

and

NIS

T gu

idan

ce.

�Fo

rmal

ly

assi

gn

and

docu

men

t se

curit

y re

spon

sibi

litie

s fo

r al

l co

mpo

nent

s of

the

FSN

-2

plat

form

, in

clud

ing

regi

onal

LA

Ns

and

Gen

eral

Su

ppor

t Sy

stem

s, w

hich

hos

t or

sup

port

IFM

IS

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

com

plia

nce

with

DH

S an

d N

IST

requ

irem

ents

and

ha

s no

t be

en u

pdat

ed t

o ac

cura

tely

ref

lect

the

cu

rren

t GSS

env

ironm

ent.

Spe

cific

ally

:

�Th

e au

thor

izin

g of

ficia

ls a

nd in

divi

dual

s no

ted

as

resp

onsi

ble

for

the

secu

rity

role

s fo

r m

ultip

le r

egio

nal

LAN

s an

d su

bsys

tem

s ar

e no

t acc

urat

ely

refle

cted

in th

e SS

P in

clud

ed in

th

e C

&A

pac

kage

as

empl

oyee

s w

ith s

peci

fied

role

s no

long

er w

ork

for F

EMA

in th

e ca

paci

ty

note

d.

�W

hile

th

e M

aryl

and

Nat

iona

l Pr

oces

sing

Se

rvic

e C

ente

r is

iden

tifie

d as

a s

ubsy

stem

in

the

over

arch

ing

FSN

-2 G

SS C

&A

pac

kage

SS

P, C

&A

act

iviti

es h

ave

not b

een

perf

orm

ed

over

this

subs

yste

m.

�D

HS

polic

y re

quire

s an

nual

te

stin

g of

IT

co

ntin

genc

y pl

ans

for

info

rmat

ion

syst

ems

with

a h

igh

impa

ct a

vaila

bilit

y ca

tego

rizat

ion,

su

ch a

s th

e FS

N-2

GSS

. H

owev

er, t

he m

ost

rece

nt t

est

of t

he F

SN-2

IT

cont

inge

ncy

plan

w

as p

erfo

rmed

and

doc

umen

ted

durin

g FY

20

08.

�D

HS

polic

y re

quire

s th

at r

isk

asse

ssm

ents

be

cond

ucte

d fo

r in

form

atio

n sy

stem

s no

les

s fr

eque

ntly

tha

n ev

ery

thre

e ye

ars.

How

ever

, th

e m

ost r

ecen

t ST&

E w

as d

ocum

ente

d du

ring

FY 2

006.

�Th

e m

ost r

ecen

t ATO

gra

nted

by

the

FEM

A C

IO

expi

red

on J

anua

ry 2

2, 2

010,

and

the

FSN

-2 G

SS

is c

urre

ntly

ope

ratin

g w

ithou

t au

thor

izat

ion

from

FE

MA

man

agem

ent.

�A

lthou

gh t

he C

&A

pac

kage

ref

eren

ces

vario

us

and

NEM

IS.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

subs

yste

ms

supp

ortin

g an

d ho

stin

g IF

MIS

an

d N

EMIS

, FE

MA

m

anag

emen

t w

as

unab

le

to

iden

tify

and

conf

irm

the

FSN

-2

subs

yste

ms

(incl

udin

g re

gion

al L

AN

s) th

at h

ost t

he p

rodu

ctio

n se

rver

s fo

r N

EMIS

an

d IF

MIS

ap

plic

atio

ns.

Con

sequ

ently

, we

wer

e un

able

to

test

the

hos

ting

envi

ronm

ent

supp

ortin

g fin

anci

al a

pplic

atio

ns i

n-sc

ope

for t

he F

Y 2

010

envi

ronm

ent.

FEM

A-

IT-1

0-29

Dur

ing

the

FY 2

009

FEM

A In

tegr

ated

Aud

it, w

e no

ted

that

a C

&A

of

PAR

S ha

d no

t bee

n pe

rfor

med

and

the

syst

em h

ad n

ot r

ecei

ved

an A

TO s

ince

bec

omin

g op

erat

iona

l in

th

e FE

MA

en

viro

nmen

t.

Whi

le

impr

ovem

ents

wer

e no

ted

in t

his

cond

ition

for

FY

20

10,

we

dete

rmin

ed

that

th

e fo

llow

ing

C&

A

wea

knes

ses o

ver P

AR

S co

ntin

ue to

exi

st:

In F

Y 2

010,

the

PA

RS

data

base

was

inc

lude

d w

ithin

th

e ac

cred

itatio

n bo

unda

ry

for

the

IFM

IS-M

erge

r sy

stem

, w

hich

was

gra

nted

an

ATO

in

June

201

0.

How

ever

, prio

r to

that

dat

e, th

e PA

RS

data

base

was

not

ce

rtifie

d an

d ac

cred

ited

and

cons

eque

ntly

, op

erat

ed

with

out a

n A

TO fo

r the

maj

ority

of F

Y 2

010.

�A

ll ot

her

syst

em c

ompo

nent

s of

PA

RS,

incl

udin

g th

e w

eb

and

appl

icat

ion

serv

ers,

cont

inue

d to

op

erat

e w

ithou

t an

ATO

, and

evi

denc

e th

at C

&A

ef

forts

fo

r th

ese

com

pone

nts

of

PAR

S w

ere

com

plet

ed a

nd a

ppro

ved

by F

EMA

man

agem

ent

coul

d no

t be

obt

aine

d fr

om F

EMA

for

rev

iew

du

ring

the

FY 2

010

audi

t.

�A

t th

e tim

e of

our

tes

t pr

oced

ures

, an

ISS

O h

ad

not

been

fo

rmal

ly

desi

gnat

ed

by

FEM

A

man

agem

ent

for

the

PAR

S w

eb

serv

er

and

appl

icat

ion.

Whi

le w

e w

ere

info

rmed

by

FEM

A IT

Se

curit

y M

anag

emen

t tha

t the

PA

RS

data

base

was

ad

min

iste

red

by a

n IS

SO u

nder

the

Cor

e IF

MIS

,

�Fo

rmal

ly d

esig

nate

an

ISSO

for

the

PA

RS

web

se

rver

and

app

licat

ion

envi

ronm

ent.

�C

ertif

y an

d ac

cred

it th

e PA

RS

web

ser

ver

and

appl

icat

ion

envi

ronm

ent,

incl

udin

g do

cum

enta

tion

of

all

requ

ired

artif

acts

in

ac

cord

ance

w

ith

appl

icab

le D

HS

polic

ies a

nd F

eder

al g

uida

nce.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

we

dete

rmin

ed t

hat

no f

orm

al d

esig

natio

n of

thi

s re

spon

sibi

lity

was

ass

igne

d un

til F

Y 2

010

beca

use

the

PAR

S da

taba

se w

as n

ot in

clud

ed in

the

C&

A

boun

dary

fo

r C

ore

IFM

IS

and

no

addi

tiona

l de

sign

atio

n le

tters

wer

e is

sued

. A

s a

resu

lt, t

he

PAR

S da

taba

se d

id n

ot h

ave

a fo

rmal

des

igna

tion

of s

ecur

ity r

espo

nsib

ilitie

s fo

r th

e m

ajor

ity o

f th

e fis

cal y

ear.

FEM

A-

IT-1

0-30

As

note

d du

ring

the

FY 2

009

audi

t re

late

d to

Cor

e IF

MIS

, w

e de

term

ined

th

at

wea

knes

ses

over

th

e au

thor

izat

ion

of e

mer

genc

y an

d te

mpo

rary

acc

ess

to

the

IFM

IS –

Mer

ger

Ora

cle

data

base

con

tinue

to e

xist

in

FY

201

0. S

peci

fical

ly, F

EMA

has

not

est

ablis

hed

a fo

rmal

pr

oces

s fo

r ap

prov

ing

emer

genc

y an

d te

mpo

rary

acc

ess

to th

e IF

MIS

-Mer

ger d

atab

ase

that

is

com

plia

nt w

ith D

HS

requ

irem

ents

. D

urin

g ou

r FY

20

10

test

ing,

w

e de

term

ined

th

at

emer

genc

y an

d te

mpo

rary

acc

ess

to t

he d

atab

ase

for

indi

vidu

als

with

el

evat

ed p

rivile

ges,

incl

udin

g ac

cess

for

con

tract

or

deve

lopm

ent

pers

onne

l, is

app

rove

d by

the

Fin

anci

al

Syst

ems

Sect

ion

(FSS

) C

hief

and

/or

his/

her

staf

f, no

t by

the

FEM

A C

ISO

or a

des

igne

e, a

s re

quire

d by

DH

S po

licy.

A

dditi

onal

ly,

a fo

rmal

pr

oces

s sp

ecifi

cally

ad

dres

sing

pro

cedu

res

for

the

gran

ting

of t

empo

rary

ac

cess

to

the

data

base

and

ens

urin

g th

at a

cces

s is

re

mov

ed in

a ti

mel

y m

anne

r ha

s no

t bee

n do

cum

ente

d w

ithin

exi

stin

g IF

MIS

-Mer

ger

acce

ss c

ontro

l po

licie

s an

d pr

oced

ures

.

Furth

erm

ore,

we

dete

rmin

ed t

hat

thro

ugh

this

pro

cess

th

e IF

MIS

-Mer

ger O

racl

e da

taba

se a

cces

s is

gra

nted

to

cont

ract

ed

deve

lopm

ent

pers

onne

l in

or

der

to

impl

emen

t da

taba

se c

hang

es t

o IF

MIS

-Mer

ger,

whi

ch

cont

inue

s to

co

nflic

t w

ith

segr

egat

ion

of

dutie

s pr

inci

ples

.

We

reco

mm

end

that

FEM

A d

ocum

ent a

nd im

plem

ent a

fo

rmal

pro

cess

for

gra

ntin

g em

erge

ncy

and

tem

pora

ry

acce

ss t

o th

e IF

MIS

-Mer

ger

data

base

tha

t in

clud

es

guid

ance

ove

r al

l ty

pes

of a

ccou

nts

auth

oriz

ed f

or

tem

pora

ry a

nd e

mer

genc

y ac

cess

, seg

rega

tion

of d

utie

s co

nsid

erat

ions

, an

d ap

prop

riate

app

rova

l fr

om F

EMA

m

anag

emen

t in

acco

rdan

ce w

ith D

HS

polic

y.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

FEM

A-

IT-1

0-31

Dur

ing

our

unan

noun

ced

enha

nced

sec

urity

tes

ting

perf

orm

ed d

urin

g th

e FY

201

0 in

tegr

ated

aud

it, w

e no

ted

that

the

FEM

A S

ecur

ity O

pera

tion

Cen

ter (

SOC

) pr

oact

ivel

y tra

cked

and

rep

orte

d in

cide

nts

rela

ted

to

soci

al

engi

neer

ing

atte

mpt

s pe

rfor

med

at

FE

MA

he

adqu

arte

rs a

nd re

gion

al o

ffic

es th

roug

h im

plem

ente

d ad

hoc

pro

cess

es. H

owev

er, w

eakn

esse

s no

ted

durin

g th

e FY

20

09

inte

grat

ed

audi

t re

late

d to

FE

MA

’s

inci

dent

res

pons

e pr

ogra

m c

ontin

ue t

o ex

ist

in F

Y

2010

.

Spec

ifica

lly,

stan

dard

op

erat

ing

proc

edur

es

for

the

man

agem

ent

of F

EMA

IT

secu

rity

inci

dent

s ha

ve n

ot

been

for

mal

ly a

ppro

ved

and

impl

emen

ted

by F

EMA

m

anag

emen

t. C

onse

quen

tly,

FEM

A

has

not

impl

emen

ted

DH

S po

licy

requ

irem

ents

to

esta

blis

h a

docu

men

ted

and

form

ally

app

rove

d co

mpo

nent

-leve

l in

cide

nt r

espo

nse

fram

ewor

k or

cap

abili

ty,

incl

udin

g ro

les,

resp

onsi

bilit

ies,

and

proc

esse

s re

late

d to

the

id

entif

icat

ion,

eva

luat

ion,

and

reso

lutio

n of

all

secu

rity

inci

dent

s.

We

reco

mm

end

that

FEM

A f

orm

ally

app

rove

and

im

plem

ent p

roce

dure

s fo

r man

agin

g se

curit

y in

cide

nts.

Spec

ifica

lly,

proc

edur

es s

houl

d cl

early

out

line

role

s an

d re

spon

sibi

litie

s re

quire

d to

mai

ntai

n a

cont

inuo

us

inci

dent

re

spon

se

capa

bilit

y an

d de

fine

proc

esse

s re

late

d to

the

iden

tific

atio

n, e

valu

atio

n, a

nd r

esol

utio

n of

all

secu

rity

inci

dent

s, as

req

uire

d by

DH

S an

d FE

MA

pol

icy.

X

3

FEM

A-

IT-1

0-32

In F

Y 2

009,

we

iden

tifie

d w

eakn

esse

s ov

er F

EMA

’s

patc

h m

anag

emen

t pro

gram

as

it re

late

s to

Cor

e IF

MIS

an

d G

&T

IFM

IS.

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

w

e de

term

ined

tha

t w

hile

FEM

A h

as f

inal

ized

and

fo

rmal

ly i

mpl

emen

ted

the

FEM

A O

ffice

of

the

Chi

ef

Info

rmat

ion

Offi

cer

(OC

IO)

Stan

dard

O

pera

ting

Proc

edur

e (S

OP)

for V

ulne

rabi

lity

Patc

h M

anag

emen

t, th

e SO

P w

as

not

appr

oved

un

til

Apr

il 8,

20

10.

Con

sequ

ently

, FE

MA

did

not

hav

e a

form

al p

atch

m

anag

emen

t pr

oced

ure

appl

icab

le

to

the

IFM

IS

envi

ronm

ents

for

a m

ajor

ity o

f th

e fis

cal

year

. Giv

en

the

timin

g of

th

e SO

P’s

appr

oval

, th

e pa

tch

man

agem

ent

proc

edur

es c

ould

not

be

impl

emen

ted

whe

n G

&T

IFM

IS w

as o

pera

tiona

l as

it

was

mer

ged

with

Cor

e IF

MIS

in F

ebru

ary

2010

.

We

reco

mm

end

that

FEM

A f

urth

er d

edic

ate

reso

urce

s to

do

cum

ent

and

fully

im

plem

ent

com

preh

ensi

ve

syst

em-s

peci

fic

patc

h m

anag

emen

t pr

oced

ures

to

en

sure

th

at

IFM

IS-M

erge

r op

erat

ing

syst

em

and

data

base

pat

ches

are

tes

ted

and

depl

oyed

in

a tim

ely

man

ner,

in a

ccor

danc

e w

ith D

HS

and

FEM

A p

olic

y.

No

corr

ectiv

e ac

tion

spec

ific

to t

he p

ortio

n of

thi

s fin

ding

re

late

d to

G

&T

IFM

IS

will

be

pr

ovid

ed

beca

use

of th

e de

com

mis

sion

ing

of th

at s

yste

m in

Jun

e 20

10.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Add

ition

ally

, we

dete

rmin

ed th

at F

EMA

has

not

ful

ly

and

cons

iste

ntly

im

plem

ente

d th

e re

quire

men

ts a

nd

proc

edur

es d

ocum

ente

d in

the

SOP

for

IFM

IS-M

erge

r in

acc

orda

nce

with

FEM

A a

nd D

HS

guid

ance

.

FEM

A-

IT-1

0-33

Wea

knes

ses

note

d in

FY

20

09

over

FE

MA

’s

info

rmat

ion

secu

rity

vuln

erab

ility

m

anag

emen

t pr

ogra

m a

s it

rela

tes

to N

EMIS

con

tinue

to e

xist

in F

Y

2010

. Sp

ecifi

cally

:

�FE

MA

doe

s no

t ha

ve d

ocum

ente

d an

d ap

prov

ed

proc

edur

es

that

es

tabl

ish

form

al

requ

irem

ents

, pr

oces

ses,

and

resp

onsi

bilit

ies

for

perf

orm

ing

regu

lar v

ulne

rabi

lity

scan

s of N

EMIS

.

�Th

e lis

t of N

EMIS

serv

ers c

urre

ntly

scan

ned

by th

e SO

C i

s in

com

plet

e an

d do

es n

ot r

epre

sent

the

cu

rren

t N

EMIS

sys

tem

bou

ndar

y as

def

ined

by

syst

em

owne

rs

and

IT

secu

rity

man

agem

ent.

Add

ition

ally

, N

EMIS

sy

stem

ow

ners

ar

e no

t re

ceiv

ing

listin

gs o

f al

l vu

lner

abili

ties

note

d on

th

eir

syst

em

com

pone

nts

to

ensu

re

corr

ectiv

e ac

tion

is tr

acke

d an

d re

med

iate

d.

�C

orre

ctiv

e ac

tion

over

vul

nera

bilit

ies

iden

tifie

d th

roug

h SO

C in

tern

al s

cans

of

NEM

IS p

rodu

ctio

n se

rver

s is

not

for

mal

ly t

rack

ed v

ia t

he P

lan

of

Act

ions

&

M

ilest

ones

(P

OA

&M

) pr

oces

s, as

re

quire

d by

DH

S po

licy.

�Es

tabl

ish

and

impl

emen

t do

cum

ente

d pr

oced

ures

th

at d

efin

e fo

rmal

req

uire

men

ts,

proc

esse

s, an

d re

spon

sibi

litie

s fo

r pe

rfor

min

g pe

riodi

c vu

lner

abili

ty s

cans

of

NEM

IS p

rodu

ctio

n se

rver

s. A

dditi

onal

ly,

ensu

re

thes

e pr

oced

ures

in

clud

e re

quire

men

ts f

or r

epor

ting

and

track

ing

reso

lutio

n of

wea

knes

ses

iden

tifie

d du

ring

inte

rnal

NEM

IS

vuln

erab

ility

sc

ans

in

acco

rdan

ce

with

D

HS

POA

&M

gui

danc

e.

�R

evis

e lis

ting

of N

EMIS

ser

vers

sca

nned

by

the

FEM

A S

OC

to

ensu

re t

hat

vuln

erab

ility

sca

ns

perf

orm

ed i

nclu

de a

ll N

EMIS

ser

vers

with

in t

he

curr

ent

oper

atin

g en

viro

nmen

t. A

dditi

onal

ly,

deve

lop

and

impl

emen

t pr

oced

ures

to

ensu

re t

hat

this

list

ing

is p

erio

dica

lly re

-eva

luat

ed a

nd u

pdat

ed

as a

ppro

pria

te.

�R

evis

e th

e SO

C d

istri

butio

n lis

ting

of N

EMIS

sy

stem

ow

ners

and

oth

er a

ppro

pria

te I

T se

curit

y m

anag

emen

t to

fu

rther

de

fine

pers

onne

l re

spon

sibl

e fo

r re

med

iatin

g an

d fo

rmal

ly t

rack

ing

all

vuln

erab

ilitie

s id

entif

ied

over

th

e va

rious

N

EMIS

com

pone

nts.

Add

ition

ally

, de

velo

p an

d im

plem

ent p

roce

dure

s to

ens

ure

that

this

list

ing

is

perio

dica

lly

re-e

valu

ated

an

d up

date

d as

ap

prop

riate

.

X

2

FEM

A-

IT-1

0-34

Wea

knes

ses

note

d in

FY

20

09

over

FE

MA

’s

info

rmat

ion

secu

rity

vuln

erab

ility

m

anag

emen

t pr

ogra

m a

s it

rela

tes

to G

&T

IFM

IS a

nd I

FMIS

-M

erge

r con

tinue

to e

xist

in F

Y 2

010.

Spe

cific

ally

:

We

reco

mm

end

that

FEM

A e

stab

lish

and

impl

emen

t do

cum

ente

d pr

oced

ures

th

at

defin

e fo

rmal

re

quire

men

ts,

proc

esse

s, an

d re

spon

sibi

litie

s fo

r pe

rfor

min

g re

gula

r vu

lner

abili

ty

scan

s of

IF

MIS

-M

erge

r. A

dditi

onal

ly,

proc

edur

es

shou

ld

incl

ude

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�FE

MA

did

not

hav

e do

cum

ente

d an

d ap

prov

ed

proc

edur

es

that

es

tabl

ish

form

al

requ

irem

ents

, pr

oces

ses,

and

resp

onsi

bilit

ies

for

perf

orm

ing

regu

lar

vuln

erab

ility

sca

ns o

f G

&T

IFM

IS a

nd

IFM

IS-M

erge

r.

�Fo

r on

e of

the

thr

ee m

onth

s se

lect

ed f

or t

estin

g,

vuln

erab

ility

sca

ns w

ere

not

perf

orm

ed f

or t

he

G&

T IF

MIS

pro

duct

ion

serv

er.

�Fo

r al

l th

ree

mon

ths

sele

cted

fo

r te

stin

g,

vuln

erab

ilitie

s re

porte

d by

the

FEM

A S

OC

ove

r th

e G

&T

IFM

IS a

nd I

FMIS

-Mer

ger

prod

uctio

n se

rver

s w

ere

not f

orm

ally

trac

ked

via

the

POA

&M

pr

oces

s, as

requ

ired

by D

HS

polic

y.

requ

irem

ents

for

rep

ortin

g an

d tra

ckin

g re

solu

tion

of

wea

knes

ses

iden

tifie

d du

ring

inte

rnal

IFM

IS-M

erge

r vu

lner

abili

ty s

cans

in

acco

rdan

ce w

ith D

HS

POA

&M

gu

idan

ce.

No

corr

ectiv

e ac

tion

spec

ific

to t

he p

ortio

n of

thi

s fin

ding

re

late

d to

G

&T

IFM

IS

will

be

pr

ovid

ed

beca

use

of th

e de

com

mis

sion

ing

of th

at s

yste

m in

Jun

e 20

10.

FEM

A-

IT-1

0-35

In F

Y 2

009,

we

iden

tifie

d w

eakn

esse

s ov

er F

EMA

’s

patc

h m

anag

emen

t pro

gram

rela

ted

to N

EMIS

. D

urin

g th

e FY

201

0 in

tegr

ated

aud

it, w

e de

term

ined

that

whi

le

FEM

A h

as f

inal

ized

and

for

mal

ly i

mpl

emen

ted

the

FEM

A

OC

IO

SOP

for

Vul

nera

bilit

y Pa

tch

Man

agem

ent,

the

SOP

was

not

app

rove

d un

til A

pril

8,

2010

. C

onse

quen

tly,

FEM

A d

id n

ot h

ave

a fo

rmal

pa

tch

man

agem

ent p

roce

dure

app

licab

le to

the

NEM

IS

envi

ronm

ent

for

a m

ajor

ity

of

the

fisca

l ye

ar.

Add

ition

ally

, we

dete

rmin

ed th

at F

EMA

has

not

ful

ly

and

cons

iste

ntly

im

plem

ente

d th

e re

quire

men

ts a

nd

proc

edur

es d

ocum

ente

d in

the

SO

P fo

r al

l N

EMIS

co

mpo

nent

s in

ac

cord

ance

w

ith

FEM

A

and

DH

S gu

idan

ce.

We

reco

mm

end

that

FEM

A fu

rther

doc

umen

t and

fully

im

plem

ent

com

preh

ensi

ve

syst

em-s

peci

fic

patc

h m

anag

emen

t pr

oced

ures

to

en

sure

th

at

NEM

IS

oper

atin

g sy

stem

and

dat

abas

e pa

tche

s ar

e te

sted

and

de

ploy

ed in

a ti

mel

y m

anne

r, in

acc

orda

nce

with

DH

S an

d FE

MA

pol

icy.

Add

ition

ally

, th

ese

polic

ies

and

proc

edur

es

shou

ld

incl

ude

form

al

desi

gnat

ion

of

resp

onsi

bilit

ies

for

over

sigh

t an

d im

plem

enta

tion

of

requ

ired

patc

h m

anag

emen

t ac

tiviti

es f

or a

ll N

EMIS

co

mpo

nent

s to

ensu

re c

ompl

ianc

e at

the

syst

em le

vel.

X

2

FEM

A-

IT-1

0-36

Wea

knes

ses

iden

tifie

d in

FY

200

9 re

late

d to

the

test

ing

of N

EMIS

pro

duct

ion

data

base

bac

kup

tape

s co

ntin

ue

to e

xist

in F

Y 2

010.

Spe

cific

ally

:

�D

urin

g tw

o qu

arte

rs o

f FY

201

0, F

EMA

con

duct

ed

rest

orat

ion

test

s of

bac

kup

tape

s fo

r on

e sp

ecifi

c

�D

evel

op

and

impl

emen

t ba

ckup

po

licie

s an

d pr

oced

ures

to

ensu

re t

hat

all

NEM

IS c

ompo

nent

s ar

e ba

cked

up

an

d ba

ckup

m

edia

is

st

ored

in

/rota

ted

to a

n of

f-si

te fa

cilit

y ac

cord

ing

to F

EMA

an

d D

HS

requ

irem

ents

. �

Rev

ise

or

deve

lop

polic

ies

and

proc

edur

es

to

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

NEM

IS d

atab

ase

whi

le F

EMA

’s S

OP

for

Tape

B

acku

p Te

stin

g do

cum

ents

requ

irem

ents

for

the

te

stin

g of

39

da

taba

ses.

C

onse

quen

tly,

we

dete

rmin

ed

that

FE

MA

di

d no

t re

gula

rly

test

ba

ckup

tap

es c

onta

inin

g al

l N

EMIS

pro

duct

ion

data

base

dat

a du

ring

the

fisca

l yea

r.

�A

dditi

onal

ly,

whi

le w

e no

ted

that

the

Sta

ndar

d O

pera

ting

Proc

edur

e fo

r Ta

pe

Bac

kup

Test

ing

assi

gns

resp

onsi

bilit

y fo

r te

stin

g ba

ckup

tap

es i

n ac

cord

ance

with

a d

efin

ed s

ched

ule

to N

EMIS

IT

secu

rity

man

agem

ent,

adm

inis

trato

rs,

and

syst

em

owne

rs,

the

SOP

was

not

upd

ated

to

refle

ct t

he

requ

ired

sche

dule

for

per

form

ing

tape

res

tora

tion

test

s.

Furth

erm

ore,

we

note

d th

e fo

llow

ing

new

wea

knes

ses

rela

ted

to c

ontro

ls o

ver

the

perf

orm

ance

of

NEM

IS

data

base

bac

kups

:

�FE

MA

has

not

for

mal

ly d

efin

ed a

nd d

ocum

ente

d pr

oced

ures

tha

t ou

tline

pro

cess

es f

or p

erfo

rmin

g ba

ckup

s of

NEM

IS p

rodu

ctio

n da

taba

ses

and

for

rota

ting

and

phys

ical

ly s

ecur

ing

back

up ta

pes

off-

site

.

�FE

MA

w

as

unab

le

to

prov

ide

requ

este

d do

cum

enta

tion

to e

vide

nce

that

any

of

the

39

NEM

IS

prod

uctio

n da

taba

ses

iden

tifie

d in

th

e St

anda

rd O

pera

ting

Proc

edur

e fo

r Ta

pe B

acku

p Te

stin

g ar

e cu

rren

tly b

eing

bac

ked

up.

perio

dica

lly

test

an

d do

cum

ent

test

ing

of

the

NEM

IS b

acku

ps i

n co

mpl

ianc

e w

ith F

EMA

and

D

HS

requ

irem

ents

. In

addi

tion,

ens

ure

that

pol

icie

s an

d pr

oced

ures

ar

e im

plem

ente

d to

pe

rfor

m

perio

dic

rest

orat

ion

test

ing

of

all

NEM

IS

prod

uctio

n da

taba

ses

in

acco

rdan

ce

with

es

tabl

ishe

d re

quire

men

ts.

FEM

A-

IT-1

0-37

Dur

ing

our

soci

al

engi

neer

ing

test

ing,

se

vera

l pe

rson

nel p

rovi

ded

us w

ith u

ser I

Ds a

nd/o

r pas

swor

ds.

It sh

ould

be

note

d th

at s

ever

al p

erso

nnel

tha

t w

e co

ntac

ted

by

phon

e du

ring

our

soci

al

engi

neer

ing

phon

e ca

lls c

halle

nged

our

req

uest

s fo

r us

er a

cces

s

We

reco

mm

end

that

FEM

A m

anag

emen

t re

view

the

ef

fect

iven

ess

of e

xist

ing

secu

rity

awar

enes

s pr

ogra

ms

desi

gned

to

pr

otec

t “n

eed-

to-k

now

” in

form

atio

n,

incl

udin

g IT

sys

tem

acc

ess

cred

entia

ls, a

nd e

nsur

e th

at

indi

vidu

als

are

adeq

uate

ly i

nstru

cted

and

rem

inde

d of

th

eir

role

s in

th

e pr

otec

tion

of

sens

itive

sy

stem

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 8

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

cred

entia

ls b

y lo

okin

g up

our

ass

umed

nam

es i

n th

e FE

MA

di

rect

ory

to

dete

rmin

e if

we

wer

e FE

MA

pe

rson

nel,

requ

estin

g em

ploy

ee I

Ds,

aski

ng f

or h

elp

desk

tic

ket

num

bers

ass

ocia

ted

with

our

cal

ls,

and

repo

rting

our

atte

mpt

s to

supe

rvis

ors.

Whi

le in

divi

dual

s co

ntac

ted

repr

esen

ted

seve

ral o

ffic

es

in m

ultip

le F

EMA

regi

ons

as w

ell a

s H

eadq

uarte

rs, o

ur

sele

ctio

n of

ind

ivid

uals

was

not

sta

tistic

ally

der

ived

. Th

eref

ore,

we

are

unab

le t

o pr

ojec

t th

ese

resu

lts t

o FE

MA

as a

who

le.

info

rmat

ion

from

un

auth

oriz

ed

indi

vidu

als

thro

ugh

form

al,

perio

dic

com

mun

icat

ions

an

d/or

se

curit

y aw

aren

ess t

rain

ing.

FEM

A-

IT-1

0-38

Dur

ing

our

afte

r-ho

urs

phys

ical

se

curit

y te

stin

g co

nduc

ted

on J

uly

20,

2010

, w

e no

ted

inst

ance

s of

im

prop

erly

pro

tect

ed a

uthe

ntic

atio

n cr

eden

tials

, sys

tem

in

form

atio

n, in

form

atio

n te

chno

logy

ass

ets,

and

PII

in

the

faci

litie

s ins

pect

ed.

Som

e of

the

inst

ance

s of

impr

oper

ly s

ecur

ed P

II n

oted

in

th

e ta

ble

abov

e co

nsis

ted

of

larg

e st

acks

of

do

cum

ents

or c

ompi

led

spre

adsh

eets

that

con

tain

ed P

II

for

num

erou

s in

divi

dual

s co

nduc

ting

busi

ness

for

or

with

FE

MA

.

Exce

ptio

ns

cate

goriz

ed

as

“Oth

er’

cons

iste

d of

lapt

ops

and

othe

r IT

ass

ets

not p

hysi

cally

se

cure

d/lo

cked

to w

orks

pace

s, un

secu

red

bank

acc

ount

an

d go

vern

men

t tra

vel

card

inf

orm

atio

n, a

nd t

he l

ack

of a

dequ

ate

lock

ing

mec

hani

sms

on a

ser

ver

room

do

or.

Our

se

lect

ion

of

area

s at

ea

ch

faci

lity

that

w

ere

insp

ecte

d w

as n

ot s

tatis

tical

ly d

eriv

ed,

and

ther

efor

e,

we

are

unab

le to

pro

ject

resu

lts to

FEM

A a

s a w

hole

.

We

reco

mm

end

that

FEM

A m

anag

emen

t re

view

the

ef

fect

iven

ess

of e

xist

ing

secu

rity

awar

enes

s pr

ogra

ms

desi

gned

to

prot

ect

elec

troni

c an

d ph

ysic

al d

ata,

PII

, an

d FO

UO

ag

ency

in

form

atio

n an

d en

sure

th

at

indi

vidu

als

are

adeq

uate

ly i

nstru

cted

and

rem

inde

d of

th

eir

role

s in

the

pro

tect

ion

of b

oth

elec

troni

c an

d ph

ysic

al F

EMA

dat

a an

d ha

rdw

are

thro

ugh

form

al,

perio

dic

com

mun

icat

ions

and

/or

secu

rity

awar

enes

s tra

inin

g.

X

2

FEM

A-

IT-1

0-39

As

note

d du

ring

the

FY

2009

au

dit,

wea

knes

ses

cont

inue

to e

xist

ove

r the

seg

rega

tion

of d

utie

s co

ntro

ls

for

the

mig

ratio

n of

IF

MIS

-Mer

ger

chan

ges

into

pr

oduc

tion.

Spe

cific

ally

:

We

reco

mm

end

that

FEM

A d

ocum

ent a

nd im

plem

ent

polic

ies

and

proc

edur

es

to

limit

IFM

IS-M

erge

r de

velo

per

acce

ss t

o th

e pr

oduc

tion

envi

ronm

ent

to

“rea

d on

ly”

and

segr

egat

e th

e re

spon

sibi

lity

for

depl

oyin

g ap

plic

atio

n co

de c

hang

es i

nto

prod

uctio

n

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

0

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�Th

e FE

MA

dev

elop

men

t co

ntra

ctor

con

tinue

s to

de

ploy

ch

ange

s in

to

the

UN

IX

prod

uctio

n en

viro

nmen

t th

roug

h th

e us

e of

th

e sh

ared

“i

fmis

cm”

acco

unt.

We

note

d th

at F

EMA

cha

nge

man

agem

ent

pers

onne

l ar

e fo

llow

ing

SOPs

tha

t ou

tline

the

con

trols

int

ende

d to

miti

gate

the

ris

k as

soci

ated

w

ith

the

IFM

IS-M

erge

r de

velo

pers

ha

ving

the

abili

ty to

mig

rate

cha

nges

to th

e IF

MIS

-M

erge

r pro

duct

ion

envi

ronm

ent.

In p

artic

ular

, the

O

ffice

of

the

Chi

ef F

inan

cial

Offi

cer

(OC

FO)

IFM

IS

Syst

em

Cha

nge

Requ

est

(SC

R)

SOP

requ

ires

the

lock

ing

and

unlo

ckin

g of

th

e “i

fmis

cm”

acco

unt

by

syst

em

adm

inis

trato

rs

durin

g th

e im

plem

enta

tion

of s

oftw

are

chan

ges

into

pro

duct

ion.

H

owev

er,

we

dete

rmin

ed t

hat

whi

le

the

SCR

SO

P st

ates

th

at

syst

em

adm

inis

trato

rs w

ill p

erio

dica

lly m

onito

r pro

duct

ion

dire

ctor

ies

to d

etec

t upd

ates

, no

form

al p

roce

dure

s or

pr

oces

ses

are

incl

uded

in

th

e SO

P or

do

cum

ente

d el

sew

here

fo

r de

taili

ng

how

to

m

onito

r th

e di

rect

orie

s or

the

req

uire

men

ts f

or

perf

orm

ing

the

revi

ews

to

verif

y th

at

only

au

thor

ized

cha

nges

to th

e “i

fmis

cm”

dire

ctor

y an

d su

b-di

rect

orie

s are

impl

emen

ted

into

pro

duct

ion

by

the

deve

lope

rs.

�W

e de

term

ined

tha

t al

thou

gh i

nfor

mal

rev

iew

s of

th

e di

rect

orie

s w

ere

perf

orm

ed d

urin

g th

e fis

cal

year

, the

y w

ere

not r

outin

ely

relie

d up

on b

y FE

MA

m

anag

emen

t as

the

y di

d no

t pr

ovid

e th

e le

vel

of

deta

il re

quire

d fo

r ad

equa

te

mon

itorin

g,

and

FEM

A p

erso

nnel

wer

e no

t abl

e to

dis

tingu

ish

the

type

s of

cha

nges

mad

e to

the

sys

tem

fro

m t

he

“ifm

iscm

” ac

coun

t.

from

the

dev

elop

men

t co

ntra

ctor

to

an i

ndep

ende

nt

cont

rol

grou

p.

If

busi

ness

ne

eds

requ

ire

that

th

e se

greg

atio

n of

du

ties

cann

ot

be

imm

edia

tely

im

plem

ente

d, F

EMA

sho

uld

docu

men

t and

impl

emen

t po

licie

s an

d pr

oced

ures

to m

itiga

te th

e ris

k as

soci

ated

w

ith

the

segr

egat

ion

of

dutie

s w

eakn

ess

note

d in

ac

cord

ance

with

DH

S gu

idan

ce, i

nclu

ding

a fo

rmal

ized

pr

oces

s fo

r pe

rfor

min

g an

d do

cum

entin

g re

view

s of

ac

tivity

per

form

ed b

y de

velo

pers

with

in t

he I

FMIS

-M

erge

r env

ironm

ent.

FEM

A-

As

note

d du

ring

the

FY

2009

au

dit,

wea

knes

ses

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

IT-1

0-40

co

ntin

ued

to

exis

t ov

er

the

segr

egat

ion

of

dutie

s co

ntro

ls fo

r the

mig

ratio

n of

G&

T IF

MIS

cha

nges

into

pr

oduc

tion

durin

g FY

201

0.

Spec

ifica

lly,

the

“ifm

iscm

” ac

coun

t w

as u

sed

by t

he

FEM

A d

evel

opm

ent c

ontra

ctor

to d

eplo

y ch

ange

s in

to

the

UN

IX p

rodu

ctio

n en

viro

nmen

t. P

er o

ur re

view

, we

note

d th

at t

he G

&T

IFM

IS a

pplic

atio

n pr

ogra

mm

ers

resp

onsi

ble

for m

aint

aini

ng a

nd d

evel

opin

g ch

ange

s for

th

e G

&T

IFM

IS a

pplic

atio

n w

ere

also

res

pons

ible

for

m

igra

ting

appl

icat

ion

code

cha

nges

into

the

prod

uctio

n en

viro

nmen

t us

ing

the

“ifm

iscm

” ac

coun

t. W

e w

ere

info

rmed

by

FEM

A p

erso

nnel

tha

t th

e co

ntro

ls o

ver

this

acc

ount

did

not

cha

nge

from

FY

200

9 an

d th

at th

e ac

coun

t re

mai

ned

unlo

cked

whi

le G

&T

IFM

IS w

as

oper

atio

nal b

etw

een

Oct

ober

200

9 an

d Ju

ne 2

010

whe

n th

e sy

stem

was

dec

omm

issi

oned

. W

e w

ere

furth

er

info

rmed

by

FE

MA

pe

rson

nel

that

ac

cess

to

th

e “i

fmis

cm”

acco

unt w

as n

ot li

mite

d or

mon

itore

d on

a

perio

dic

basi

s, al

low

ing

the

deve

lopm

ent

cont

ract

or

unre

stric

ted

acce

ss to

the

prod

uctio

n en

viro

nmen

t.

Add

ition

ally

, w

e no

ted

that

FEM

A h

as d

ocum

ente

d po

licie

s an

d pr

oced

ures

that

requ

ire th

e IF

MIS

-Mer

ger

“ifm

iscm

” ac

coun

t to

be lo

cked

and

use

of t

he a

ccou

nt

to

be

mon

itore

d.

H

owev

er,

we

note

d th

at

no

esta

blis

hed

proc

edur

es o

r co

ntro

ls w

ere

in p

lace

for

G

&T

IFM

IS t

o m

itiga

te t

he r

isk

asso

ciat

ed w

ith t

his

acco

unt.

Con

sequ

ently

, w

e de

term

ined

tha

t w

hile

the

G&

T IF

MIS

app

licat

ion

serv

er w

as d

ecom

mis

sion

ed in

Jun

e 20

10,

the

wea

knes

ses

over

se

greg

atio

n of

du

ties

cont

rols

in th

e G

&T

IFM

IS c

onfig

urat

ion

man

agem

ent

proc

ess

cont

inue

d to

exi

st fo

r the

maj

ority

of F

Y 2

010,

an

d pr

ior y

ear N

FR F

EMA

-IT-

09-5

9 is

reis

sued

.

this

fin

ding

bec

ause

of

the

deco

mm

issi

onin

g of

G&

T IF

MIS

in Ju

ne 2

010.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

FEM

A-

IT-1

0-41

Pass

wor

d,

patc

h m

anag

emen

t, an

d co

nfig

urat

ion

man

agem

ent

wea

knes

ses

wer

e id

entif

ied

durin

g vu

lner

abili

ty a

sses

smen

t tec

hnic

al te

stin

g.

Not

e: D

ue to

the

natu

re o

f thi

s fin

ding

, see

the

tabl

es

in a

ssoc

iate

d N

FR f

or t

he s

peci

fic d

etai

ls o

f th

e co

nditi

ons.

Impl

emen

t th

e sp

ecifi

c co

rrec

tive

actio

ns li

sted

in th

e N

FR fo

r eac

h te

chni

cal c

ontro

l wea

knes

s ide

ntifi

ed.

X

3

FEM

A-

IT-1

0-42

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

note

d th

e fo

llow

ing

wea

knes

ses

over

th

e co

mpl

eten

ess

and

accu

racy

of

certa

in C

&A

arti

fact

s th

at s

uppo

rt th

e A

utho

rizin

g O

ffic

ial’s

dec

isio

n to

gra

nt a

n A

TO fo

r the

IF

MIS

– M

erge

r:

�A

risk

ass

essm

ent f

or IF

MIS

-Mer

ger h

ad n

ot b

een

com

plet

ed o

r do

cum

ente

d pr

ior

to g

rant

ing

an

ATO

, in

ac

cord

ance

w

ith

DH

S an

d N

IST

requ

irem

ents

. A

dditi

onal

ly, F

EMA

doe

s no

t pla

n to

con

duct

and

doc

umen

t a r

isk

asse

ssm

ent o

r th

e re

sults

of t

he re

quire

d ris

k as

sess

men

t act

iviti

es fo

r IF

MIS

-Mer

ger

as

FEM

A

man

agem

ent

has

indi

cate

d th

at it

is n

ot re

quire

d fo

r FY

201

0.

�Th

e A

TO w

as s

igne

d in

Jun

e 20

10,

mor

e th

an

thre

e m

onth

s af

ter

the

IFM

IS-M

erge

r sy

stem

was

op

erat

iona

l in

late

Feb

ruar

y 20

10.

�Pe

r ou

r re

view

of

the

secu

rity

asse

ssm

ent

repo

rt,

the

asse

ssm

ent

perf

orm

ed

over

IF

MIS

-Mer

ger

prio

r to

gran

ting

ATO

did

not

incl

ude

eval

uatio

n of

an

y of

the

cont

rols

iden

tifie

d w

ithin

the

SSP.

The

as

sess

men

t w

as

limite

d to

vu

lner

abili

ty

and

com

plia

nce

scan

s.

�Th

e ST

&E

was

not

pro

perly

con

duct

ed b

ecau

se th

e ba

selin

e co

ntro

ls in

the

Req

uire

men

ts T

race

abili

ty

Mat

rix

wer

e no

t co

nsis

tent

w

ith

DH

S re

quire

men

ts.

�U

pdat

e an

d co

mpl

ete

all

requ

ired

C&

A a

rtifa

cts

for I

FMIS

-Mer

ger i

n ac

cord

ance

with

DH

S po

licy

and

NIS

T gu

idan

ce.

�En

sure

th

at

C&

A

artif

acts

, in

clud

ing

the

risk

asse

ssm

ent

or t

he r

esul

ts o

f th

e re

quire

d ris

k as

sess

men

t act

iviti

es, t

he S

T&E,

and

the

Secu

rity

Ass

essm

ent

Rep

ort

(SA

R)

are

cond

ucte

d an

d do

cum

ente

d in

acc

orda

nce

with

est

ablis

hed

DH

S ba

selin

e co

ntro

ls

acco

rdin

g to

th

e se

curit

y ca

tego

rizat

ion

of th

e sy

stem

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

3

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

FEM

A-

IT-1

0-43

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

note

d th

at th

e m

ost

rece

nt A

TO f

or N

EMIS

was

sig

ned

on O

ctob

er

29, 2

009.

H

owev

er, w

e id

entif

ied

wea

knes

ses

in t

he

com

plet

enes

s an

d ac

cura

cy o

f ce

rtain

C&

A a

rtifa

cts

that

sup

port

the

Aut

horiz

ing

Off

icia

l’s (

AO

) de

cisi

on

to g

rant

the

ATO

for N

EMIS

. Sp

ecifi

cally

, the

NEM

IS

Ris

k A

sses

smen

t, ST

&E,

and

SA

R w

ere

com

plet

ed in

20

06, a

nd th

us o

utda

ted

as D

HS

polic

y re

quire

s C

&A

ar

tifac

ts s

uppo

rting

ATO

s to

be

upda

ted

with

in th

e 13

m

onth

s pr

ior

to g

rant

ing

the

mos

t re

cent

ATO

, an

d N

IST

requ

ires e

ach

to b

e co

nduc

ted

ever

y 3

year

s.

We

reco

mm

end

that

FEM

A u

pdat

e an

d co

mpl

ete

all

requ

ired

C&

A a

rtifa

cts

for N

EMIS

in a

ccor

danc

e w

ith

DH

S po

licy

and

NIS

T gu

idan

ce.

X

3

FEM

A-

IT-1

0-44

Con

ditio

ns n

oted

in

FY 2

009

rela

ted

to w

eakn

esse

s ov

er c

ontro

ls in

pla

ce to

mon

itor a

nd re

stric

t acc

ess

to

high

ly-p

rivile

ged

syst

em a

ccou

nts

with

in t

he U

NIX

en

viro

nmen

t th

at s

uppo

rts I

FMIS

-Mer

ger

and

G&

T IF

MIS

con

tinue

to e

xist

in F

Y 2

010.

Spe

cific

ally

:

�A

cces

s to

th

e “r

oot”

ac

coun

t is

no

t pr

oper

ly

rest

ricte

d an

d sy

stem

adm

inis

trato

r ac

tiviti

es a

re

not

appr

opria

tely

lo

gged

.

Spec

ifica

lly,

the

pass

wor

d to

acc

ess

the

UN

IX “

root

” ad

min

istra

tor

acco

unt

is s

hare

d be

twee

n th

e ad

min

istra

tors

and

re

mot

e ac

cess

to

the

root

acc

ount

is

not

lock

ed

dow

n.

�Sy

stem

adm

inis

trato

r ac

tions

are

not

mon

itore

d an

d at

tribu

tabl

e to

in

divi

dual

ad

min

istra

tors

. Sp

ecifi

cally

, FEM

A h

as n

ot e

nfor

ced

the

use

of th

e “s

udo”

co

mm

and,

w

hich

re

quire

s sy

stem

ad

min

istra

tors

to

logi

n w

ith t

heir

indi

vidu

al u

ser

ID a

nd t

hen

switc

h ov

er t

o th

e ro

ot a

ccou

nt t

o en

sure

who

is a

cces

sing

the

acco

unt i

s lo

gged

and

au

thor

ized

.

�Sy

stem

log

s an

d re

ports

of

adm

inis

trato

r ac

tivity

, in

clud

ing

the

“sud

o” l

og w

hich

mon

itors

act

ions

pe

rfor

med

by

adm

inis

trato

rs w

hile

act

ing

as t

he

We

reco

mm

end

that

FEM

A d

ocum

ent a

nd im

plem

ent

appr

opria

te

tech

nica

l an

d m

anag

emen

t co

ntro

ls

to

rest

rict

and

mon

itor

acce

ss

to

priv

ilege

d sy

stem

ad

min

istra

tor a

ccou

nts

on th

e IF

MIS

-Mer

ger o

pera

ting

syst

em,

incl

udin

g us

e of

th

e “r

oot”

ac

coun

t, in

ac

cord

ance

with

DH

S an

d FE

MA

pol

icy.

Add

ition

ally

, po

licie

s an

d pr

oced

ures

sho

uld

incl

ude

requ

irem

ents

to

ensu

re t

hat

syst

em l

ogs

and

reco

rds

of a

dmin

istra

tor

activ

ity, i

nclu

ding

the

“roo

t” a

ccou

nt, a

re r

etai

ned

and

revi

ewed

by

IT s

ecur

ity m

anag

emen

t in

depe

nden

t of

th

e sy

stem

ad

min

istra

tion

team

, es

peci

ally

w

here

in

divi

dual

trac

eabi

lity

for t

he a

ccou

nt is

not

pos

sibl

e.

Ther

e is

no

reco

mm

ende

d co

rrec

tive

actio

n sp

ecifi

c to

th

e po

rtion

of

this

fin

ding

rel

ated

to

G&

T IF

MIS

be

caus

e of

the

dec

omm

issi

onin

g of

G&

T IF

MIS

in

June

201

0.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

4

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

“roo

t”

acco

unt,

wer

e no

t re

view

ed

by

FEM

A

man

agem

ent p

erso

nnel

inde

pend

ent o

f th

e sy

stem

ad

min

istra

tion

staf

f.

FEM

A-

IT-1

0-45

In F

Y 2

009,

we

note

d w

eakn

esse

s ov

er s

uita

bilit

y de

term

inat

ions

for

fed

eral

em

ploy

ees

and

cont

ract

ors

with

sen

sitiv

e IT

sys

tem

acc

ess

that

con

tinue

d to

exi

st

in F

Y 2

010.

Spe

cific

ally

, of

15

fede

ral

empl

oyee

po

sitio

ns se

lect

ed fo

r tes

ting:

�Th

ree

did

not

have

ev

iden

ce

of

a co

mpl

eted

ba

ckgr

ound

inve

stig

atio

n on

file

that

met

min

imum

in

vest

igat

ive

requ

irem

ents

sp

ecifi

ed

by

DH

S po

licy.

�Fo

r on

e em

ploy

ee, F

EMA

was

una

ble

to p

rovi

de

any

docu

men

tatio

n to

evi

denc

e th

at th

e em

ploy

ee’s

ba

ckgr

ound

in

vest

igat

ion

was

pe

rfor

med

an

d m

aint

aine

d w

ithin

IS

MS,

FE

MA

’s

pers

onne

l su

itabi

lity

and

inve

stig

atio

n re

cord

keep

ing

utili

ty.

�N

ine

that

are

def

ined

as

“hig

h ris

k” a

ccor

ding

to

FEM

A p

olic

y di

d no

t hav

e an

app

ropr

iate

pos

ition

se

nsiti

vity

des

igna

tion

that

ref

lect

ed th

e ris

k le

vel

requ

ired

by D

HS

polic

y.

Dur

ing

our

FY 2

010

test

wor

k ov

er c

ontra

ctor

s, w

e de

term

ined

th

at

no

form

al

proc

edur

es

have

be

en

deve

lope

d or

impl

emen

ted

by F

EMA

to a

ddre

ss D

HS

requ

irem

ents

sur

roun

ding

the

sui

tabi

lity

scre

enin

g of

co

ntra

ctor

s ac

cess

ing

DH

S IT

sys

tem

s. A

dditi

onal

ly,

we

sele

cted

a p

opul

atio

n of

15

cont

ract

ors

with

acc

ess

to

mul

tiple

FE

MA

in

form

atio

n sy

stem

s w

ho

hold

se

nsiti

ve IT

sec

urity

pos

ition

s at F

EMA

such

as s

yste

m

adm

inis

trato

rs,

data

base

adm

inis

trato

rs,

and

syst

ems

deve

lopm

ent

cont

ract

ors

and

dete

rmin

ed t

hat

FEM

A

has

not

appr

opria

tely

co

nduc

ted

suita

bilit

y

�Fu

rther

def

ine

and

refin

e do

cum

ente

d pr

oces

ses

to

ensu

re

that

ba

ckgr

ound

in

vest

igat

ions

fo

r al

l Fe

dera

l em

ploy

ees

are

perf

orm

ed a

nd p

roce

dure

s ar

e im

plem

ente

d in

ac

cord

ance

w

ith

DH

S di

rect

ives

. �

Re-

eval

uate

an

d as

sign

th

e co

rrec

t po

sitio

n se

nsiti

vity

lev

els

to a

ll Fe

dera

l em

ploy

ees

with

ac

cess

to D

HS

info

rmat

ion

syst

ems

in a

ccor

danc

e w

ith D

HS

polic

y.

Add

ition

ally

doc

umen

t an

d/or

re

vise

, an

d fu

lly i

mpl

emen

t pr

oced

ures

to

ensu

re

that

pro

gram

man

ager

s ar

e aw

are

of r

equi

rem

ents

an

d ap

prop

riate

po

sitio

n se

nsiti

vity

le

vels

ar

e de

sign

ated

for

all

sens

itive

IT

posi

tions

in

the

futu

re.

�D

ocum

ent a

nd f

ully

impl

emen

t pro

cedu

res

with

in

FEM

A A

cqui

sitio

ns,

FEM

A P

erso

nnel

Sec

urity

, an

d FE

MA

IT

to e

nsur

e a

mor

e ce

ntra

lized

and

co

ordi

nate

d pr

oces

s fo

r tra

ckin

g an

d co

mpl

etin

g ba

ckgr

ound

in

vest

igat

ions

ov

er

cont

ract

or

pers

onne

l in

acco

rdan

ce w

ith D

HS

polic

y.

�En

sure

th

at

all

syst

em

owne

rs

docu

men

t an

d co

rrec

tly

defin

e th

e ap

prop

riate

se

nsiti

vity

de

sign

atio

ns

for

cont

ract

or

pers

onne

l ne

edin

g ac

cess

to th

eir

info

rmat

ion

syst

ems

in a

ccor

danc

e w

ith

DH

S po

licy.

A

dditi

onal

ly,

ensu

re

that

po

sitio

n se

nsiti

vity

de

sign

atio

ns

are

assi

gned

ba

sed

on th

e ty

pe o

f priv

ilege

s ne

eded

, and

requ

ire

cont

ract

ors

to h

ave

thei

r su

itabi

lity

inve

stig

atio

ns

com

plet

ed p

rior

to b

eing

gra

nted

acc

ess

to t

he

syst

em

in

acco

rdan

ce

with

FE

MA

an

d D

HS

polic

y.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

5

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

inve

stig

atio

ns.

Spec

ifica

lly:

�Fo

r tw

o, F

EMA

was

una

ble

to p

rovi

de a

ny

docu

men

tatio

n to

ev

iden

ce

that

th

e co

ntra

ctor

’s

reco

rd

was

m

aint

aine

d w

ithin

IS

MS,

incl

udin

g th

e st

atus

of a

ny b

ackg

roun

d in

vest

igat

ions

per

form

ed.

�Si

x di

d no

t ha

ve e

vide

nce

of a

com

plet

ed

back

grou

nd i

nves

tigat

ion

on f

ile t

hat

mee

ts

min

imum

inve

stig

ativ

e re

quire

men

ts s

peci

fied

by D

HS

polic

y.

Of

the

six,

two

had

reco

rds

mai

ntai

ned

with

in

ISM

S;

how

ever

, FE

MA

w

as

unab

le

to

prov

ide

evid

ence

th

at

back

grou

nd

inve

stig

atio

ns

for

each

w

ere

perf

orm

ed.

�N

one

had

posi

tion

sens

itivi

ty

desi

gnat

ions

de

fined

by

FEM

A fo

r the

sen

sitiv

e IT

pos

ition

th

ey h

eld

at t

he t

ime

of o

ur t

est

wor

k, a

s re

quire

d by

DH

S po

licy.

FEM

A-

IT-1

0-46

Dur

ing

the

FY

2010

in

tegr

ated

au

dit,

we

note

d w

eakn

esse

s in

co

ntro

ls

over

th

e co

nfig

urat

ion

man

agem

ent o

f ap

plic

atio

n, w

eb, a

nd d

atab

ase

serv

ers

with

in

the

NEM

IS

prod

uctio

n en

viro

nmen

t. Sp

ecifi

cally

:

1.

Acc

ess

to

the

mul

tiple

ap

plic

atio

n,

web

, an

d da

taba

se

serv

ers

that

co

mpr

ise

the

NEM

IS

prod

uctio

n en

viro

nmen

t fo

r de

ploy

ing

appr

oved

co

de c

hang

es is

lim

ited

to IT

Ent

erpr

ise

Ope

ratio

ns

staf

f. H

owev

er,

no

form

aliz

ed

chan

ge

man

agem

ent

proc

edur

es

exis

t fo

r de

ploy

ing

chan

ges

to e

nsur

e th

e m

ovem

ent

of p

rodu

ctio

n co

de f

or t

he N

EMIS

pro

duct

ion

envi

ronm

ent

is

appr

opria

tely

con

trolle

d.

�D

ocum

ent a

nd im

plem

ent a

form

aliz

ed p

roce

ss a

nd

proc

edur

es

for

depl

oyin

g N

EMIS

ch

ange

s to

en

sure

the

mov

emen

t of

pro

duct

ion

code

for

the

N

EMIS

pro

duct

ion

envi

ronm

ent

is a

ppro

pria

tely

co

ntro

lled.

Proc

edur

es

shou

ld

incl

ude

requ

irem

ents

for r

estri

ctin

g an

d, m

onito

ring

acce

ss

and

docu

men

ting

revi

ews

to

the

NEM

IS

prod

uctio

n en

viro

nmen

t to

en

sure

th

at

the

prin

cipl

es o

f le

ast

priv

ilege

and

seg

rega

tion

of

dutie

s ar

e en

forc

ed,

in

acco

rdan

ce

with

D

HS

guid

ance

. �

Ensu

re

that

ad

equa

te

tech

nica

l co

ntro

ls

are

impl

emen

ted

to

enfo

rce

leas

t pr

ivile

ge

and

segr

egat

ion

of

dutie

s re

quire

men

ts

for

the

impl

emen

tatio

n of

sys

tem

cha

nges

. I

f in

divi

dual

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

6

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

2.

Acc

ess

to a

sha

red

serv

ice

acco

unt i

s us

ed f

or th

e de

ploy

men

t of

Lin

ux c

hang

es.

How

ever

, FE

MA

w

as u

nabl

e to

pro

vide

any

sys

tem

doc

umen

tatio

n or

ass

ocia

ted

artif

acts

dem

onst

ratin

g th

at F

EMA

w

as a

ppro

pria

tely

rest

rictin

g an

d co

ntro

lling

acc

ess

to t

he N

EMIS

pro

duct

ion

appl

icat

ion,

web

, an

d da

taba

se se

rver

s.

acco

unts

are

not

pos

sibl

e fo

r de

ploy

ing

chan

ges,

impl

emen

t lo

gica

l ac

cess

co

ntro

ls,

incl

udin

g co

nfig

urat

ion

of s

yste

m a

udit

logs

, on

NEM

IS

prod

uctio

n se

rver

s to

es

tabl

ish

indi

vidu

al

acco

unta

bilit

y fo

r all

FEM

A p

erso

nnel

with

acc

ess

to t

he e

nviro

nmen

t th

roug

h th

e sh

ared

ser

vice

ac

coun

t, in

ac

cord

ance

w

ith

DH

S an

d FE

MA

po

licy.

A

dditi

onal

ly,

for

thes

e sh

ared

ser

vice

ac

coun

ts,

docu

men

t, im

plem

ent,

and

appr

ove

stan

dard

op

erat

ing

proc

edur

es

for

the

impl

emen

tatio

n an

d fo

rmal

re

view

of

N

EMIS

sy

stem

cha

nges

on

prod

uctio

n se

rver

s. FE

MA

-IT

-10-

47

In F

Y 2

009,

we

note

d th

at F

EMA

’s O

CFO

and

NFI

P fin

anci

al s

yste

ms

deve

lopm

ent a

nd a

cqui

sitio

n pr

ojec

ts

wer

e un

derta

ken

and

prog

ress

ed w

ithou

t (1

) pr

oper

ov

ersi

ght

of

and

dire

ctio

n to

co

ntra

ctor

s, (2

) de

velo

pmen

t an

d ap

prov

al

of

requ

ired

proj

ect

docu

men

tatio

n, (

3) t

he c

ontin

ual

invo

lvem

ent

of t

he

OC

IO

to

ensu

re

appr

opria

te

cons

ider

atio

n an

d in

tegr

atio

n of

IT

se

curit

y,

and

(4)

the

join

t co

mm

unic

atio

n an

d de

cisi

on-m

akin

g of

FEM

A O

CFO

, O

CIO

an

d N

FIP

man

agem

ent.

A

s a

resu

lt,

we

reco

mm

ende

d th

at

FEM

A

man

agem

ent

defin

e an

d im

plem

ent

form

al a

nd r

epea

tabl

e pr

oces

ses

to e

nsur

e th

at f

inan

cial

sys

tem

s de

velo

pmen

t an

d ac

quis

ition

pr

ojec

ts a

re c

ondu

cted

in c

ompl

ianc

e w

ith D

HS

SELC

an

d ac

quis

ition

re

quire

men

ts

as

wel

l as

Fe

dera

l gu

idan

ce.

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

dete

rmin

ed

that

FE

MA

m

anag

emen

t ha

s no

t im

plem

ente

d co

rrec

tive

actio

ns o

r dev

elop

ed a

cor

rect

ive

actio

n pl

an

to

addr

ess

the

prio

r ye

ar

wea

knes

ses

note

d.

Spec

ifica

lly, e

ntity

leve

l cor

rect

ive

actio

ns to

inte

grat

e an

d de

velo

p su

ffic

ient

an

d ef

fect

ive

met

hods

of

co

mm

unic

atio

n to

ens

ure

that

sig

nific

ant

finan

cial

-

�D

efin

e an

d im

plem

ent f

orm

al a

nd re

peat

able

ent

ity

leve

l co

ntro

l pr

oces

ses

to e

nsur

e th

at f

inan

cial

sy

stem

s de

velo

pmen

t an

d ac

quis

ition

pro

ject

s ar

e co

nduc

ted

in

com

plia

nce

with

D

HS

Syst

em

Engi

neer

ing

Life

Cyc

le (

SELC

) an

d ac

quis

ition

re

quire

men

ts a

s w

ell

as F

eder

al g

uida

nce.

Th

e pr

oces

ses

shou

ld d

efin

e st

eps

to i

nclu

de,

but

are

not l

imite

d to

, for

mal

app

rova

l of

requ

ired

proj

ect

docu

men

tatio

n,

suff

icie

nt

cont

ract

or

over

sigh

t, de

finiti

ons

of p

roje

ct r

oles

and

res

pons

ibili

ties

so

that

de

cisi

on

mak

ing

incl

udes

th

e ap

prop

riate

in

volv

emen

t of

al

l st

akeh

olde

rs

and

rele

vant

FE

MA

man

agem

ent,

esta

blis

hmen

t of

AD

Es a

t ea

ch S

ELC

pha

se,

and

inte

grat

ion

of I

T se

curit

y co

nsid

erat

ions

thro

ugho

ut a

ll pr

ojec

t pha

ses.

�

Iden

tify

and

form

ally

as

sign

st

akeh

olde

rs

asso

ciat

ed

with

th

e re

med

iatio

n ef

forts

ov

er

alig

ning

th

e D

HS

SELC

m

etho

dolo

gy

with

FE

MA

’s

acqu

isiti

on

deve

lopm

ent

proc

ess

to

ensu

re a

ppro

pria

te p

artic

ipat

ion

from

all

requ

ired

orga

niza

tions

w

ithin

FE

MA

in

bo

th

the

deve

lopm

ent

of

polic

ies

and

proc

edur

es

and

inte

grat

ion

of t

he f

inan

cial

sys

tem

s ac

quis

ition

s lif

e cy

cle

stag

es a

s req

uire

d by

DH

S po

licy.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

7

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

rela

ted

syst

em d

evel

opm

ent

and

acqu

isiti

on p

roje

cts

invo

lve

all r

elev

ant s

take

hold

ers,

incl

udin

g th

e O

CFO

, ha

ve

not

been

es

tabl

ishe

d.

A

dditi

onal

ly,

FEM

A

man

agem

ent

has

not

take

n ac

tion

to e

nhan

ce a

nd

furth

er

deve

lop

curr

ent

acqu

isiti

on

man

agem

ent

proc

esse

s to

en

sure

th

at

orga

niza

tion-

spec

ific

requ

irem

ents

exi

st a

nd a

re i

mpl

emen

ted

so t

hat

each

pr

ojec

t m

eets

or

gani

zatio

nal

mis

sion

ne

eds

and

func

tiona

l an

d te

chni

cal

requ

irem

ents

as

requ

ired

by

DH

S an

d N

IST

guid

ance

.

FEM

A-

IT-1

0-48

FEM

A I

T se

curit

y m

anag

emen

t re

spon

sibili

ties

wer

e no

t con

sist

ently

or

adeq

uate

ly a

ssig

ned

and

perf

orm

ed

over

the

FEM

A P

OA

&M

pro

cess

for F

Y 2

009

IT a

udit

findi

ngs,

in

acco

rdan

ce

with

D

HS

guid

ance

. Sp

ecifi

cally

:

�PO

A&

Ms

crea

ted

by

FEM

A

man

agem

ent

in

resp

onse

to

FY 2

009

IT f

inan

cial

sta

tem

ent

audi

t fin

ding

s w

ere

not c

onsi

sten

tly c

ateg

oriz

ed w

ith th

e ap

prop

riate

crit

ical

ity l

evel

in

acco

rdan

ce w

ith

DH

S po

licy.

Sp

ecifi

cally

, fo

r 52

PO

A&

Ms

prov

ided

by

FEM

A o

n M

ay 3

, 201

0, c

ritic

ality

was

ei

ther

und

efin

ed o

r err

oneo

usly

def

ined

as “

Ann

ual

Ass

essm

ent

Find

ing”

rat

her

than

“In

itial

Aud

it Fi

ndin

g” o

r “R

epea

t Aud

it Fi

ndin

g,”

as re

quire

d.

�FE

MA

man

agem

ent d

id n

ot c

onsi

sten

tly d

ocum

ent

deta

iled

corr

ectiv

e ac

tion

plan

s or

ap

prop

riate

m

ilest

ones

, inc

ludi

ng r

equi

red

test

s of

des

ign

and

effe

ctiv

e im

plem

enta

tion

for

finan

cial

sy

stem

PO

A&

Ms.

�FE

MA

man

agem

ent

did

not

cons

iste

ntly

ass

ign

POA

&M

st

akeh

olde

r ow

ners

hip

for

corr

ectiv

e ac

tion

plan

s or r

elat

ed m

ilest

ones

.

�Es

tabl

ish

and

docu

men

t a

form

aliz

ed p

roce

ss t

o pr

ovid

e IT

se

curit

y m

anag

emen

t ov

ersi

ght

to

ensu

re

that

ad

equa

te

perio

dic

revi

ew

and

asse

ssm

ent o

f se

curit

y co

ntro

ls a

re p

erfo

rmed

and

co

rrec

tive

actio

ns a

re a

ppro

pria

tely

ass

igne

d an

d im

plem

ente

d ov

er i

dent

ified

sec

urity

wea

knes

ses

thro

ugh

the

POA

&M

pro

cess

. �

Ded

icat

e re

sour

ces

to

fully

im

plem

ent

DH

S re

quire

men

ts o

ver t

he P

OA

&M

s fo

r aud

it fin

ding

s of

FEM

A f

inan

cial

sys

tem

s, in

clud

ing

the

prop

er

cate

goriz

atio

n of

aud

it fin

ding

s, do

cum

enta

tion

of

all

stak

ehol

ders

with

rem

edia

tion

resp

onsi

bilit

ies,

and

mon

itorin

g of

PO

A&

M a

ctiv

ities

to

valid

ate

that

co

rrec

tive

actio

ns

are

appr

opria

tely

do

cum

ente

d w

ith

asso

ciat

ed

mile

ston

es

and

evid

ence

of r

emed

iatio

n is

dev

elop

ed a

nd re

tain

ed.

�D

evel

op a

nd i

mpl

emen

t a

train

ing

prog

ram

for

pe

rson

nel w

ith IT

sec

urity

resp

onsi

bilit

ies,

such

as

syst

em o

wne

rs a

nd IS

SOs,

to e

nsur

e th

at th

ey fu

lly

unde

rsta

nd

thei

r ro

les

and

resp

onsi

bilit

ies

to

corr

ectly

cat

egor

ize

the

findi

ngs,

form

ally

def

ine

mile

ston

es,

and

valid

ate

the

docu

men

tatio

n an

d te

stin

g of

the

corr

ectiv

e ac

tion

impl

emen

ted.

�

Dev

elop

an

d im

plem

ent

revi

ew

proc

edur

es

to

ensu

re d

evel

oped

PO

A&

Ms

are

deta

iled

enou

gh to

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

8

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

dem

onst

rate

tha

t th

e ro

ot c

ause

of

the

issu

e ha

s be

en

asse

ssed

an

d th

e m

ilest

ones

ad

dres

s th

e ne

cess

ary

step

s to

ful

ly r

emed

iate

the

wea

knes

ses

as re

quire

d by

DH

S po

licy.

FE

MA

-IT

-10-

49

Dur

ing

the

FY

2010

fo

llow

-up

test

wor

k,

we

dete

rmin

ed th

at w

eakn

esse

s no

ted

in F

Y 2

009

cont

inue

to

exi

st.

Spec

ifica

lly, w

e de

term

ined

that

no

addi

tiona

l po

licie

s an

d pr

oced

ures

to

esta

blis

h a

proc

ess

for

impl

emen

ting

chan

ge c

ontro

ls f

or t

he m

aint

enan

ce o

f sy

stem

sec

urity

fun

ctio

ns h

ave

been

dev

elop

ed b

y FE

MA

or

the

IT d

evel

oper

of

IFM

IS-M

erge

r. F

EMA

ha

s no

t ade

quat

ely

ensu

red

that

app

ropr

iate

priv

ilege

s gr

ante

d to

us

ers

are

crea

ted,

do

cum

ente

d,

and

appr

oved

.

We

wer

e in

form

ed b

y FE

MA

per

sonn

el th

at th

e sy

stem

se

curit

y fu

nctio

ns a

re c

reat

ed a

nd m

odifi

ed to

pro

vide

ad

ditio

nal

func

tiona

lity

unde

r sp

ecifi

c m

enus

in

the

IFM

IS-M

erge

r ap

plic

atio

n.

As

a re

sult,

thes

e ch

ange

s to

the

men

u pr

ovid

e ad

ditio

nal

func

tiona

lity

to t

he

user

s w

ith a

cces

s to

tho

se m

enus

. H

owev

er,

curr

ent

docu

men

tatio

n ov

er I

FMIS

-Mer

ger,

incl

udin

g ac

cess

au

thor

izat

ion

form

s, ch

ange

man

agem

ent

plan

s an

d Sy

stem

Sec

urity

Pla

ns, d

o no

t de

fine

how

to

man

age

and

docu

men

t cha

nges

to th

ese

func

tions

to e

nsur

e th

at

appr

oved

ch

ange

s ar

e m

ade

and

appr

opria

te

and

trace

able

acc

ess i

s gra

nted

to IF

MIS

-Mer

ger u

sers

.

Whi

le

FEM

A

has

rece

ived

th

e IF

MIS

Se

curit

y Fu

nctio

ns

Ref

eren

ce

Gui

de

date

d 20

07

from

th

e so

ftwar

e ve

ndor

, we

dete

rmin

ed th

at th

e do

cum

enta

tion

is

a te

chni

cal

refe

renc

e m

anua

l th

at

defin

es

the

capa

bilit

ies

of th

e sy

stem

, usa

ge o

f th

e va

rious

sys

tem

se

curit

y fu

nctio

ns,

men

u op

tions

an

d re

late

d pe

rmis

sion

s fo

r ea

ch f

unct

ion.

H

owev

er,

the

guid

e do

es n

ot a

ddre

ss t

he m

anag

emen

t of

the

se s

yste

m

�D

edic

ate

reso

urce

s to

ass

ess

the

usag

e of

IFM

IS-

Mer

ger

syst

em s

ecur

ity f

unct

ions

aga

inst

DH

S po

licy

requ

irem

ents

and

det

erm

ine

gaps

that

exi

st

with

in e

xist

ing

syst

em d

ocum

enta

tion

over

the

se

curit

y fu

nctio

ns.

�D

evel

op a

nd i

mpl

emen

t po

licie

s an

d pr

oced

ures

do

cum

entin

g th

e pr

oces

s of

add

ing,

del

etin

g, a

nd

mod

ifyin

g IF

MIS

-Mer

ger

syst

em

secu

rity

func

tions

to e

nsur

e th

at p

rope

r con

trols

are

in p

lace

fo

r ap

prov

ing,

te

stin

g an

d do

cum

entin

g th

ese

func

tions

prio

r to

im

plem

enta

tion,

in

acco

rdan

ce

with

DH

S po

licy.

Th

ese

polic

ies

and

proc

edur

es

shou

ld

incl

ude

requ

irem

ents

ov

er

inde

pend

ent

mon

itorin

g of

th

e cr

eatio

n,

mod

ifica

tion

and

dele

tion

of

syst

em

secu

rity

func

tions

, an

d re

quire

men

ts f

or u

pdat

ing

syst

em d

ocum

enta

tion

to re

flect

the

impa

ct o

f the

cha

nges

to u

ser a

ccou

nt

priv

ilege

s. �

Dev

elop

and

impl

emen

t pro

cedu

res

to e

nsur

e th

at

func

tions

upd

ated

thro

ugh

the

chan

ge m

anag

emen

t pr

oces

s ar

e fo

rmal

ly a

ppro

ved

and

docu

men

ted

and

that

app

ropr

iate

sys

tem

doc

umen

tatio

n fo

r IF

MIS

-Mer

ger

syst

em

secu

rity

func

tions

is

up

date

d an

d re

tain

ed,

in a

ccor

danc

e w

ith D

HS

polic

y.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 9

9

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

secu

rity

func

tions

fro

m a

cha

nge

cont

rol

and

acce

ss

cont

rol p

ersp

ectiv

e fo

r FEM

A.

Add

ition

ally

, the

gui

de

does

not

inc

lude

req

uire

men

ts f

or u

pdat

ing

syst

em

docu

men

tatio

n an

d tra

ckin

g th

ese

syst

em

secu

rity

func

tion

chan

ges t

o pr

ivile

ges i

n th

e sy

stem

.

Con

sequ

ently

, ba

sed

on o

ur t

estw

ork,

we

conc

lude

d th

at

a fo

rmal

ized

pr

oces

s fo

r m

odify

ing

spec

ific

IFM

IS-M

erge

r sys

tem

sec

urity

func

tions

to e

nsur

e th

at

appr

opria

te

priv

ilege

s ar

e cr

eate

d,

docu

men

ted,

ap

prov

ed, a

nd m

onito

red

does

not

exi

st.

FEM

A-

IT-1

0-50

Dur

ing

the

FY

2010

FE

MA

in

tegr

ated

au

dit,

we

dete

rmin

ed

that

th

e fo

llow

ing

cond

ition

s re

late

d au

thor

izat

ion

of e

xter

nal

conn

ectio

ns t

o th

e FE

MA

V

PN c

ontin

ue to

exi

st:

�Tw

o-fa

ctor

aut

hent

icat

ion

is n

ot u

sed

for

VPN

ac

cess

, as r

equi

red

by D

HS

polic

y.

�Th

e ex

istin

g do

cum

enta

tion

that

de

fines

th

e pr

oces

s fo

r gr

antin

g an

d m

aint

aini

ng V

PN a

cces

s to

th

e FE

MA

ne

twor

k do

es

not

incl

ude

requ

irem

ents

fo

r ad

min

iste

ring

the

site

su

rvey

pr

oces

s, in

clud

ing

requ

irem

ents

fo

r th

e au

thor

izat

ion

of th

e si

tes

surv

eys,

rece

rtific

atio

n of

si

te

surv

eys,

and

the

secu

rity

requ

irem

ents

as

soci

ated

with

the

vario

us a

spec

ts o

f the

pro

cess

.

�FE

MA

has

not

form

ally

iden

tifie

d an

d do

cum

ente

d th

e ro

les

and

resp

onsi

bilit

ies

nece

ssar

y w

ithin

FE

MA

to p

rope

rly a

utho

rize

and

adm

inis

ter

VPN

ac

cess

to in

divi

dual

s us

ing

non-

DH

S eq

uipm

ent t

o ac

cess

the

FEM

A n

etw

ork.

�A

cces

s fo

r st

ate

emer

genc

y m

anag

emen

t age

ncie

s an

d FE

MA

con

tract

ors

to lo

ad th

e V

PN c

lient

ont

o st

ate

or c

ontra

ctor

ow

ned

equi

pmen

t to

conn

ect t

o

�Im

plem

ent

and

requ

ire t

wo-

fact

or a

uthe

ntic

atio

n fo

r al

l re

mot

e ac

cess

to

the

FEM

A n

etw

ork,

as

requ

ired

by D

HS

polic

y an

d FI

PS 1

40-2

. �

Rev

ise

and

impl

emen

t pol

icie

s an

d pr

oced

ures

for

do

cum

entin

g,

revi

ewin

g,

and

appr

ovin

g th

e se

curit

y co

ntro

ls

in

plac

e ov

er

non-

DH

S eq

uipm

ent

conn

ectin

g to

the

FEM

A n

etw

ork

via

VPN

ac

cess

. Sp

ecifi

cally

, cl

early

de

fine

and

docu

men

t a

form

aliz

ed

proc

ess

for

the

auth

oriz

atio

n, r

evie

w,

and

mai

nten

ance

of

VPN

ac

cess

agr

eem

ents

bet

wee

n FE

MA

and

ext

erna

l en

titie

s. A

dditi

onal

ly,

ensu

re

that

w

ithin

th

e po

licie

s an

d pr

oced

ures

, ap

prop

riate

ro

les

and

resp

onsi

bilit

ies

over

the

pro

cess

are

def

ined

to

incl

ude

auth

oriz

atio

ns

by

the

CIS

O/IS

SM

to

conn

ect t

o no

n-D

HS

equi

pmen

t. �

Ensu

re th

at a

gree

men

ts r

elat

ed to

VPN

acc

ess

are

revi

ewed

and

rec

ertif

ied

whe

n a

maj

or s

yste

m

chan

ge o

ccur

s or

eve

ry th

ree

year

s, in

acc

orda

nce

with

DH

S po

licy.

�

Form

ally

iden

tify

and

docu

men

t app

ropr

iate

rol

es

and

resp

onsi

bilit

ies

rela

ted

to

man

agem

ent

of

rem

ote

acce

ss t

o th

e FE

MA

net

wor

k, i

nclu

ding

iP

ass a

nd V

PN.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

00

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

the

FEM

A

LAN

is

ap

prov

ed

by

the

SOC

. H

owev

er, D

HS

polic

y re

quire

s th

at a

ny n

on-D

HS

equi

pmen

t con

nect

ing

to a

DH

S ne

twor

k m

ust b

e au

thor

ized

by

the

Com

pone

nt C

ISO

/ISSM

.

�FE

MA

’s V

PN R

ules

of B

ehav

ior

for

Use

rs B

ehin

d C

orpo

rate

Fir

ewal

ls,

date

d D

ecem

ber

5, 2

002,

re

quire

s an

Inte

r-A

genc

y V

PN A

gree

men

t bet

wee

n FE

MA

an

d ex

tern

al

orga

niza

tions

be

fore

pe

rmitt

ing

VPN

acc

ess

to t

he F

EMA

net

wor

k th

roug

h no

n-G

over

nmen

t iss

ued

equi

pmen

t suc

h as

co

ntra

ctor

or s

tate

age

ncy

wor

ksta

tions

. H

owev

er,

we

dete

rmin

ed th

at In

ter-

Age

ncy

VPN

Agr

eem

ents

ha

ve

not

been

do

cum

ente

d an

d th

at

this

re

quire

men

t is

in

cons

iste

nt

with

D

HS

polic

y,

whi

ch r

equi

res

ISA

s or

(M

OU

s/M

OA

s pr

ior

to

esta

blis

hing

a V

PN c

onne

ctio

n fr

om e

quip

men

t op

erat

ing

on a

n ex

tern

al n

etw

ork.

�FE

MA

’s

appr

oval

of

re

ques

ts

for

netw

ork

conn

ectio

ns to

ext

erna

l org

aniz

atio

ns th

roug

h V

PN

acce

ss fo

r rem

ote

user

s is b

ased

on

secu

rity

cont

rol

info

rmat

ion

subm

itted

by

the

exte

rnal

ent

ities

via

si

te s

urve

ys.

Bas

ed u

pon

our

revi

ew o

f ex

istin

g si

te s

urve

ys a

nd th

e si

te s

urve

y pr

oces

s, w

e no

ted

that

:

�Th

e si

te s

urve

ys d

o no

t co

ntai

n th

e le

vel

of

tech

nica

l gr

anul

arity

des

crib

ing

the

exte

rnal

ne

twor

k se

curit

y co

ntro

ls

requ

ired

to

appr

opria

tely

ap

prov

e a

conn

ectio

n to

th

e FE

MA

LA

N,

and

the

FEM

A S

OC

doe

s no

t in

depe

nden

tly

verif

y th

e ac

cura

cy

of

info

rmat

ion

in t

he s

ite s

urve

ys s

ubm

itted

by

exte

rnal

en

titie

s pr

ior

to

appr

ovin

g th

e co

nnec

tion

and

subs

eque

ntly

gra

ntin

g V

PN

acce

ss to

use

rs.

�D

ocum

ent a

nd im

plem

ent p

olic

ies

and

proc

edur

es

to e

nsur

e th

at fo

rmal

ized

ISA

s, M

OU

s, or

MO

As,

delin

eatin

g se

curit

y re

spon

sibi

litie

s by

FEM

A a

nd

exte

rnal

org

aniz

atio

ns w

hen

conn

ectin

g th

roug

h no

n-D

HS

equi

pmen

t to

the

FEM

A n

etw

ork

via

VPN

acc

ess

are

used

. S

uch

agre

emen

ts s

houl

d in

clud

e ev

iden

ce

of

valid

atio

n by

FE

MA

m

anag

emen

t th

at s

ecur

ity c

ontro

ls i

n pl

ace

on

exte

rnal

ent

ity n

etw

orks

are

app

ropr

iate

and

satis

fy

requ

irem

ents

for

min

imum

sec

urity

con

trols

on

DH

S an

d FE

MA

sys

tem

s pr

ior

to c

onne

ctio

n in

ac

cord

ance

with

DH

S po

licy.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

01

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�D

HS

guid

ance

indi

cate

s th

at a

sin

gle

ISA

may

be

use

d fo

r mul

tiple

con

nect

ions

pro

vide

d th

at

the

secu

rity

accr

edita

tion

is t

he s

ame

for

all

conn

ectio

ns c

over

ed b

y th

at I

SA.

How

ever

, w

e de

term

ined

tha

t th

e se

curit

y ac

cred

itatio

n of

th

e co

nnec

ting

netw

orks

is

no

t be

ing

eval

uate

d by

th

e FE

MA

SO

C

durin

g th

e re

view

of

site

sur

veys

to

ensu

re t

he s

ecur

ity

requ

irem

ents

are

app

ropr

iate

ly im

plem

ente

d.

FEM

A-

IT-1

0-51

In

FY

2009

, w

e id

entif

ied

wea

knes

ses

over

co

nfig

urat

ion

man

agem

ent

cont

rols

rel

ated

to

NEM

IS

prog

ram

lib

rarie

s an

d di

rect

orie

s w

ithin

th

e TD

L en

viro

nmen

t. D

urin

g th

e FY

201

0 in

tegr

ated

aud

it, w

e de

term

ined

tha

t th

e fo

llow

ing

wea

knes

ses

cont

inue

to

exis

t:

�C

ontro

ls

to

segr

egat

e ac

cess

w

ithin

th

e TD

L en

viro

nmen

t ha

ve

not

been

ap

prop

riate

ly

impl

emen

ted.

Spe

cific

ally

, IT

Syst

ems

Inte

grat

ion

pers

onne

l do

no

t gr

ant

sepa

rate

pr

ivile

ges

to

deve

lopm

ent c

ode,

whi

ch is

mov

ed to

TD

L by

the

syst

ems d

evel

oper

, and

pre

-pro

duct

ion

code

, whi

ch

has

com

plet

ed U

ser

Acc

epta

nce

Test

ing

(UA

T)

and

is

pend

ing

depl

oym

ent

to

the

NEM

IS

prod

uctio

n en

viro

nmen

t. A

s a

resu

lt, d

evel

oper

s ha

ve re

ad, w

rite

and

exec

ute

priv

ilege

s to

all

code

in

the

TDL

envi

ronm

ent.

�C

ode

appr

oved

for

im

plem

enta

tion

is n

ot l

ocke

d do

wn

with

in

the

TDL

envi

ronm

ent

prio

r to

de

ploy

men

t to

prod

uctio

n.

Add

ition

ally

, whi

le a

n ad

-hoc

rev

iew

is p

erfo

rmed

ove

r th

e di

rect

orie

s to

m

onito

r th

e m

odifi

catio

n da

tes

on t

he p

rodu

ctio

n co

de d

irect

orie

s, th

is p

roce

ss i

s no

t pe

rfor

med

co

nsis

tent

ly o

r do

cum

ente

d to

miti

gate

the

ris

k as

soci

ated

w

ith

not

rest

rictin

g ac

cess

to

th

e

�D

ocum

ent a

nd im

plem

ent f

orm

aliz

ed p

olic

ies

and

proc

edur

es fo

r res

trict

ing

and

mon

itorin

g ac

cess

to

the

NEM

IS T

DL

dire

ctor

ies

to e

nsur

e th

at t

he

prin

cipl

es o

f le

ast

priv

ilege

and

seg

rega

tion

of

dutie

s ar

e en

forc

ed,

in

acco

rdan

ce

with

D

HS

guid

ance

. Th

e pr

oces

s sh

ould

in

clud

e re

quire

men

ts

over

pe

riodi

c m

onito

ring

and

docu

men

ted

revi

ews

of N

EMIS

TD

L di

rect

orie

s to

ve

rify

that

no

chan

ges

have

occ

urre

d af

ter

the

appr

oval

of N

EMIS

syst

em c

hang

es.

�Im

plem

ent

tech

nica

l co

ntro

ls w

ithin

the

NEM

IS

TDL

envi

ronm

ent

to l

imit

deve

lope

rs’

acce

ss t

o pr

e-pr

oduc

tion

dire

ctor

ies

cont

aini

ng

“loc

ked”

ap

plic

atio

n co

de

chan

ges

to

“rea

d on

ly”.

If

busi

ness

nee

ds r

equi

re t

hat

the

segr

egat

ion

of

dutie

s can

not b

e im

med

iate

ly im

plem

ente

d, F

EMA

sh

ould

do

cum

ent

and

impl

emen

t po

licie

s an

d pr

oced

ures

to

com

pens

ate

for

the

risk

asso

ciat

ed

with

the

segr

egat

ion

of d

utie

s w

eakn

ess

note

d, in

ac

cord

ance

with

DH

S gu

idan

ce.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

02

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

appr

oved

cod

e.

FEM

A-

IT-1

0-52

Con

ditio

ns n

oted

in

FY 2

009

rela

ted

to w

eakn

esse

s ov

er v

ulne

rabi

lity

asse

ssm

ents

for t

he W

indo

ws

serv

er

envi

ronm

ent

with

in t

he N

FIP

LAN

sup

porti

ng t

he

Trav

erse

app

licat

ion

cont

inue

to

exis

t in

FY

201

0.

Spec

ifica

lly:

�W

hile

pro

cedu

res

have

bee

n de

velo

ped,

the

NFI

P co

ntra

ctor

has

not

ful

ly i

mpl

emen

ted

the

proc

ess

for

cond

uctin

g in

tern

al

vuln

erab

ility

sc

ans

for

info

rmat

ion

syst

ems

and

for

asse

ssin

g, r

epor

ting,

an

d co

rrec

ting

iden

tifie

d w

eakn

esse

s th

roug

h th

e PO

A&

M P

roce

ss i

n ac

cord

ance

with

FEM

A a

nd

DH

S gu

idan

ce.

�FE

MA

doe

s no

t ha

ve d

ocum

ente

d an

d ap

prov

ed

proc

edur

es

that

es

tabl

ish

form

al

requ

irem

ents

, pr

oces

ses,

and

resp

onsi

bilit

ies

for

cond

uctin

g m

onito

ring

and

over

sigh

t of

reg

ular

vul

nera

bilit

y sc

ans

perf

orm

ed

over

th

e N

FIP

LAN

w

hich

su

ppor

ts

Trav

erse

to

m

eet

DH

S vu

lner

abili

ty

asse

ssm

ent r

equi

rem

ents

.

�Fu

rther

mor

e, w

hile

ad

hoc

scan

s w

ere

perf

orm

ed

in p

revi

ous

year

s by

the

con

tract

or,

evid

ence

of

perio

dic

NFI

P ne

twor

k sc

anni

ng c

ondu

cted

in F

Y

2010

cou

ld n

ot b

e ob

tain

ed.

Add

ition

ally

, w

e in

quire

d w

ith F

EMA

and

det

erm

ined

tha

t sc

ans

over

th

e N

FIP

LAN

su

ppor

ting

the

Trav

erse

ap

plic

atio

n w

ere

not

perf

orm

ed b

y th

e FE

MA

SO

C.

�D

ocum

ent

and

impl

emen

t fo

rmal

po

licie

s an

d pr

oced

ures

th

at

outli

ne

the

proc

esse

s an

d re

quire

men

ts f

or p

erfo

rmin

g in

tern

al v

ulne

rabi

lity

scan

s ov

er a

ll N

FIP

info

rmat

ion

syst

ems

as w

ell a

s th

e pr

oces

s fo

r ass

essi

ng, r

epor

ting,

and

cor

rect

ing

wea

knes

ses

iden

tifie

d du

ring

scan

s as

req

uire

d by

FE

MA

and

DH

S po

licy.

�

Ensu

re

that

po

licie

s an

d pr

oced

ures

fo

rmal

ly

desi

gnat

e re

spon

sibi

litie

s of

FE

MA

O

CIO

an

d N

FIP

IT

secu

rity

man

agem

ent

for

the

impl

emen

tatio

n, m

onito

ring,

and

ove

rsig

ht o

f th

e vu

lner

abili

ty s

cann

ing

proc

ess,

so th

at th

e sc

ope

of

vuln

erab

ility

sca

ns c

ondu

cted

inc

lude

all

NFI

P w

orks

tatio

ns a

nd s

erve

rs a

nd in

clud

e re

quire

men

ts

for

form

ally

tra

ckin

g an

d m

onito

ring

the

rem

edia

tion

of v

ulne

rabi

litie

s id

entif

ied

durin

g th

e in

tern

al

scan

s of

th

e N

FIP

LAN

th

roug

h th

e PO

A&

M p

roce

ss, i

n ac

cord

ance

with

DH

S po

licy.

X

2

FEM

A-

IT-1

0-53

Dur

ing

our

FY 2

010

inte

grat

ed a

udit

test

wor

k, w

e no

ted

that

NFI

P ha

s no

t est

ablis

hed

or im

plem

ente

d an

ef

fect

ive

proc

ess

to p

erio

dica

lly r

ecer

tify

user

acc

ess,

incl

udin

g se

rvic

e ac

coun

ts,

on t

he T

RR

P m

ainf

ram

e.

Cur

rent

ly,

NFI

P re

quire

s us

ers

to

sign

se

curit

y

�C

ompl

ete

the

revi

sion

, do

cum

enta

tion,

and

ful

l im

plem

enta

tion

of T

RR

P ac

cess

con

trol

polic

ies

and

proc

edur

es,

and

ensu

re t

hat

they

inc

lude

a

form

aliz

ed p

roce

ss f

or t

he r

ecer

tific

atio

n of

all

acco

unts

on

th

e m

ainf

ram

e,

incl

udin

g se

rvic

e

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

03

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

awar

enes

s an

d tra

inin

g ce

rtific

atio

ns o

n an

ann

ual

basi

s. H

owev

er,

no r

evie

w o

f us

ers’

acc

ess

and

priv

ilege

s is

con

duct

ed b

y m

anag

emen

t on

a p

erio

dic

basi

s to

ens

ure

syst

em a

cces

s re

mai

ns a

ppro

pria

te a

nd

com

men

sura

te w

ith j

ob r

espo

nsib

ilitie

s in

acc

orda

nce

with

DH

S gu

idan

ce.

Add

ition

ally

, we

note

d th

roug

h in

spec

tion

of th

e TR

RP

acce

ss p

roce

dure

s th

at n

o pr

oces

s ha

s be

en e

stab

lishe

d to

for

mal

ly d

ocum

ent

both

the

app

rova

l an

d bu

sine

ss

need

for s

ervi

ce a

ccou

nts.

acco

unts

, on

an

annu

al b

asis

to

dete

rmin

e th

at

acce

ss re

mai

ns a

ppro

pria

te a

nd c

omm

ensu

rate

with

jo

b re

spon

sibi

litie

s in

ac

cord

ance

w

ith

DH

S po

licy.

�

Doc

umen

t and

impl

emen

t pol

icie

s an

d pr

oced

ures

ov

er th

e cr

eatio

n of

ser

vice

acc

ount

s to

ens

ure

that

th

ey a

re a

ppro

pria

tely

aut

horiz

ed a

nd t

hat

a cl

ear

busi

ness

ne

ed

is

esta

blis

hed

and

docu

men

ted

just

ifyin

g th

e cr

eatio

n an

d us

e of

the

se t

ypes

of

acco

unts

in a

ccor

danc

e w

ith D

HS

polic

y.

FEM

A-

IT-1

0-54

Dur

ing

the

FY 2

010

inte

grat

ed a

udit,

we

dete

rmin

ed

that

wea

knes

ses

exis

ted

in th

e im

plem

enta

tion

of D

HS

SELC

req

uire

men

ts o

ver

the

IFM

IS-M

erge

r Pr

ojec

t. Sp

ecifi

cally

, th

roug

hout

the

life

cycl

e of

the

pro

ject

, FE

MA

man

agem

ent

did

not

adeq

uate

ly d

efin

e an

d im

plem

ent

requ

ired

elem

ents

of

th

e D

HS

SELC

pr

oces

s, in

clud

ing:

�A

det

aile

d an

d co

mpr

ehen

sive

Pro

ject

Tai

lorin

g Pl

an t

o de

fine

requ

ired

stag

es, a

ctiv

ities

, arti

fact

s an

d ex

it cr

iteria

for

the

pro

ject

per

DH

S SE

LC

guid

ance

was

not

dev

elop

ed a

nd a

ppro

ved

by

FEM

A m

anag

emen

t.

�A

ppro

vals

fo

r pr

ojec

t cr

itica

l do

cum

enta

tion

dem

onst

ratin

g th

at

all

requ

ired

stak

ehol

ders

re

view

ed

and

appr

oved

th

e re

sults

be

fore

ad

vanc

ing

to s

ubse

quen

t SEL

C s

tage

s co

uld

not b

e pr

ovid

ed.

�FE

MA

cou

ld n

ot p

rovi

de a

Dat

a M

igra

tion

Plan

an

d Te

st S

trate

gy to

dem

onst

rate

that

crit

ical

DH

S SE

LC

requ

irem

ents

w

ere

docu

men

ted

and

appr

oved

pr

ior

to

impl

emen

tatio

n of

th

e da

ta

mig

ratio

n.

We

reco

mm

end

that

FEM

A m

anag

emen

t con

duct

and

do

cum

ent

a le

sson

s le

arne

d re

port

rela

ted

to

the

IFM

IS-M

erge

r pr

ojec

t pe

r D

HS

SELC

gui

danc

e.

By

cond

uctin

g su

ch a

n ac

tivity

, FEM

A m

anag

emen

t w

ill

be a

ble

to m

aint

ain

a re

cord

of l

esso

ns le

arne

d in

ord

er

to

incr

ease

th

e pr

obab

ility

of

su

cces

s fo

r fu

ture

ac

quis

ition

s th

roug

h th

e im

prov

emen

t of

pro

cess

es,

tool

s, an

d ot

her p

roje

ct re

late

d en

titie

s.

Add

ition

ally

, w

e de

term

ined

th

at

the

root

ca

use

asso

ciat

ed w

ith t

he w

eakn

esse

s no

ted

over

the

SEL

C

proc

ess

is r

elat

ed t

o th

e en

tity

leve

l co

ntro

l is

sue

iden

tifie

d in

FE

MA

-IT-

10-4

7,

FEM

A

Man

agem

ent

Nee

ds

to

Impr

ove

Plan

ning

, M

anag

emen

t, an

d C

omm

unic

atio

n R

elat

ed

to

Fina

ncia

l Sy

stem

s D

evel

opm

ent

and

Acq

uisi

tion

Proj

ects

. W

hile

the

IF

MIS

-Mer

ger

proj

ect

has

been

com

plet

ed, c

orre

ctiv

e ac

tion

over

the

est

ablis

hmen

t of

a p

roce

ss t

o pr

ovid

e ov

ersi

ght

to

the

impl

emen

tatio

n of

th

e SE

LC

met

hodo

logy

mus

t be

com

plet

ed.

Ple

ase

see

NFR

FE

MA

-IT-

10-4

7 fo

r re

com

men

datio

ns r

elat

ed t

o th

e es

tabl

ishm

ent o

f thi

s pro

cess

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

04

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

�Sy

stem

sec

urity

req

uire

men

ts a

nd m

ilest

ones

wer

e no

t do

cum

ente

d an

d in

tegr

ated

int

o ke

y pr

ojec

t do

cum

enta

tion,

suc

h as

Bus

ines

s R

equi

rem

ents

do

cum

ents

, pro

ject

sche

dule

s, Pr

ojec

t Man

agem

ent

Plan

s, an

d R

isk

Man

agem

ent P

lans

.

�Pr

ojec

t do

cum

enta

tion

incl

udin

g th

e Pr

ojec

t M

anag

emen

t Pla

n, th

e R

isk

Man

agem

ent P

lan,

and

B

usin

ess

Req

uire

men

ts

docu

men

ts

wer

e no

t up

date

d an

d re

vise

d th

roug

hout

th

e pr

ojec

t du

ratio

n as

requ

ired

by th

e D

HS

SELC

.

�K

ey in

form

atio

n su

ch a

s ro

les

and

resp

onsi

bilit

ies

of

all

stak

ehol

ders

, gu

idel

ines

fo

r de

velo

ping

bu

sine

ss

requ

irem

ents

do

cum

enta

tion,

re

quire

men

ts

for

stag

e re

view

s, an

d ke

y ex

it cr

iteria

bef

ore

mov

ing

to t

he n

ext

stag

e of

the

pr

ojec

t w

ere

not

inte

grat

ed

into

th

e pr

ojec

t sc

hedu

le, P

roje

ct P

lan,

and

Com

mun

icat

ions

Pla

n.

�FE

MA

m

anag

emen

t di

d no

t pr

ovid

e ad

equa

te

over

sigh

t of

th

e co

ntra

ctor

s im

plem

entin

g th

e IF

MIS

-Mer

ger

Proj

ect.

Spec

ifica

lly,

docu

men

ted

evid

ence

sup

porti

ng t

he a

ppro

val,

valid

atio

n, a

nd

rete

ntio

n of

req

uire

d ar

tifac

ts a

ssoc

iate

d w

ith t

he

data

mig

ratio

n an

d ot

her

key

proj

ect m

anag

emen

t do

cum

ents

cou

ld n

ot b

e pr

ovid

ed b

y FE

MA

or

wer

e in

suff

icie

nt b

ased

on

DH

S re

quire

men

ts.

FEM

A-

IT-1

0-55

Dur

ing

our

FY 2

010

inte

grat

ed a

udit

test

wor

k, w

e no

ted

the

follo

win

g w

eakn

esse

s re

late

d to

th

e m

anag

emen

t an

d m

onito

ring

of u

ser

acco

unts

and

ac

tivity

on

the

NFI

P LA

N su

ppor

ting

Trav

erse

:

�N

FIP

has

not e

stab

lishe

d or

impl

emen

ted

a fo

rmal

pr

oces

s to

per

iodi

cally

rec

ertif

y al

l ac

coun

ts w

ith

acce

ss t

o th

e N

FIP

LAN

sup

porti

ng T

rave

rse,

as

�C

ompl

ete

the

revi

sion

, do

cum

enta

tion,

and

ful

l im

plem

enta

tion

of a

cces

s co

ntro

l po

licie

s an

d th

e N

FIP

LAN

sy

stem

ac

coun

t m

anag

emen

t pr

oced

ures

to a

lign

with

DH

S re

quire

men

ts su

ch a

s re

certi

ficat

ion

of a

ccou

nts

and

audi

t lo

g re

view

s. Sp

ecifi

cally

, ens

ure

that

they

incl

ude

a fo

rmal

ized

pr

oces

s for

the

rece

rtific

atio

n of

all

acco

unts

on

the

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

05

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

requ

ired

by D

HS

and

FEM

A p

olic

y. S

peci

fical

ly,

six

syst

em a

nd/o

r se

rvic

e ac

coun

ts o

n th

e FE

MA

LA

N

rem

aine

d ac

tive

abse

nt

an

acce

ptab

le

docu

men

ted

busi

ness

nee

d an

d ju

stifi

catio

n.

We

wer

e in

form

ed b

y N

FIP

man

agem

ent

that

the

se

acco

unts

wer

e no

lon

ger

need

ed,

and

they

wer

e re

mov

ed fr

om th

e sy

stem

dur

ing

test

wor

k.

�A

udit

logs

gen

erat

ed a

nd r

evie

wed

on

the

NFI

P LA

N d

o no

t in

clud

e ch

ange

s to

use

r ac

coun

t pr

ivile

ges a

s req

uire

d by

DH

S an

d FE

MA

pol

icy.

�A

udit

logs

for

the

NFI

P LA

N a

re n

ot r

etai

ned

for

at le

ast 9

0 da

ys, i

n ac

cord

ance

with

DH

S po

licy.

NFI

P LA

N,

incl

udin

g se

rvic

e ac

coun

ts,

on a

n an

nual

ba

sis

to

dete

rmin

e if

acce

ss

rem

ains

ap

prop

riate

an

d co

mm

ensu

rate

w

ith

job

resp

onsi

bilit

ies i

n ac

cord

ance

with

DH

S po

licy.

�

Doc

umen

t and

impl

emen

t pol

icie

s an

d pr

oced

ures

ov

er th

e cr

eatio

n of

ser

vice

acc

ount

s to

ens

ure

that

th

ey a

re a

ppro

pria

tely

aut

horiz

ed a

nd t

hat

a cl

ear

busi

ness

ne

ed

is

esta

blis

hed

and

docu

men

ted

just

ifyin

g th

e cr

eatio

n an

d us

e of

the

se t

ypes

of

acco

unts

in a

ccor

danc

e w

ith D

HS

polic

y.

�C

onfig

ure

the

NFI

P LA

N a

udit

logs

to

incl

ude

chan

ges

to u

ser

acco

unt p

rivile

ges

and

ensu

re th

at

stor

age

capa

city

se

tting

s of

au

dit

logs

ar

e co

nfig

ured

to r

etai

n th

e lo

gs fo

r 90

day

s on

line

as

requ

ired

by D

HS

and

FEM

A p

olic

y.

FEM

A-

IT-1

0-56

Dur

ing

our

FY 2

010

inte

grat

ed a

udit,

we

note

d th

e fo

llow

ing

wea

knes

ses

rela

ted

to th

e m

onito

ring

of u

ser

acco

unts

and

act

ivity

on

the

TRR

P m

ainf

ram

e:

�Se

greg

atio

n of

dut

ies

is n

ot p

rope

rly im

plem

ente

d ov

er t

he r

evie

w a

nd m

aint

enan

ce o

f TR

RP

audi

t lo

gs.

Spec

ifica

lly, t

he T

RR

P sy

stem

adm

inis

trato

r is

res

pons

ible

for

rev

iew

ing

TRR

P au

dit l

ogs,

and

a se

cond

inde

pend

ent r

evie

wer

is n

ot re

quire

d.

�A

udit

logs

gen

erat

ed a

nd r

evie

wed

on

the

TRR

P m

ainf

ram

e do

not

incl

ude

chan

ges

to u

ser a

ccou

nt

priv

ilege

s as r

equi

red

by D

HS

and

FEM

A p

olic

y.

�D

evel

op

and

impl

emen

t TR

RP

audi

t lo

ggin

g po

licie

s an

d pr

oced

ures

tha

t in

clud

e re

quire

men

ts

for a

udit

log

conf

igur

atio

ns a

nd th

e re

view

of l

ogs

by I

T se

curit

y m

anag

emen

t in

depe

nden

t of

the

sy

stem

adm

inis

tratio

n te

am i

n ac

cord

ance

with

D

HS

polic

y.

�C

onfig

ure

the

TRR

P au

dit l

ogs

to in

clud

e ch

ange

s to

use

r acc

ount

priv

ilege

s as

requ

ired

by D

HS

and

FEM

A p

olic

y.

X

2

FEM

A-

IT-1

0-57

Dur

ing

our

FY 2

010

inte

grat

ed a

udit

test

wor

k, w

e no

ted

that

NFI

P ha

s no

t est

ablis

hed

or im

plem

ente

d a

form

al p

roce

ss t

o au

thor

ize

or p

erio

dica

lly r

evie

w

rem

ote

acce

ss

to

the

LAN

ho

stin

g th

e TR

RP

mai

nfra

me

envi

ronm

ent

in a

ccor

danc

e w

ith D

HS

and

NIS

T gu

idan

ce.

�D

evel

op,

docu

men

t, an

d fu

lly i

mpl

emen

t po

licie

s an

d pr

oced

ures

ove

r do

cum

entin

g, r

evie

win

g, a

nd

appr

ovin

g re

mot

e ac

cess

to th

e N

FIP

LAN

hos

ting

the

TRR

P m

ainf

ram

e en

viro

nmen

t in

acc

orda

nce

with

FEM

A a

nd D

HS

requ

irem

ents

. �

Dev

elop

, do

cum

ent,

and

fully

im

plem

ent

polic

ies

and

proc

edur

es

to

perf

orm

a

perio

dic

rece

rtific

atio

n of

all

rem

ote

user

acc

ess

and

reta

in

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

06

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

audi

tabl

e re

cord

s as

evi

denc

e th

at r

ecer

tific

atio

ns

are

cond

ucte

d an

d co

mpl

eted

in

acco

rdan

ce w

ith

DH

S an

d FE

MA

pol

icy.

FE

MA

-IT

-10-

58

Whi

le

impr

ovem

ents

w

ere

note

d ov

er

the

docu

men

tatio

n of

Tr

aver

se

chan

ge

man

agem

ent

proc

edur

es d

urin

g th

e FY

201

0 in

tegr

ated

aud

it te

st

wor

k, w

e de

term

ined

that

cer

tain

wea

knes

ses

iden

tifie

d in

FY

20

09

cont

inue

to

ex

ist

over

th

e Tr

aver

se

conf

igur

atio

n m

anag

emen

t pro

cess

in c

ompr

ehen

sive

ly

addr

essi

ng

FEM

A

and

DH

S ch

ange

m

anag

emen

t po

licy.

For

exa

mpl

e, w

e de

term

ined

that

:

�Es

tabl

ishe

d pr

oced

ures

do

not i

nclu

de g

uida

nce

for

initi

al a

ppro

vals

as w

e w

ere

info

rmed

that

Tra

vers

e cu

rren

tly d

oes

not

fall

unde

r re

view

of

the

NFI

P C

hang

e C

ontro

l Boa

rd (C

CB

).

�R

equi

rem

ents

fo

r m

anag

ing

the

chan

ge

man

agem

ent

prog

ram

hav

e no

t be

en a

dequ

atel

y es

tabl

ishe

d an

d im

plem

ente

d to

ens

ure

that

NFI

P C

CB

and

/or

TRC

app

rova

ls a

re g

rant

ed p

rior

to

impl

emen

ting

chan

ges

into

th

e Tr

aver

se

prod

uctio

n en

viro

nmen

t, as

requ

ired

by F

EMA

and

D

HS

polic

y.

�A

dequ

ate

over

sigh

t and

invo

lvem

ent f

rom

FEM

A

man

agem

ent

is

not

inte

grat

ed

into

th

e co

nfig

urat

ion

man

agem

ent

requ

irem

ents

. Sp

ecifi

cally

, FE

MA

is

not

invo

lved

in

test

ing

and/

or re

view

ing

test

ing

and

appr

ovin

g ch

ange

s to

Tr

aver

se p

rior t

o im

plem

enta

tion.

�Tr

aver

se c

hang

es a

re n

ot re

quire

d to

be

test

ed p

rior

to im

plem

entin

g th

e ch

ange

into

pro

duct

ion

as n

o te

stin

g en

viro

nmen

t exi

sts.

�Li

mite

d te

stin

g re

quire

men

ts

exis

t to

gu

ide

pers

onne

l in

the

dev

elop

men

t of

tes

t pl

ans

and

�En

sure

the

NFI

P co

ntra

ctor

con

tinue

s to

ded

icat

e re

sour

ces

to e

stab

lish

and

impl

emen

t do

cum

ente

d po

licie

s an

d pr

oced

ures

ove

r th

e Tr

aver

se c

hang

e m

anag

emen

t pr

oces

s fo

r no

n-em

erge

ncy

and

emer

genc

y ch

ange

s w

hich

are

in

line

with

DH

S co

nfig

urat

ion

man

agem

ent

requ

irem

ents

. Pa

rticu

lar e

mph

asis

mus

t be

plac

ed o

n ap

prov

al b

y th

e N

FIP

CC

B

and/

or

TRC

, in

itial

ch

ange

ap

prov

als,

test

ing

and

test

ing

requ

irem

ents

, fin

al

appr

oval

s, an

d re

tent

ion

of

requ

ired

chan

ge

man

agem

ent

artif

acts

to

tra

ck

all

chan

ges

thro

ugho

ut t

heir

lifec

ycle

. Th

ese

phas

es s

houl

d al

so

incl

ude

an

inte

grat

ed

proc

ess

to

addr

ess

syst

em

chan

ge

requ

irem

ents

an

d st

akeh

olde

r ch

ange

req

uire

men

ts t

o en

sure

ade

quat

e te

stin

g an

d ap

prov

als

are

com

plet

ed b

y th

e ap

prop

riate

pa

rties

. �

Esta

blis

h an

d im

plem

ent

a fo

rmal

pr

oces

s to

co

nduc

t us

er

acce

ptan

ce

test

ing

in

a te

st

envi

ronm

ent

prio

r to

im

plem

enta

tion

in

prod

uctio

n.

�A

lloca

te q

ualif

ied

NFI

P m

anag

emen

t and

OC

IO IT

se

curit

y re

sour

ces

to p

rovi

de a

dequ

ate

over

sigh

t fo

r th

e co

nfig

urat

ion

man

agem

ent

proc

ess.

Ove

rsig

ht

activ

ities

sh

ould

en

com

pass

re

quire

men

ts

such

as

a

NFI

P Pr

ogra

m

Con

figur

atio

n M

anag

emen

t B

oard

res

pons

ible

for

m

anag

ing

and

parti

cipa

ting

in

the

NFI

P C

CB

an

d/or

TR

C to

ens

ure

that

all

requ

ired

elem

ents

in

the

conf

igur

atio

n m

anag

emen

t pr

oces

s ar

e fo

rmal

ly d

efin

ed a

nd i

mpl

emen

ted

in a

ccor

danc

e w

ith D

HS

and

FEM

A g

uida

nce.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

07

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

guid

ance

ove

r the

test

ing

that

sho

uld

be p

erfo

rmed

an

d do

cum

ente

d.

Add

ition

ally

, ro

les

and

resp

onsi

bilit

ies

over

test

pla

n pr

oced

ures

to e

nsur

e th

at

plan

s ar

e su

ffic

ient

, do

cum

ent

expe

cted

ou

tcom

es, a

nd a

re r

evie

wed

and

app

rove

d pr

ior

to

deve

lopm

ent,

are

not d

ocum

ente

d.

�R

equi

rem

ents

fo

r Tr

aver

se

emer

genc

y ch

ange

s ha

ve n

ot b

een

form

ally

def

ined

.

�D

edic

ate

the

reso

urce

s to

fully

revi

ew a

nd fi

naliz

e ap

prov

al o

f al

l N

FIP

cont

ract

or’s

con

figur

atio

n m

anag

emen

t pol

icie

s an

d pr

oced

ures

to e

nsur

e th

e re

vise

d pr

oced

ures

ar

e co

mpl

iant

w

ith

DH

S re

quire

men

ts.

FEM

A-

IT-1

0-59

Whi

le

impr

ovem

ents

w

ere

note

d ov

er

the

docu

men

tatio

n of

TR

RP

chan

ge

man

agem

ent

proc

edur

es

durin

g th

e FY

20

10

inte

grat

ed

audi

t te

stw

ork,

w

e de

term

ined

th

at

certa

in

wea

knes

ses

iden

tifie

d in

FY

200

9 co

ntin

ue to

exi

st o

ver t

he T

RR

P co

nfig

urat

ion

man

agem

ent p

roce

ss in

com

preh

ensi

vely

ad

dres

sing

FE

MA

an

d D

HS

chan

ge

man

agem

ent

polic

y. F

or e

xam

ple,

we

dete

rmin

ed th

at:

�R

equi

rem

ents

fo

r m

anag

ing

the

chan

ge

man

agem

ent

prog

ram

hav

e no

t be

en a

dequ

atel

y es

tabl

ishe

d an

d im

plem

ente

d to

ens

ure

that

CC

B

and/

or

TRC

ap

prov

als

are

gran

ted

prio

r to

im

plem

entin

g ch

ange

s in

to t

he T

RR

P pr

oduc

tion

envi

ronm

ent,

as r

equi

red

by F

EMA

and

DH

S po

licy.

Spe

cific

ally

:

�W

hile

a C

CB

has

bee

n es

tabl

ishe

d by

NFI

P m

anag

emen

t, ad

equa

te

over

sigh

t an

d in

volv

emen

t fro

m F

EMA

man

agem

ent h

as n

ot

been

in

tegr

ated

in

to

the

conf

igur

atio

n m

anag

emen

t re

quire

men

ts

incl

udin

g m

anda

tory

FEM

A p

artic

ipat

ion

in t

he C

CB

an

d C

CB

app

rova

l of c

hang

es a

fter t

estin

g ha

s oc

curr

ed.

�FE

MA

man

agem

ent,

incl

udin

g IT

sec

urity

and

fin

anci

al p

erso

nnel

, are

not

invo

lved

in te

stin

g

�En

sure

the

NFI

P co

ntra

ctor

con

tinue

s to

ded

icat

e re

sour

ces

to e

stab

lish

and

impl

emen

t do

cum

ente

d po

licie

s an

d pr

oced

ures

ove

r th

e TR

RP

chan

ge

man

agem

ent

proc

ess

for

non-

emer

genc

y an

d em

erge

ncy

chan

ges

whi

ch a

re i

n lin

e w

ith D

HS

conf

igur

atio

n m

anag

emen

t re

quire

men

ts.

Parti

cula

r em

phas

is

mus

t be

pl

aced

on

in

itial

ch

ange

app

rova

ls, t

estin

g an

d te

stin

g re

quire

men

ts,

final

app

rova

ls,

and

rete

ntio

n of

req

uire

d ch

ange

m

anag

emen

t ar

tifac

ts

to

track

al

l ch

ange

s th

roug

hout

the

ir lif

ecyc

le.

Thes

e ph

ases

sho

uld

also

in

clud

e an

in

tegr

ated

pr

oces

s to

ad

dres

s sy

stem

ch

ange

re

quire

men

ts

and

stak

ehol

der

chan

ge r

equi

rem

ents

to

ensu

re a

dequ

ate

test

ing

and

appr

oval

s ar

e co

mpl

eted

by

the

appr

opria

te

parti

es.

�A

lloca

te q

ualif

ied

NFI

P m

anag

emen

t and

OC

IO IT

se

curit

y re

sour

ces

to p

rovi

de a

dequ

ate

over

sigh

t fo

r th

e co

nfig

urat

ion

man

agem

ent

proc

ess.

Ove

rsig

ht

activ

ities

sh

ould

en

com

pass

re

quire

men

ts

such

as

a

NFI

P Pr

ogra

m

Con

figur

atio

n M

anag

emen

t B

oard

res

pons

ible

for

m

anag

ing

and

parti

cipa

ting

in

the

NFI

P C

CB

an

d/or

TR

C to

ens

ure

that

all

requ

ired

elem

ents

in

the

conf

igur

atio

n m

anag

emen

t pr

oces

s ar

e fo

rmal

ly d

efin

ed a

nd i

mpl

emen

ted

in a

ccor

danc

e w

ith D

HS

and

FEM

A g

uida

nce.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

08

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

and/

or

revi

ewin

g te

stin

g an

d ap

prov

ing

chan

ges t

o TR

RP

prio

r to

impl

emen

tatio

n.

�C

CB

rev

iew

s ar

e no

t co

nduc

ted

for

appr

oval

of

fin

al c

hang

es p

rior

to i

mpl

emen

tatio

n in

to

prod

uctio

n as

req

uire

d by

FEM

A a

nd D

HS

guid

ance

.

�Li

mite

d te

stin

g re

quire

men

ts

exis

t to

gu

ide

pers

onne

l in

the

dev

elop

men

t of

tes

t pl

ans

and

guid

ance

ov

er

the

test

ing,

in

clud

ing

user

ac

cept

ance

tes

ting,

tha

t sh

ould

be

perf

orm

ed a

nd

docu

men

ted

prio

r to

app

rova

l and

impl

emen

tatio

n in

to

prod

uctio

n.

Add

ition

ally

, ro

les

and

resp

onsi

bilit

ies

over

test

pla

n pr

oced

ures

to e

nsur

e th

at

plan

s ar

e su

ffic

ient

, do

cum

ent

expe

cted

ou

tcom

es, a

nd a

re r

evie

wed

and

app

rove

d pr

ior

to

deve

lopm

ent,

are

not d

ocum

ente

d.

�R

equi

rem

ents

for

TR

RP

emer

genc

y ch

ange

s ha

ve

not b

een

form

ally

def

ined

in w

ritin

g.

Furth

erm

ore,

we

perf

orm

ed t

estw

ork

over

ini

tial

and

final

app

rova

ls f

or a

sel

ectio

n of

25

TRR

P ch

ange

s m

ade

in F

Y 2

010

and

note

d th

e fo

llow

ing

exce

ptio

ns:

�D

ocum

enta

tion

for

3 of

the

25 c

hang

es c

ould

not

be

pro

vide

d

�17

of

22

ch

ange

s te

sted

di

d no

t ha

ve

initi

al

appr

oval

s do

cum

ente

d pr

ior

to

deve

lopi

ng

the

chan

ge

�9

of 2

2 ch

ange

s te

sted

cha

nges

did

not

hav

e al

l the

re

quire

d ap

prov

als p

rior t

o im

plem

enta

tion

�1

of 2

2 ch

ange

s te

sted

was

im

plem

ente

d pr

ior

to

�D

edic

ate

the

reso

urce

s to

fully

revi

ew a

nd fi

naliz

e ap

prov

al o

f al

l N

FIP

cont

ract

or’s

con

figur

atio

n m

anag

emen

t pol

icie

s an

d pr

oced

ures

to e

nsur

e th

e re

vise

d pr

oced

ures

ar

e co

mpl

iant

w

ith

DH

S re

quire

men

ts.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

09

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

chan

ge d

ocum

enta

tion

bein

g co

mpl

eted

FEM

A-

IT-1

0-60

Wea

knes

ses i

dent

ified

in F

Y 2

009

rela

ted

to c

ontro

ls to

re

stric

t ac

cess

an

d co

ntro

l m

ovem

ent

of

Trav

erse

pr

ogra

m l

ibra

ries

and

data

con

tinue

to

exis

t in

FY

20

10.

Spec

ifica

lly:

�Im

plem

enta

tion

proc

edur

es o

ver

Trav

erse

cha

nges

ha

ve n

ot b

een

esta

blis

hed,

and

cur

rent

pro

cess

es d

o no

t inc

orpo

rate

seg

rega

tion

of d

utie

s re

quire

men

ts.

Spec

ifica

lly,

NFI

P IT

co

ntra

ctor

s us

e th

eir

indi

vidu

ally

as

sign

ed

syst

em

adm

inis

trato

r ac

coun

ts t

o lo

gon

and

crea

te s

essi

ons

to a

llow

a

third

-par

ty d

evel

opm

ent v

endo

r to

inst

all T

rave

rse

syst

em c

hang

es.

�N

FIP

does

no

t ha

ve

a fo

rmal

pr

oces

s fo

r m

onito

ring

chan

ges

that

th

e ve

ndor

m

akes

in

Tr

aver

se w

hile

logg

ed in

as a

n ad

min

istra

tor.

�In

acc

orda

nce

with

pol

icy,

enf

orce

req

uire

men

ts

over

ind

ivid

ual

user

acc

ount

s by

not

allo

win

g ve

ndor

s to

a u

se a

sys

tem

adm

inis

trato

r’s

acco

unt

to a

cces

s th

e sy

stem

and

dep

loy

chan

ges

into

pr

oduc

tion.

�

Doc

umen

t and

impl

emen

t pol

icie

s an

d pr

oced

ures

to

lim

it Tr

aver

se d

evel

oper

and

app

licat

ion

supp

ort

vend

or a

cces

s to

the

NFI

P pr

oduc

tion

envi

ronm

ent

to “

read

onl

y” t

hrou

gh a

n as

sign

ed u

ser

acco

unt

and

segr

egat

e th

e re

spon

sibi

lity

for

depl

oyin

g ap

plic

atio

n co

de c

hang

es in

to p

rodu

ctio

n fr

om th

e de

velo

pmen

t/sup

port

vend

or

to

an

inde

pend

ent

cont

rol

grou

p.

Add

ition

ally

, pr

oced

ures

sho

uld

incl

ude

impl

emen

tatio

n pr

oces

s re

quire

men

ts f

or

cont

rolli

ng a

cces

s to

pro

duct

ion

dire

ctor

ies.

If

busi

ness

nee

ds r

equi

re t

hat

the

segr

egat

ion

of

dutie

s ca

nnot

be

imm

edia

tely

impl

emen

ted,

FEM

A

shou

ld

docu

men

t an

d im

plem

ent

polic

ies

and

proc

edur

es to

miti

gate

the

risk

asso

ciat

ed w

ith th

e se

greg

atio

n of

du

ties

wea

knes

s no

ted

in

acco

rdan

ce

with

D

HS

guid

ance

, in

clud

ing

a fo

rmal

ized

pr

oces

s fo

r pe

rfor

min

g an

d do

cum

entin

g re

view

s of

act

ivity

per

form

ed b

y th

ird-p

arty

ve

ndor

s w

ithin

th

e Tr

aver

se

envi

ronm

ent.

X

2

FEM

A-

IT-1

0-61

As

note

d du

ring

the

FY 2

009

audi

t, w

eakn

esse

s ov

er

cont

inge

ncy

plan

ning

for

bot

h th

e Tr

aver

se a

nd T

RR

P sy

stem

s con

tinue

to e

xist

in F

Y 2

010.

Spe

cific

ally

:

�W

hile

th

e N

FIP

Lega

cy

Syst

em

Serv

ices

(N

FIP/

LSS)

Con

tinge

ncy

Plan

, w

hich

per

tain

s to

th

e co

ntin

genc

y pl

anni

ng a

roun

d Tr

aver

se a

nd th

e N

FIP

LAN

, ha

s be

en u

pdat

ed f

or F

Y 2

010,

the

fo

llow

ing

elem

ents

are

not

in

com

plia

nce

with

�D

evel

op,

docu

men

t, an

d fu

lly i

mpl

emen

t an

IT

Con

tinge

ncy

Plan

for N

FIP

com

pone

nts,

incl

udin

g TR

RP

and

Trav

erse

. A

dditi

onal

ly,

ensu

re t

hat

cont

inge

ncy

plan

ning

do

cum

enta

tion

incl

udes

de

taile

d in

stru

ctio

ns fo

r res

torin

g op

erat

ing

syst

em

softw

are

and

criti

cal a

pplic

atio

ns in

the

even

t of

a di

sast

er,

cont

inge

ncy,

or

disr

uptio

n of

ser

vice

in

acco

rdan

ce

with

D

HS

and

NIS

T po

licy

requ

irem

ents

for

sys

tem

s ca

tego

rized

at

the

high

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

10

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

DH

S an

d N

IST

requ

irem

ents

:

�Th

e N

FIP/

LSS

IT C

ontin

genc

y Pl

an d

oes

not

docu

men

t de

taile

d in

stru

ctio

ns f

or r

esto

ring

oper

atin

g sy

stem

s an

d cr

itica

l ap

plic

atio

ns i

n th

e ev

ent

of

a di

sast

er,

cont

inge

ncy,

or

di

srup

tion

of se

rvic

e.

�Th

e N

FIP/

LSS

IT C

ontin

genc

y Pl

an d

oes

not

desi

gnat

e th

e cu

rren

t al

tern

ate

proc

essi

ng

faci

lity

for t

he o

pera

ting

envi

ronm

ent.

�Te

stin

g of

the

NFI

P/LS

S IT

Con

tinge

ncy

Plan

ha

s no

t be

en p

erfo

rmed

in

the

12 m

onth

s, as

re

quire

d by

DH

S po

licy.

�FE

MA

an

d N

FIP

man

agem

ent

have

no

t do

cum

ente

d or

app

rove

d a

curr

ent I

T C

ontin

genc

y Pl

an fo

r the

mai

nfra

me

envi

ronm

ent s

uppo

rting

the

TRR

P sy

stem

in a

ccor

danc

e w

ith F

EMA

and

DH

S re

quire

men

ts.

�C

ontin

genc

y te

stin

g ov

er

TRR

P w

as

not

suff

icie

ntly

con

duct

ed i

n ac

cord

ance

with

DH

S an

d N

IST

requ

irem

ents

. W

hile

a l

imite

d di

sast

er

reco

very

test

of t

he N

FIP

mai

nfra

me

envi

ronm

ent,

incl

udin

g TR

RP,

was

per

form

ed i

n O

ctob

er 2

009

to te

st r

esto

ratio

n of

dat

a, a

ll el

emen

ts r

equi

red

to

be t

este

d un

der

the

DH

S re

quire

men

ts f

or a

n IT

C

ontin

genc

y Pl

an w

ere

not

suff

icie

ntly

add

ress

ed

and

coul

d no

t be

used

to v

alid

ate

the

effe

ctiv

enes

s of

th

e or

gani

zatio

n’s

cont

inge

ncy

plan

ning

co

ntro

ls.

�Th

e N

FIP

cont

ract

or’s

Con

tinui

ty o

f O

pera

tion

Plan

(CO

OP)

for T

rave

rse

and

TRR

P co

uld

not b

e pr

ovid

ed fo

r aud

itor r

evie

w.

impa

ct a

vaila

bilit

y ob

ject

ive.

�

Con

duct

and

doc

umen

t an

nual

tes

ts o

f th

e TR

RP

and

Trav

erse

IT

Con

tinge

ncy

Plan

(s)

that

add

ress

al

l cr

itica

l ph

ases

of

th

e pl

an(s

), an

d up

date

co

ntin

genc

y pl

anni

ng d

ocum

enta

tion

with

les

sons

le

arne

d, a

s ne

cess

ary

and

in a

ccor

danc

e w

ith D

HS

and

NIS

T re

quire

men

ts.

�D

edic

ate

reso

urce

s to

est

ablis

h an

d im

plem

ent

an

alte

rnat

e pr

oces

sing

site

for

the

NFI

P sy

stem

s in

ac

cord

ance

with

DH

S po

licy

requ

irem

ents

. �

Unt

il an

alte

rnat

e pr

oces

sing

site

is

esta

blis

hed,

de

velo

p an

d su

bmit

an e

xcep

tion

for

appr

oval

in

acco

rdan

ce

with

D

HS

polic

y,

and

ensu

re

that

co

mpe

nsat

ing

cont

rols

ove

r the

lack

of a

n al

tern

ate

proc

essi

ng s

ite h

ave

been

im

plem

ente

d an

d ar

e ef

fect

ive,

and

doc

umen

tatio

n of

thei

r eff

ectiv

enes

s is

mai

ntai

ned

as a

udita

ble

reco

rds.

�D

ocum

ent,

impl

emen

t, an

d m

aint

ain

the

NFI

P C

OO

P to

ens

ure

requ

ired

elem

ents

for

Tra

vers

e an

d TR

RP

are

incl

uded

in

acco

rdan

ce w

ith D

HS

guid

ance

for h

igh

impa

ct sy

stem

s.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

11

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

FEM

A-

IT-1

0-62

Con

ditio

ns n

oted

in

FY 2

009

rela

ted

to w

eakn

esse

s ov

er t

he N

EMIS

con

figur

atio

n m

anag

emen

t pr

oces

s co

ntin

ue to

exi

st in

FY

201

0.

Bas

ed o

n ou

r te

stw

ork,

w

e co

nclu

ded

that

NEM

IS c

onfig

urat

ion

man

agem

ent

is n

ot a

dequ

atel

y an

d ce

ntra

lly c

ontro

lled,

doc

umen

ted,

or

man

aged

thr

ough

out

the

lifec

ycle

of

the

FEM

A

conf

igur

atio

n m

anag

emen

t pr

oces

s. S

peci

fical

ly,

we

iden

tifie

d th

e fo

llow

ing

wea

knes

ses:

�N

EMIS

co

nfig

urat

ion

man

agem

ent

polic

y an

d pr

oced

ures

whi

ch o

utlin

e FE

MA

’s r

espo

nsib

ilitie

s an

d pr

oces

ses

for

initi

atin

g, m

onito

ring,

tes

ting,

an

d ap

prov

ing

NEM

IS

non-

emer

genc

y an

d em

erge

ncy

chan

ges

that

are

dev

elop

ed u

nder

the

va

rious

de

velo

pmen

t co

ntra

cts

have

no

t be

en

docu

men

ted

and

appr

oved

by

FEM

A m

anag

emen

t, in

acc

orda

nce

with

DH

S an

d FE

MA

pol

icy.

�FE

MA

do

es

not

have

a

cent

raliz

ed

prog

ram

m

anag

emen

t fu

nctio

n or

pro

cess

to

mon

itor

and

track

NEM

IS S

oftw

are

Cha

nge

Req

uest

s (S

CR

s)

thro

ugho

ut

the

conf

igur

atio

n m

anag

emen

t lif

ecyc

le,

from

in

itial

ap

prov

al

thro

ugh

impl

emen

tatio

n in

to th

e pr

oduc

tion

envi

ronm

ent.

�D

ocum

ent

and

esta

blis

h a

cent

raliz

ed

and

inte

grat

ed

chan

ge

man

agem

ent

proc

ess

over

N

EMIS

to

en

sure

th

at

adeq

uate

co

ntro

ls

are

impl

emen

ted

thro

ugho

ut

the

lifec

ycle

of

th

e co

nfig

urat

ion

man

agem

ent p

roce

ss, i

n ac

cord

ance

w

ith D

HS

and

FEM

A p

olic

y.

�Fo

rmal

ly

desi

gnat

e FE

MA

m

anag

emen

t re

spon

sibi

litie

s fo

r ov

ersi

ght

and

impl

emen

tatio

n of

con

trols

for

ini

tiatin

g, m

onito

ring,

tes

ting,

and

ap

prov

ing

all

NEM

IS

non-

emer

genc

y an

d em

erge

ncy

chan

ges;

�

Esta

blis

h a

cent

raliz

ed, f

orm

al p

roce

ss to

mon

itor,

docu

men

t, an

d tra

ck N

EMIS

sof

twar

e ch

ange

s th

roug

hout

th

e co

nfig

urat

ion

man

agem

ent

lifec

ycle

, fr

om

initi

al

appr

oval

th

roug

h im

plem

enta

tion

into

the

prod

uctio

n en

viro

nmen

t.

X

3

FEM

A-

IT-1

0-63

Dur

ing

the

FY

2010

in

tegr

ated

au

dit,

we

note

d w

eakn

esse

s ov

er

the

IFM

IS-M

erge

r C

onfig

urat

ion

Man

agem

ent

Plan

.

Bas

ed

on

our

test

wor

k,

we

conc

lude

d th

at t

he I

FMIS

con

figur

atio

n m

anag

emen

t pr

oces

s do

es

not

mee

t co

mpr

ehen

sive

ch

ange

m

anag

emen

t pr

oces

s re

quire

men

ts a

nd p

roce

dure

s as

re

quire

d by

DH

S an

d N

IST

guid

ance

bec

ause

it is

not

ad

equa

tely

doc

umen

ted.

Fo

r ex

ampl

e, w

e id

entif

ied

the

follo

win

g w

eakn

esse

s:

�Th

e IF

MIS

CM

P pr

ovid

ed in

Jul

y 20

10 is

in d

raft

and

has n

ot b

een

upda

ted

to re

flect

the

new

IFM

IS-

�R

evis

e,

docu

men

t an

d fu

lly

impl

emen

t a

com

preh

ensi

ve

conf

igur

atio

n m

anag

emen

t pr

ogra

m

that

in

clud

es

a C

onfig

urat

ion

Man

agem

ent P

lan

for I

FMIS

-Mer

ger,

whi

ch a

ligns

w

ith a

ll ap

plic

able

DH

S an

d FE

MA

req

uire

men

ts

and

refle

cts

the

curr

ent

IFM

IS-M

erge

r op

erat

ing

envi

ronm

ent a

nd a

ll ap

plic

able

IT c

ompo

nent

s. �

Incl

ude

in

polic

ies

and

proc

edur

es

(a)

clea

rly

defin

ed a

nd f

orm

aliz

ed r

espo

nsib

ilitie

s fo

r ch

ange

m

anag

emen

t ov

ersi

ght

bodi

es

incl

udin

g a

Con

figur

atio

n/C

hang

e C

ontro

l B

oard

an

d (b

) su

ffic

ient

ly

deta

iled

resp

onsi

bilit

ies

and

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

12

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

Mer

ger

oper

atin

g en

viro

nmen

t. S

peci

fical

ly,

the

plan

inc

lude

s C

ore

IFM

IS a

nd G

&T

IFM

IS,

but

does

not

add

ress

the

IFM

IS-M

erge

r in

stan

ce t

hat

bega

n op

erat

ions

in F

ebru

ary

2010

.

�In

fras

truct

ure

info

rmat

ion

for

the

in-s

cope

ap

plic

atio

ns

does

no

t in

clud

e th

e se

rver

in

form

atio

n fo

r G

&T

IFM

IS,

whi

ch

was

op

erat

iona

l w

hen

the

plan

was

las

t re

vise

d in

N

ovem

ber 2

009.

�Th

e C

CB

ha

s no

t be

en

form

ally

an

d fu

lly

inte

grat

ed i

nto

the

FEM

A c

hang

e m

anag

emen

t pr

oces

s. W

hile

we

wer

e in

form

ed th

at a

CC

B f

or

IFM

IS w

as e

stab

lishe

d on

Mar

ch 2

2, 2

010,

we

dete

rmin

ed th

at th

e re

quire

men

ts o

ver t

he ro

les a

nd

resp

onsi

bilit

ies

as w

ell

as t

he m

embe

rshi

p of

the

C

CB

wer

e no

t cl

early

def

ined

, im

plem

ente

d, a

nd

docu

men

ted

to e

nsur

e th

at D

HS

requ

irem

ents

are

m

et.

�M

embe

rshi

p of

th

e “S

CR

R

evie

w

Team

” re

spon

sibl

e fo

r ini

tial a

ppro

val f

or d

evel

opm

ent o

f an

y ch

ange

s to

the

app

licat

ion

is n

ot f

orm

ally

de

fined

.

�R

equi

rem

ents

th

at

secu

rity

impa

ct

anal

yses

be

pe

rfor

med

prio

r to

impl

emen

tatio

n of

cha

nges

hav

e no

t bee

n do

cum

ente

d.

�Li

mite

d te

stin

g re

quire

men

ts e

xist

to g

uide

FEM

A

pers

onne

l in

the

dev

elop

men

t of

tes

t pl

ans

and

guid

ance

ove

r the

test

ing

that

sho

uld

be p

erfo

rmed

an

d do

cum

ente

d.

Add

ition

ally

, ro

les

and

resp

onsi

bilit

ies

over

test

pla

n pr

oced

ures

to e

nsur

e th

at

plan

s ar

e su

ffic

ient

, do

cum

ent

expe

cted

ou

tcom

es, a

nd a

re r

evie

wed

and

app

rove

d pr

ior

to

requ

irem

ents

for s

ecur

ity im

pact

ana

lyse

s, te

st p

lan

deve

lopm

ent,

and

appr

oval

for n

on-e

mer

genc

y an

d em

erge

ncy

chan

ge p

roce

dure

s.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

13

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

deve

lopm

ent,

are

not d

ocum

ente

d.

�R

equi

rem

ents

ove

r em

erge

ncy

chan

ges

have

not

be

en d

efin

ed in

writ

ing.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

14

Appendix B


September 30, 2010



� Federal Law Enforcement Training Center


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Fede

ral L

aw E

nfor

cem

ent a

nd T

rain

ing

Cen

ter

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

FLET

C-

IT-1

0-01

D

urin

g ou

r FY

201

0 re

view

of F

LETC

’s c

onfig

urat

ion

man

agem

ent

polic

ies

and

proc

edur

es,

we

note

d th

at

FLET

C d

oes n

ot c

ondu

ct th

e fo

llow

ing:

�

Mom

entu

m a

nd G

lync

o A

rea

Net

wor

k (G

AN

) ch

ange

s ar

e no

t bei

ng d

ocum

ente

d th

roug

hout

the

chan

ge c

ontro

l pro

cess

from

the

test

ing

of c

hang

es

to t

he f

inal

app

rova

l of

the

cha

nges

prio

r to

im

plem

enta

tion,

and

; �

Dis

tribu

tion

and

impl

emen

tatio

n of

Mom

entu

m

and

GA

N c

hang

es a

re n

ot b

eing

con

trolle

d.

The

FLET

C m

anag

emen

t will

upd

ate

and

enfo

rce

curr

ent

proc

edur

es t

o en

sure

cha

nges

are

ful

ly

docu

men

ted

thro

ugho

ut th

e ch

ange

con

trol p

roce

ss

to in

clud

e th

e re

sults

of t

estin

g th

e ch

ange

, rev

iew

of

the

cha

nge

test

res

ults

, an

d fin

al a

ppro

val

to

proc

eed

with

the

impl

emen

tatio

n.

X

2

FLET

C-

IT-1

0-02

D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t au

dit,

we

note

d se

vera

l w

eakn

esse

s w

ith

the

logi

cal

acce

ss

cont

rols

fo

r th

e G

lync

o A

dmin

istra

tive

Net

wor

k (G

AN

).

Dur

ing

our

revi

ew i

n FY

201

0, w

e re

view

ed t

he

logi

cal a

cces

s co

ntro

ls o

ver t

he G

AN

. Pe

r our

revi

ew,

we

note

d th

at F

LETC

has

rem

edia

ted

all o

f the

logi

cal

acce

ss c

ontro

ls o

ver t

he G

AN

; how

ever

, KPM

G n

oted

th

at t

he G

AN

was

con

figur

ed t

o re

set

the

lock

out

coun

ter a

fter 2

0 m

inut

es.

This

doe

s no

t mee

t the

DH

S 43

00A

req

uire

men

t of

24

hour

s. U

pon

notif

icat

ion,

FL

ETC

im

med

iate

ly

rem

edia

ted

the

conf

igur

atio

n is

sue.

How

ever

, the

con

figur

atio

n w

as in

appr

opria

tely

co

nfig

ured

for t

he m

ajor

ity o

f the

fisc

al y

ear.

Due

to re

med

iatio

n of

this

find

ing

with

in th

e fis

cal

year

, no

reco

mm

enda

tion

is re

quire

d.

X

3

FLET

C-

IT-1

0-03

In

FY

20

09,

KPM

G

cond

ucte

d A

fter-

Hou

rs

wal

kthr

ough

te

stin

g to

co

mpl

emen

t ou

r IT

au

dit

test

ing

effo

rts a

s pa

rt of

the

FY 2

010

DH

S Fi

nanc

ial

Stat

emen

t A

udit

and

Aud

it of

Int

erna

l C

ontro

l ov

er

Fina

ncia

l R

epor

ting.

W

e al

so p

erfo

rmed

afte

r-ho

urs

Fina

nce

Div

isio

n, B

uild

ing

66 S

afeg

uard

ing

of P

II

and

Cre

dit

Car

d da

ta:

Mod

ifica

tions

to

Bui

ldin

g 66

hav

e re

cent

ly b

een

com

plet

ed w

hich

pro

vide

se

cure

file

sto

rage

room

s an

d en

try c

ontro

ls fo

r all

acce

ss p

oint

s in

the

bui

ldin

g.

An

SOP

will

be

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

16

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

phys

ical

sec

urity

tes

ting

to i

dent

ify r

isks

rel

ated

to

non-

tech

nica

l as

pect

s of

IT

secu

rity.

Th

ese

non-

tech

nica

l IT

secu

rity

aspe

cts i

nclu

de p

hysi

cal a

cces

s to

equi

pmen

t tha

t hou

ses

finan

cial

dat

a an

d in

form

atio

n re

sidi

ng o

n th

e de

sks

of F

LETC

per

sonn

el,

whi

ch

coul

d be

use

d by

oth

ers

to i

napp

ropr

iate

ly a

cces

s fin

anci

al in

form

atio

n.

For

our

revi

ew i

n FY

201

0 fo

llow

up

test

wor

k w

as

perf

orm

ed a

t var

ious

FLE

TC b

uild

ings

in th

e G

lync

o,

Geo

rgia

com

plex

. Th

e de

sign

ated

FLE

TC T

echn

ical

Po

int

of C

onta

ct a

nd r

epre

sent

ativ

es f

rom

the

DH

S O

ffic

e of

In

spec

tor

Gen

eral

, th

e D

HS

Off

ice

of

Info

rmat

ion

Secu

rity,

an

d th

e FL

ETC

O

ffic

e of

Ph

ysic

al S

ecur

ity a

ccom

pani

ed K

PMG

to

mon

itor

test

ing

and

valid

ate

the

resu

lts.

Afte

r ga

inin

g ac

cess

to

the

fac

ilitie

s, w

e in

spec

ted

a ra

ndom

sel

ectio

n of

de

sks

and

offic

es, l

ooki

ng f

or it

ems

such

as

impr

oper

pr

otec

tion

of

syst

em

pass

wor

ds,

unse

cure

d in

form

atio

n sy

stem

har

dwar

e, d

ocum

enta

tion

mar

ked

FOU

O, a

nd u

nloc

ked

netw

ork

sess

ions

. O

ur s

elec

tion

of d

esks

and

off

ices

was

not

sta

tistic

ally

der

ived

, and

th

eref

ore

we

are

unab

le t

o pr

ojec

t re

sults

to

the

com

pone

nt o

r de

partm

ent

as a

who

le.

We

revi

ewed

ov

er 9

0 de

sks a

nd c

ubic

les w

ithin

the

four

loca

tions

.

draf

ted

to a

ddre

ss S

afeg

uard

ing

of P

II a

nd C

redi

t C

ard

data

in th

e Fi

nanc

e D

ivis

ion,

impl

emen

t use

of

the

secu

re fi

le s

tora

ge ro

oms,

and

addr

ess

entry

co

ntro

ls f

or a

cces

s po

ints

in

the

build

ing.

Th

is

will

be

deve

lope

d an

d im

plem

ente

d by

Nov

embe

r 15

, 201

0.

Add

ition

ally

, spe

cific

req

uire

men

ts f

or

Safe

guar

ding

of

PII

and

Cre

dit

Car

d da

ta w

ill b

e ad

ded

to e

ach

Fina

nce

Div

isio

n em

ploy

ee’s

FY

20

11 (a

nd fu

ture

) Ann

ual P

erfo

rman

ce W

ork

Plan

to

ens

ure

ther

e is

no

mis

unde

rsta

ndin

g re

gard

ing

each

em

ploy

ee’s

resp

onsi

bilit

ies i

n th

is a

rea.

Fina

nce

Off

ice,

B

uild

ing

66

Use

r N

ame

and

Pass

wor

ds:

Rem

edia

l tra

inin

g w

ill b

e co

nduc

ted

rega

rdin

g sa

fegu

ardi

ng U

ser N

ame

and

Pass

wor

ds.

Add

ition

ally

, sp

ecifi

c re

quire

men

ts

for

safe

guar

ding

Use

r N

ame

and

Pass

wor

ds w

ill b

e ad

ded

to e

ach

Fina

nce

Div

isio

n em

ploy

ee’s

FY

20

11 (a

nd fu

ture

) Ann

ual P

erfo

rman

ce W

ork

Plan

to

ens

ure

ther

e is

no

mis

unde

rsta

ndin

g re

gard

ing

each

em

ploy

ee’s

resp

onsi

bilit

ies i

n th

is a

rea.

For

the

CIO

Ope

ratio

ns a

nd S

uppo

rt D

ivis

ion

(OSD

) in

Bld

g 68

1, r

emed

ial

train

ing

will

be

cond

ucte

d to

ens

ure

empl

oyee

s an

d co

ntra

ctor

s lo

ck

thei

r do

ors

and

safe

guar

d se

nsiti

ve

info

rmat

ion.

O

SD w

ill e

nsur

e th

e w

orks

tatio

n sc

reen

save

r fea

ture

is e

nabl

ed o

n its

wor

ksta

tions

.

FLET

C-

IT-1

0-04

D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t aud

it, K

PMG

de

term

ined

that

logs

of a

udita

ble

even

ts in

the

Gyl

nco

Adm

inis

trativ

e N

etw

ork

(GA

N)

are

not

bein

g re

view

ed to

iden

tify

pote

ntia

l inc

iden

ts.

Dur

ing

our

FY 2

010

revi

ew, K

PMG

det

erm

ined

tha

t FL

ETC

has

im

plem

ente

d th

e Se

curit

y In

form

atio

n

FLET

C’s

cu

rren

t SI

M

solu

tion

prov

ides

no

ca

pabi

lity

to c

orre

late

or

aggr

egat

e au

dit

logs

w

hich

res

ults

in

an a

rduo

us,

un-tr

acka

ble

and

unm

anag

eabl

e au

dit

log

revi

ew

proc

ess

whe

n ha

ndlin

g m

illio

ns o

f re

cord

s ea

ch d

ay.

FLET

C is

cu

rren

tly i

n th

e pr

oces

s of

pro

curin

g A

rcSi

ght

ESM

as

a re

plac

emen

t SI

M s

olut

ion

to a

ddre

ss

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

17

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

Man

agem

ent

Syst

em

(SIM

) w

ith

capa

bilit

ies

to

man

age

and

stor

e lo

gs o

f au

dita

ble

even

ts.

How

ever

, w

e de

term

ined

tha

t m

anag

emen

t do

es n

ot h

ave

a fo

rmal

pro

cess

for

rev

iew

ing

the

audi

t lo

gs o

n a

perio

dic

basi

s.

thes

e an

d ot

her

shor

tcom

ings

with

the

cur

rent

so

lutio

n. A

rcSi

ght E

SM a

llow

s for

bot

h si

mpl

ified

an

d ex

cept

iona

lly c

ompl

ex e

vent

cor

rela

tion

rule

au

thor

ship

.

FLET

C w

ill d

eplo

y th

e A

rcSi

ght

ESM

sol

utio

n du

ring

FY 2

011.

Use

rs,

such

as

ISSO

s, w

ill b

e pr

ovid

ed

focu

sed

dash

boar

ds

with

co

rrel

ated

in

form

atio

n pe

rtine

nt

to

thei

r ar

eas

of

resp

onsi

bilit

y.

Aud

it lo

gs w

ill b

e re

view

ed a

s co

rrel

ated

and

agg

rega

ted

data

and

can

be

drill

ed

dow

n to

in d

etai

l and

revi

ewed

whe

n su

spic

ious

or

anom

alou

s re

cord

s ar

e fo

und.

Cus

tom

ized

repo

rts

and

auto

mat

ed a

lerts

will

be

conf

igur

ed f

or e

ach

syst

em a

nd t

ailo

red

for

the

audi

t lo

g re

view

er.

Aud

it lo

gs o

f acc

ess

to th

e SI

M it

self

will

als

o be

ge

nera

ted

and

revi

ewed

to

ensu

re u

sers

suc

h as

IS

SO’s

and

the

SOC

are

util

izin

g th

e sy

stem

and

re

view

ing

audi

t re

cord

s an

d re

spon

ding

to

the

conf

igur

ed a

utom

ated

ale

rts in

a ti

mel

y m

anne

r.

FLET

C-

IT-1

0-05

D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t aud

it, K

PMG

de

term

ined

tha

t ac

cess

con

trol

wea

knes

ses

exis

ted

over

M

omen

tum

ac

cess

au

thor

izat

ions

fo

r us

er’s

pr

ofile

s cre

ated

or m

odifi

ed d

urin

g th

e fis

cal y

ear.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent a

udit,

KPM

G

dete

rmin

ed th

at a

cces

s co

ntro

l wea

knes

ses

still

exi

sted

ov

er

Mom

entu

m

acce

ss

auth

oriz

atio

ns

for

user

’s

prof

iles

crea

ted

or m

odifi

ed d

urin

g th

e fis

cal

year

. Sp

ecifi

cally

, w

e le

arne

d th

at n

ew u

sers

and

pro

file

chan

ges a

re n

ot b

eing

trac

ked

by F

LETC

.

FLET

C

has

impl

emen

ted

prof

ile

logg

ing,

ho

wev

er,

due

to t

he o

verw

helm

ing

volu

me

of

even

ts lo

gged

by

the

syst

em, t

his

has

prov

en to

be

unus

able

in te

rms

of id

entif

ying

rel

evan

t act

ivity

. FL

ETC

is

wor

king

to

bette

r an

alyz

e an

d m

anag

e th

e pr

ofile

log

ging

rep

orts

. A

n SO

P w

ill b

e dr

afte

d to

im

plem

ent

man

agem

ent

over

sigh

t fo

r M

omen

tum

ac

cess

au

thor

izat

ions

fo

r us

er’s

pr

ofile

s cr

eate

d or

mod

ified

dur

ing

the

fisca

l yea

r. Th

is p

roce

ss w

ill b

e de

velo

ped

and

impl

emen

ted

by N

ovem

ber 3

0, 2

010.

X

3

FLET

C-

IT-1

0-06

D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t au

dit,

we

note

d se

vera

l w

eakn

esse

s ar

ound

acc

ess

cont

rols

for

th

e St

uden

t Inf

orm

atio

n Sy

stem

(SIS

) inc

ludi

ng:

The

FLET

C

will

up

date

th

e ex

istin

g R

isk

Acc

epta

nce

to i

nclu

de t

he p

assw

ord

exce

ptio

ns

note

d in

the

cond

ition

abo

ve.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

18

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

�SI

S is

con

figur

ed to

hav

e a

pass

wor

d hi

stor

y of

two

pass

wor

ds st

ored

. �

SIS

is n

ot c

onfig

ured

to re

set t

he a

ccou

nt

faile

d lo

gon

coun

ter

�U

sers

wer

e no

t loc

ked

out a

fter t

hree

inva

lid

acce

ss a

ttem

pts.

�SI

S sy

stem

adm

inis

trato

rs sh

are

a ‘r

oot’

user

nam

e an

d pa

ssw

ord

to p

erfo

rm

adm

inis

trativ

e re

spon

sibi

litie

s. �

A sa

mpl

e of

aud

it lo

gs th

at tr

ack

chan

ges t

o sy

stem

dat

a co

uld

not b

e pr

ovid

ed.

�U

ser p

rofil

e cr

eatio

n is

not

trac

ked

and

a lis

ting

of p

rofil

e cr

eatio

n da

tes c

ould

not

be

prov

ided

. �

Evid

ence

of p

erio

dic

revi

ew o

f use

r acc

ount

s co

uld

not b

e pr

ovid

ed.

In F

Y 2

010,

we

inqu

ired

with

FLE

TC a

nd n

oted

that

al

thou

gh s

ome

corr

ectiv

e ac

tions

hav

e ta

ken

plac

e, th

e fo

llow

ing

has n

ot y

et b

een

impl

emen

ted.

�

Use

rs a

re n

ot b

eing

lock

ed o

ut a

fter 3

inva

lid

atte

mpt

s. �

SIS

pass

wor

d le

ngth

min

imum

is c

onfig

ured

a

min

imum

of s

ix.

�SI

S do

es n

ot re

quire

a c

ombi

natio

n of

al

phab

etic

, num

eric

, and

spec

ial c

hara

cter

s. �

Aud

it lo

gs th

at tr

ack

chan

ges t

o sy

stem

dat

a ar

e no

t bei

ng re

view

ed.

�

Prof

ile c

reat

ion

and

chan

ges a

re n

ot b

eing

tra

cked

and

a li

stin

g of

pro

file

upda

tes c

ould

no

t be

prov

ided

. �

Perio

dic

revi

ew o

f use

r acc

ount

s is n

ot b

eing

co

nduc

ted.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

19

Appendix B


September 30, 2010



� Immigration and Customs Enforcement


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Imm

igra

tion

and

Cus

tom

s Enf

orce

men

t

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

ICE-

IT-

10-0

1 D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t aud

it, K

PMG

pe

rfor

med

an

insp

ectio

n of

a s

ampl

e of

per

sonn

el th

at

had

term

inat

ed/tr

ansf

erre

d fr

om

thei

r em

ploy

men

t w

ith I

CE

durin

g th

e fis

cal

year

. K

PMG

req

uest

ed

evid

ence

that

exi

t cle

aran

ce fo

rms

wer

e co

mpl

eted

for

each

em

ploy

ee

to

dete

rmin

e IC

E m

anag

emen

t’s

com

plia

nce

with

exi

t cle

aran

ce p

roce

dure

s. O

f the

25

term

inat

ed/tr

ansf

erre

d IC

E pe

rson

nel

sam

pled

, ev

iden

ce o

f com

plia

nce

with

exi

t cle

aran

ce p

roce

dure

s co

uld

not b

e pr

ovid

ed fo

r 12

empl

oyee

s.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent a

udit,

KPM

G

was

info

rmed

that

a p

olic

y an

d pr

oced

ure

has

not b

een

deve

lope

d fo

r th

e Pe

rson

nel

Exiti

ng P

roce

ss.

IC

E m

anag

emen

t sta

ted

that

the

Off

ice

of H

uman

Cap

ital

(OH

C)

has

impl

emen

ted

a m

ulti-

year

mis

sion

act

ion

plan

to a

ddre

ss th

is a

nd v

ario

us o

ther

issu

es, b

ut th

ere

has b

een

no c

orre

ctiv

e ac

tion

take

n at

this

tim

e.

ICE

shou

ld

esta

blis

h an

d im

plem

ent

a po

licy

gove

rnin

g th

e ex

it cl

eara

nce

proc

ess,

iden

tifyi

ng

the

proc

edur

es

sepa

ratin

g em

ploy

ees

and

cont

ract

ors

mus

t ta

ke t

o en

sure

the

ret

urn

and\

or

safe

guar

ding

of

gove

rnm

ent

prop

erty

, eq

uipm

ent,

and

syst

ems;

and

the

role

s an

d re

spon

sibi

litie

s of

IC

E of

fices

invo

lved

in th

e ex

it cl

eara

nce

proc

ess.

X

3

ICE-

IT-

10-0

2 D

urin

g th

e FY

200

9 au

dit,

KPM

G i

nqui

red

of I

CE

OC

IO p

erso

nnel

abo

ut F

FMS

pass

wor

d se

tting

s. W

e de

term

ined

tha

t th

e FF

MS

pass

wor

d se

tting

s re

quire

th

e us

e of

an

unde

rsco

re a

nd d

oes

not a

llow

the

use

of

any

othe

r spe

cial

cha

ract

ers s

uch

as !,

@, #

, $, %

, or *

, w

hich

is

not

com

plia

nt w

ith D

HS

polic

y.

The

DH

S po

licy

requ

ires

that

pas

swor

ds c

onta

in a

com

bina

tion

of a

lpha

betic

, num

eric

, and

spec

ial c

hara

cter

s.

Dur

ing

the

FY 2

010

audi

t, w

e pe

rfor

med

fol

low

-up

inqu

iry t

o de

term

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

th

e FF

MS

pass

wor

d se

tting

co

ntro

l w

eakn

ess

has

not b

een

rem

edia

ted.

IC

E m

anag

emen

t

ICE

shou

ld

upda

te

the

FFM

S pa

ssw

ord

conf

igur

atio

n se

tting

s to

ens

ure

that

the

y ar

e in

co

mpl

ianc

e w

ith D

HS

4300

A p

olic

ies.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

21

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

stat

ed th

at a

cha

nge

to th

e sy

stem

has

bee

n re

ques

ted

to i

nclu

de t

wo

addi

tiona

l ch

arac

ters

in

the

pass

wor

d co

mpl

exity

. Th

e sp

ecia

l cha

ract

ers

that

will

be

adde

d on

ce t

he c

hang

e is

im

plem

ente

d ar

e th

e #,

$,

and

unde

rsco

re.

K

PMG

no

ted

that

O

racl

e us

es

the

follo

win

g ch

arac

ters

(!,

@,

%,

^, &

, *)

as

func

tion

key,

th

eref

ore,

th

ey

cann

ot

be

incl

uded

in

th

e pa

ssw

ord

com

plex

ity.

The

rem

edia

tion

com

plet

ion

date

is sc

hedu

led

for N

ovem

ber 2

010.

ICE-

IT-

10-0

3 D

urin

g th

e FY

200

9 au

dit,

KPM

G i

nqui

red

of I

CE

OC

IO p

erso

nnel

abo

ut t

he p

roce

ss f

or r

ecer

tifyi

ng

FFM

S us

er a

cces

s (r

evie

w o

f ac

cess

priv

ilege

s) a

nd

foun

d th

at t

his

proc

ess

is n

ot f

orm

ally

doc

umen

ted.

Fu

rther

mor

e, K

PMG

fou

nd t

hat

the

revi

ew f

or t

he

acce

ss

priv

ilege

s fo

r ea

ch

FFM

S ac

coun

t is

no

t ad

equa

tely

rec

orde

d an

d no

aud

it tra

il is

ava

ilabl

e to

su

ppor

t tha

t a re

certi

ficat

ion

was

com

plet

ed.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e pe

rfor

med

follo

w-u

p in

quiry

to d

eter

min

e th

e st

atus

of

this

wea

knes

s an

d le

arne

d th

at p

roce

dure

s ha

ve b

een

docu

men

ted

and

impl

emen

ted

for

the

FFM

S re

certi

ficat

ion

proc

ess,

how

ever

, a

form

al p

olic

y ha

s no

t be

en

docu

men

ted.

KPM

G

foun

d th

at

user

s’

logi

cal a

cces

s pr

ivile

ges

wer

e re

view

ed, r

ecor

ded,

and

m

aint

aine

d, t

here

fore

thi

s po

rtion

of

the

PY N

FR a

s be

en r

emed

iate

d.

How

ever

, pe

r in

quiry

with

IC

E m

anag

emen

t, K

PMG

fou

nd t

hat

a fo

rmal

pol

icy

still

do

es

not

exis

t fo

r th

e re

certi

ficat

ion

of

FFM

S ac

coun

ts.

ICE

man

agem

ent

shou

ld e

stab

lish

and

impl

emen

t po

licie

s an

d pr

oced

ures

to f

orm

ally

doc

umen

t the

re

certi

ficat

ion

of

FFM

S us

er

priv

ilege

s. Th

is

activ

ity is

the

resp

onsi

bilit

y of

OFM

and

the

ISSO

. Th

is p

roce

ss s

houl

d in

clud

e a

met

hod

to d

ocum

ent

user

re

certi

ficat

ion

and

a pr

oces

s to

m

aint

ain

evid

ence

of t

he re

view

s.

X

ICE-

IT-

10-0

4 D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t aud

it, K

PMG

pe

rfor

med

an

insp

ectio

n of

a l

istin

g of

FFM

S us

ers

and

thei

r as

sign

ed

role

s/re

spon

sibi

litie

s an

d de

term

ined

th

at

six

user

s ha

d O

rigin

ator

, Fu

nds

Cer

tific

atio

n O

ffic

ial,

and

App

rovi

ng O

ffic

ial p

rofil

es

ICE

shou

ld e

nfor

ce p

olic

ies

and

proc

edur

es t

o en

sure

tha

t as

sign

ed r

oles

and

res

pons

ibili

ties

are

com

men

sura

te w

ith p

erso

nnel

job

func

tions

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

22

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

that

wer

e in

vio

latio

n of

FFM

S se

greg

atio

n of

dut

ies

polic

ies.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e pe

rfor

med

follo

w-u

p in

quiry

to d

eter

min

e th

e st

atus

of

this

wea

knes

s and

lear

ned

that

dra

ft FF

MS

segr

egat

ion

of d

uty

polic

y is

in p

lace

, but

, is

not b

eing

fol

low

ed.

In a

dditi

on, K

PMG

insp

ecte

d a

listin

g of

FFM

S us

ers

and

thei

r as

sign

ed

role

s/re

spon

sibi

litie

s an

d de

term

ined

th

at

one

use

r ha

d O

rigin

ator

, Fu

nds

Cer

tific

atio

n O

ffic

ial,

and

a A

ppro

ving

O

ffic

ial

prof

ile, w

hich

is a

vio

latio

n of

the

FFM

S se

greg

atio

n of

dut

ies p

olic

y.

ICE-

IT-

10-0

5 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t aud

it, K

PMG

de

term

ined

tha

t FF

MS

audi

t lo

gs w

ere

not

gene

rate

d or

rev

iew

ed d

urin

g th

e pe

riod

Oct

ober

200

9 th

roug

h Fe

brua

ry 2

010.

A

s of

Mar

ch 2

010,

the

log

s w

ere

gene

rate

d an

d re

view

ed,

how

ever

, no

su

ppor

ting

evid

ence

co

uld

be

prov

ided

.

Add

ition

ally

, w

e de

term

ined

that

aud

it lo

g po

licy

and

proc

edur

es h

ave

been

dra

fted,

how

ever

, th

ey h

ave

not

been

fin

aliz

ed,

appr

oved

, and

impl

emen

ted.

ICE

Off

ice

of F

inan

cial

Man

agem

ent (

OFM

) w

ill

final

ize,

see

k ap

prov

al,

and

form

ally

im

plem

ent

the

draf

t pol

icy

and

proc

edur

es.

In th

e m

eant

ime,

th

e dr

aft p

olic

y w

ill b

e us

ed to

pro

vide

an

accu

rate

au

dit l

og.

X

3

ICE-

IT-

10-0

6 D

urin

g th

e FY

200

9 fin

anci

al s

tate

men

t aud

it, K

PMG

de

term

ined

that

wea

knes

ses

exis

t ove

r A

DEX

acc

ess.

Spec

ifica

lly, K

PMG

fou

nd th

at 1

4 us

ers,

whi

ch w

ere

sepa

rate

d fr

om I

CE,

stil

l ha

d ac

tive

AD

EX a

ccou

nts

that

wer

e no

t rem

oved

upo

n th

eir t

erm

inat

ion/

trans

fer.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e pe

rfor

med

follo

w-u

p in

quiry

to d

eter

min

e th

e st

atus

of

this

wea

knes

s an

d le

arne

d th

at IC

E ha

s im

plem

ente

d a

com

pens

atin

g co

ntro

l th

at w

ill d

isab

le u

sers

acc

ount

af

ter

45 d

ays

of i

nact

ivity

to

miti

gate

the

con

trol

wea

knes

s. H

owev

er,

KPM

G f

ound

tha

t a

sepa

rate

d

Ensu

re im

plem

enta

tion

of th

e IC

E Ex

it C

lear

ance

D

irect

ive

whi

ch w

ill e

stab

lish

the

proc

ess

for

sepa

ratin

g em

ploy

ees,

both

Fe

dera

l an

d co

ntra

ctor

s, an

d fo

rmal

ize

a pr

oces

s to

ens

ure

that

se

para

ting

empl

oyee

s ha

ve th

eir

acce

ss to

all

ICE

info

rmat

ion

tech

nolo

gy sy

stem

s rem

oved

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

23

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

empl

oyee

’s a

ccou

nt w

as n

ot d

isab

led

in a

tim

ely

man

ner

as

the

acco

unt

was

ac

cess

ed

afte

r th

e em

ploy

ee’s

ter

min

atio

n da

te.

The

refo

re,

the

45-d

ay

win

dow

was

inap

prop

riate

ly d

elay

ed. I

n ad

ditio

n, w

e de

term

ined

that

DH

S ac

cess

con

trols

pol

icie

s ar

e no

t be

ing

follo

wed

as

user

s ar

e no

t pro

perly

iden

tifie

d an

d au

then

ticat

ed.

Bas

ed o

n IC

E m

anag

emen

t’s r

espo

nse

to th

is w

eakn

ess

“eith

er a

noth

er u

ser l

ogge

d on

as

the

term

inat

ed

user

or

In

form

atio

n Te

chno

logy

Fi

eld

Off

icer

(I

TFO

) lo

gged

in

us

ing

the

term

inat

ed

empl

oyee

’s c

rede

ntia

ls.”

IC

E-IT

-10

-07

Dur

ing

the

FY 2

010

finan

cial

stat

emen

t aud

it, K

PMG

de

term

ined

that

seve

ral p

hysi

cal a

nd e

nviro

nmen

tal

cont

rols

exi

st w

ithin

the

OC

S D

atac

ente

r. Sp

ecifi

cally

, w

e no

ted

the

follo

win

g:

�O

CS

Dat

a C

ente

r Ris

k A

sses

smen

t is n

ot

docu

men

ted.

�

Re-

entry

pro

cedu

res f

or p

erso

nnel

afte

r an

emer

genc

y ev

acua

tion

are

not d

ocum

ente

d.

�Fi

re su

ppre

ssio

n te

stin

g do

cum

enta

tion

is n

ot

mai

ntai

ned.

�

Wat

er d

amag

e w

as v

isib

le o

n th

e da

ta c

ente

r w

all w

here

FFM

S se

rver

s are

hou

sed

with

no

inci

dent

repo

rt of

the

even

t. �

UPS

test

ing

docu

men

tatio

n is

not

mai

ntai

ned.

As

of J

uly

2010

FFM

S ha

s be

en m

oved

fro

m th

e D

epar

tmen

t of

Com

mer

ce O

CS

to D

ata

Cen

ter

2 (D

C2)

. D

C2

will

be

revi

ewed

and

mon

itore

d to

en

sure

co

mpl

ianc

e w

ith

all

phys

ical

an

d da

ta

secu

rity

requ

irem

ents

.

X

2

ICE-

IT-

10-0

8 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

dete

rmin

ed th

at th

e en

viro

nmen

tal c

ontro

ls in

the

PCN

co

mpu

ter

room

nee

d im

prov

emen

t. Sp

ecifi

cally

, w

e fo

und

that

en

viro

nmen

tal

test

re

sults

ar

e no

t do

cum

ente

d an

d m

aint

aine

d fo

r the

follo

win

g de

vice

s:

AC

un

its,

fire

extin

guis

hers

, an

d ba

ck-u

p po

wer

su

pply

.

Ensu

re

that

en

viro

nmen

tal

syst

ems

(Hea

t V

entil

atio

n A

ir C

ondi

tione

r, fir

e ex

tingu

ishe

rs,

and

Uni

vers

al P

ower

Sup

ply)

are

tes

ted

annu

ally

w

ith te

st re

sults

mad

e av

aila

ble

for r

evie

w.

X

2

ICE-

IT-

10-0

9 So

cial

eng

inee

ring

is d

efin

ed a

s th

e ac

t of a

ttem

ptin

g to

man

ipul

ate

or d

ecei

ve p

eopl

e in

to t

akin

g ac

tion

that

is

in

cons

iste

nt

with

D

HS

polic

ies,

such

as

di

vulg

ing

sens

itive

info

rmat

ion

or a

llow

ing/

enab

ling

Soci

al

Engi

neer

ing

is

cove

red

in

the

Ann

ual

Info

rmat

ion

Ass

uran

ce

Aw

aren

ess

Trai

ning

(I

AA

T) –

whi

ch i

s a

requ

irem

ent

for

all

ICE

empl

oyee

s. T

he I

AA

T sh

ould

con

tinue

to

stre

ss

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

24

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

com

pute

r sy

stem

acc

ess.

The

term

typi

cally

app

lies

to

trick

ery

or

dece

ptio

n fo

r th

e pu

rpos

e of

in

form

atio

n ga

ther

ing,

or c

ompu

ter s

yste

m a

cces

s.

Dur

ing

the

cour

se o

f our

soci

al e

ngin

eerin

g te

st w

ork,

th

e ob

ject

ive

was

prim

arily

foc

used

on

atte

mpt

ing

to

iden

tify

user

ID

s an

d pa

ssw

ords

. P

osin

g as

DH

S te

chni

cal s

uppo

rt em

ploy

ees,

atte

mpt

s w

ere

mad

e to

ob

tain

this

type

of a

ccou

nt in

form

atio

n by

con

tact

ing

rand

omly

sel

ecte

d em

ploy

ees

by te

leph

one.

A s

crip

t w

as u

sed

to a

sk f

or a

ssis

tanc

e fr

om th

e IC

E us

er in

re

solv

ing

a ne

twor

k is

sue

in t

he c

ompo

nent

. F

or

each

per

son

we

atte

mpt

ed to

cal

l, w

e no

ted

whe

ther

th

e in

divi

dual

was

rea

ched

and

whe

ther

we

obta

ined

an

y in

form

atio

n fr

om th

em th

at s

houl

d no

t hav

e be

en

shar

ed w

ith u

s ac

cord

ing

to

DH

S po

licy.

Our

se

lect

ion

of d

esks

and

off

ices

was

not

sta

tistic

ally

de

rived

, and

ther

efor

e w

e ar

e un

able

to p

roje

ct re

sults

to

the

com

pone

nt o

r dep

artm

ent a

s a w

hole

.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e le

arne

d th

at

ICE

cont

inue

s to

pr

omot

e se

curit

y aw

aren

ess

train

ing

by d

istri

butin

g a

wee

kly

new

slet

ter

to

empl

oyee

s an

d co

ntra

ctor

s ab

out

secu

rity

awar

enes

s. H

owev

er, K

PMG

foun

d th

at th

e pr

ior y

ear

secu

rity

wea

knes

s stil

l exi

sts.

soci

al

engi

neer

ing

risks

an

d gr

eate

r ou

treac

h sh

ould

be

achi

eved

.

ICE-

IT-

10-1

0 W

e pe

rfor

med

afte

r-ho

urs

phys

ical

sec

urity

test

ing

to

iden

tify

risks

rel

ated

to

non-

tech

nica

l as

pect

s of

IT

secu

rity.

Th

ese

non-

tech

nica

l IT

sec

urity

asp

ects

in

clud

e ph

ysic

al

acce

ss

to

equi

pmen

t th

at

hous

es

finan

cial

dat

a an

d in

form

atio

n re

sidi

ng o

n an

IC

E em

ploy

ee’s

des

k w

hich

cou

ld b

e us

ed b

y ot

hers

to

inap

prop

riate

ly

acce

ss

finan

cial

in

form

atio

n.

The

test

ing

was

per

form

ed a

t va

rious

IC

E lo

catio

ns t

hat

proc

ess

and/

or m

aint

ain

com

pone

nt f

inan

cial

dat

a.

Afte

r ga

inin

g ac

cess

to

the

faci

litie

s vi

a an

IC

E

Secu

rity

Aw

aren

ess

is

cove

red

in

the

Ann

ual

IAA

T –

whi

ch

is

a re

quire

men

t fo

r al

l IC

E em

ploy

ees.

The

IA

AT

shou

ld c

ontin

ue t

o st

ress

se

curit

y aw

aren

ess

risks

an

d gr

eate

r ou

treac

h sh

ould

be

achi

eved

.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

25

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

empl

oyee

des

igna

ted

to a

ssis

t w

ith a

nd m

onito

r ou

r te

stw

ork,

we

insp

ecte

d a

rand

om s

elec

tion

of d

esks

an

d of

fices

lo

okin

g fo

r ite

ms

such

as

im

prop

er

prot

ectio

n of

sy

stem

us

er

nam

es

and

pass

wor

ds,

unse

cure

d in

form

atio

n sy

stem

ha

rdw

are,

do

cum

enta

tion

cont

aini

ng P

II o

r m

arke

d FO

UO

, and

un

lock

ed n

etw

ork

sess

ions

. O

ur s

elec

tion

of d

esks

an

d of

fices

was

not

sta

tistic

ally

der

ived

, and

ther

efor

e w

e ar

e un

able

to

proj

ect

resu

lts t

o th

e co

mpo

nent

or

depa

rtmen

t as

a w

hole

. Fo

r ea

ch lo

catio

n vi

site

d, w

e no

ted

the

type

of

unse

cure

d in

form

atio

n or

pro

perty

w

e id

entif

ied

and

incl

uded

the

tota

l exc

eptio

ns n

oted

by

loc

atio

n, a

s w

ell

as b

y ty

pe o

f in

form

atio

n or

pr

oper

ty id

entif

ied.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e le

arne

d th

at

ICE

cont

inue

s to

pr

omot

e se

curit

y aw

aren

ess

train

ing

and

dist

ribut

es a

wee

kly

new

slet

ter

to

empl

oyee

s an

d co

ntra

ctor

s ab

out

secu

rity

awar

enes

s. H

owev

er,

KPM

G f

ound

tha

t se

curit

y w

eakn

esse

s stil

l exi

st.

ICE-

IT-

10-1

1 In

FY

200

9, w

e fo

und

that

IC

E la

cked

pol

icie

s an

d pr

oced

ures

requ

iring

com

plet

ion

of a

trai

ning

pro

gram

by

per

sonn

el in

IT se

curit

y po

sitio

ns.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e le

arne

d th

at to

cor

rect

the

prio

r yea

r NFR

, IC

E fo

llow

s D

HS

4300

A

polic

y fo

r tra

inin

g pe

rson

nel

in

IT

secu

rity

posi

tions

, the

refo

re, t

his

porti

on o

f the

NFR

is

clos

ed.

How

ever

, dur

ing

our t

estw

ork

we

dete

rmin

ed

that

wea

knes

ses

still

exi

st o

ver

train

ing

pers

onne

l in

IT

sec

urity

pos

ition

s. S

peci

fical

ly, w

e de

term

ined

that

27

out

of 4

5 IT

sec

urity

per

sonn

el h

ave

not c

ompl

eted

sp

ecia

lized

trai

ning

.

OC

IO w

ill p

rovi

de m

anag

emen

t ov

ersi

ght

and

guid

ance

for

tra

inin

g pe

rson

nel

with

sig

nific

ant

resp

onsi

bilit

ies f

or in

form

atio

n se

curit

y.

X

2

ICE-

IT-

10-1

2 D

urin

g th

e FY

201

0 fin

anci

al st

atem

ent a

udit,

KPM

G

dete

rmin

ed th

at p

hysi

cal s

afeg

uard

wea

knes

ses e

xist

at

ICE

shou

ld e

nsur

e th

at r

e-en

try p

roce

dure

s ar

e pr

oper

ly d

ocum

ente

d at

the

Cla

rksv

ille

data

cen

ter

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

26

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

the

DC

2 da

tace

nter

. Sp

ecifi

cally

, we

dete

rmin

ed th

e fo

llow

ing:

�

Re-

entry

pro

cedu

res a

fter a

n em

erge

ncy

have

be

en im

plem

ente

d, h

owev

er, t

he p

roce

dure

s ar

e no

t doc

umen

ted.

�

FFM

S se

rver

is in

appr

opria

tely

mar

ked

with

a

labe

l tha

t ide

ntifi

es th

e ap

plic

atio

n/da

ta o

n th

e se

rver

.

and

mak

e ce

rtain

th

at

serv

ers

are

not

inap

prop

riate

ly id

entif

ied.

ICE-

IT-

10-1

3 D

urin

g K

PMG

’s

inte

rnal

vu

lner

abili

ty

asse

ssm

ent

effo

rts o

f IC

E’s

FFM

S ne

twor

k, s

erve

rs a

nd d

atab

ases

pe

rfor

med

in

Aug

ust

2010

, KPM

G i

dent

ified

sev

eral

H

igh/

M

ediu

m

Ris

k vu

lner

abili

ties,

rela

ted

to

conf

igur

atio

n m

anag

emen

t suc

h as

: �

Hot

St

andb

y R

oute

r Pr

otoc

ol

(HSR

P)

defa

ult

inst

alla

tion

on C

isco

rout

ers a

nd sw

itche

s �

Def

ault

“Ora

cle

List

ener

Pr

ogra

m

(tnsl

snr)

” se

rvic

e pa

ssw

ord

on se

rver

inst

alla

tion

�O

utda

ted

Mic

roso

ft O

pera

ting

Syst

ems

�B

onjo

ur (

also

kno

wn

as Z

eroC

onf

or m

DN

S)

liste

ning

pro

toco

l �

Rem

ote

web

ser

ver

HTM

L fo

rm f

ield

s tra

nsm

its

data

in c

lear

text

ICE

shou

ld t

ake

the

nece

ssar

y st

eps

to b

egin

ex

amin

ing

the

defa

ult

conf

igur

atio

n in

stal

latio

ns

and

syst

em s

ervi

ces

inst

alle

d on

FFM

S de

vice

s an

d de

term

ine

if th

e de

faul

t con

figur

atio

ns c

an b

e se

t to

incr

ease

FFM

S’s

secu

rity

or, i

n th

e ca

se o

f un

nece

ssar

y sy

stem

ser

vice

s, de

lete

d to

red

uce

FFM

S vu

lner

abili

ty to

atta

ck.

X

3

ICE-

IT-

10-1

4 D

urin

g K

PMG

’s

inte

rnal

vu

lner

abili

ty

asse

ssm

ent

effo

rts o

f IC

E’s

FFM

S ne

twor

k se

rver

s an

d da

taba

ses

perf

orm

ed i

n A

ugus

t 20

10, K

PMG

ide

ntifi

ed s

ever

al

Hig

h/ M

ediu

m R

isk

vuln

erab

ilitie

s, re

late

d to

sev

eral

co

nfig

urat

ion

and

patc

h m

anag

emen

t w

eakn

esse

s w

ithin

the

con

figur

atio

n of

the

FFM

S IC

E an

d C

IS

Ora

cle

data

base

inst

ance

s suc

h as

: �

Cle

ar te

xt p

assw

ords

stor

ed in

dat

abas

e �

Out

date

d pa

tche

s �

Tabl

e se

curit

y co

nfig

urat

ions

�

Use

r acc

ount

priv

ilege

s

ICE

shou

ld t

ake

the

nece

ssar

y st

eps

to b

egin

ap

plyi

ng t

he a

ppro

pria

te F

FMS

data

base

pat

ches

to

ens

ure

patc

h co

mpl

ianc

e.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

27

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

�Pa

ssw

ord

setti

ngs f

or u

sers

and

dat

abas

e

ICE-

IT-

10-1

5 D

urin

g K

PMG

’s

inte

rnal

vu

lner

abili

ty

asse

ssm

ent

effo

rts o

f IC

E’s

FFM

S ne

twor

k se

rver

s an

d da

taba

ses

perf

orm

ed i

n A

ugus

t 20

10, K

PMG

ide

ntifi

ed s

ever

al

Hig

h/ M

ediu

m R

isk

vuln

erab

ilitie

s, re

late

d to

mis

sing

or

inad

equa

te p

atch

es su

ch a

s:

�M

icro

soft

Patc

hes

�A

dobe

Rea

der

�A

pach

e To

mca

t �

Java

Run

time

Envi

ronm

ent (

JRE)

�

Ora

cle

Dat

abas

e (s

erve

r ins

talla

tion)

�

HP

Syst

em M

anag

emen

t �

Inte

rnet

Exp

lore

r �

MyS

QL

data

base

ICE

shou

ld t

ake

the

nece

ssar

y st

eps

to b

egin

ap

plyi

ng t

he a

ppro

pria

te F

FMS

patc

hes

to t

he

FFM

S ne

twor

k se

rver

s an

d da

taba

ses

to e

nsur

e pa

tch

com

plia

nce.

X

3

ICE-

IT-

10-1

6 D

urin

g K

PMG

’s

inte

rnal

vu

lner

abili

ty

asse

ssm

ent

effo

rts o

f IC

E’s

AD

EX n

etw

ork

serv

ers

and

devi

ces

perf

orm

ed in

Aug

ust 2

010,

KPM

G id

entif

ied

a de

faul

t in

stal

latio

n an

d co

nfig

urat

ions

for

the

HSR

P on

the

C

isco

rout

ers.

ICE

shou

ld e

nsur

e th

at p

assw

ord

conf

igur

atio

n se

tting

s are

pro

perly

and

eff

ectiv

ely

appl

ied.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

28

Appendix B


September 30, 2010



� Office of Financial Management � Office of Chief Information Officer


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Off

ice

of F

inan

cial

Man

agem

ent

Off

ice

of C

hief

Info

rmat

ion

Off

icer

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CO

NS-

IT-1

0-01

D

urin

g ou

r fo

llow

-up

on t

his

prio

r ye

ar i

ssue

, w

e no

ted

that

the

fol

low

ing

pass

wor

d co

nfig

urat

ions

for

th

e D

HS

Inte

rnet

dom

ain,

whi

ch c

ontro

ls a

cces

s to

the

DH

STIE

R a

nd C

FO V

isio

n, a

re n

ot i

n co

mpl

ianc

e w

ith D

HS

4300

A re

quire

men

ts:

�Th

e ac

coun

t loc

kout

cou

nter

is c

onfig

ured

to re

set

afte

r 30

min

utes

rath

er th

an (2

4 ho

urs

as re

quire

d by

DH

S po

licy;

and

�

Wor

ksta

tion

idle

se

ssio

ns

term

inat

ion

is

conf

igur

ed t

o lo

ck w

orks

tatio

ns a

fter

15 m

inut

es

of i

nact

ivity

rat

her

than

5 a

s re

quire

d by

DH

S po

licy.

We

reco

mm

end

that

D

HSN

ET

logi

cal

acce

ss

conf

igur

atio

n be

al

igne

d w

ith

DH

S 43

00A

re

quire

men

ts

conc

erni

ng

acco

unt

lock

out

and

wor

ksta

tion

idle

sess

ion

term

inat

ion.

X

1

OC

IO-

IT-1

0-01

D

HS

is i

n th

e pr

oces

s of

bec

omin

g fu

lly c

ompl

iant

w

ith th

e Fe

dera

l Des

ktop

Cor

e C

onfig

urat

ion

(FD

CC

) se

curit

y co

nfig

urat

ions

. Ea

ch D

HS

com

pone

nt a

genc

y ha

s be

gun

test

ing

or im

plem

entin

g th

e FD

CC

sec

urity

co

nfig

urat

ions

; how

ever

, ful

l com

plia

nce

with

FD

CC

se

curit

y co

nfig

urat

ions

for a

ll D

HS

com

pone

nts

is n

ot

plan

ned

to b

e co

mpl

eted

unt

il th

e en

d of

FY

201

1.

We

reco

mm

end

that

the

DH

S O

CIO

: �

Fina

lize

the

DH

S H

arde

ning

G

uide

s fo

r W

indo

ws

desk

top

oper

atin

g sy

stem

s an

d di

strib

ute

them

to a

ll D

HS

com

pone

nt a

genc

ies.

�C

ontin

ue

with

th

e fu

ll im

plem

enta

tion

of

FDC

C s

ecur

ity c

onfig

urat

ions

acr

oss

all

DH

S co

mpo

nent

age

ncie

s.

X

2

OC

IO-

IT-1

0-02

D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t, w

e no

ted

two

wea

knes

ses

with

in D

HS

polic

ies

that

req

uire

fur

ther

ev

alua

tion

and

clar

ifica

tion.

Th

e fo

llow

ing

obse

rvat

ions

w

ere

note

d fo

r m

anag

emen

t co

nsid

erat

ion

over

acc

ess

to P

II a

nd S

egre

gatio

n of

D

utie

s prin

cipl

es:

�D

HS

Sens

itive

Sys

tem

s Po

licy

(DH

S M

D 4

300A

Se

ctio

n 3.

14.1

) re

fers

to

the

DH

S H

andb

ook

for

Safe

guar

ding

Sen

sitiv

e PI

I. W

e fo

und

that

sect

ion

2.4.

4 is

too

broa

d w

hen

asse

ssin

g th

at w

hen

PII i

s

DH

S sh

ould

re

vise

th

e D

HS

Han

dboo

k fo

r Sa

fegu

ardi

ng S

ensi

tive

PII t

o cl

arify

that

acc

ess

to

PII b

e re

stric

ted

to th

ose

with

a n

eed

to k

now

.

DH

S sh

ould

re

vise

D

HS

4300

A

Polic

y an

d H

andb

ook,

7.1

.1, S

ectio

n 5.

3 A

uditi

ng, t

o cl

arify

th

at t

he r

evie

w o

f lo

gs s

houl

d be

ind

epen

dent

ad

herin

g to

segr

egat

ion

of d

utie

s prin

cipl

es.

X

1

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

30

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

phys

ical

ly s

ecur

e; a

ll st

aff

with

acc

ess

to t

he

wor

kspa

ce h

ave

a “n

eed

to k

now

” an

d ca

n ac

cess

th

e PI

I. �

A v

iola

tion

of s

egre

gatio

n of

dut

ies

exis

ts w

ithin

th

e D

HS

4300

A S

ectio

n V

ersi

on 7

.1.1

, Se

ctio

n 5.

3 A

uditi

ng.

The

polic

y al

low

s th

e sy

stem

ad

min

istra

tor

to

revi

ew

the

audi

t re

cord

s fo

r fin

anci

al

syst

ems

or

for

syst

ems

host

ing

or

proc

essi

ng P

II o

n a

mon

thly

bas

is.

The

revi

ew o

f th

e au

dit l

ogs

shou

ld b

e in

depe

nden

t (e.

g., s

yste

m

adm

inis

trato

r of

a s

epar

ate

appl

icat

ion,

sec

urity

ad

min

istra

tor)

si

nce

the

syst

em

adm

inis

trato

r ty

pica

lly h

as fu

ll ac

cess

righ

ts a

nd th

e au

thor

ity to

m

ake

chan

ges

to

the

syst

em

that

m

ay

go

unno

ticed

.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

31

Appendix B


September 30, 2010



� Transportation Security Administration


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Tra

nspo

rtat

ion

Secu

rity

Adm

inis

trat

ion

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

TSA

-IT-

10-0

1 To

com

plem

ent o

ur I

T au

dit t

estin

g ef

forts

as

part

of th

e FY

20

10

DH

S In

tegr

ated

A

udit,

w

e al

so

perf

orm

ed

soci

al

engi

neer

ing

and

afte

r ho

urs

phys

ical

sec

urity

test

ing

Dur

ing

our t

estin

g w

e id

entif

ied

the

follo

win

g

Dur

ing

our a

fter-

hour

s ph

ysic

al s

ecur

ity te

stin

g, w

e id

entif

ied

one

inst

ance

of a

n un

secu

red

lapt

op c

ompu

ter;

Dur

ing

our s

ocia

l eng

inee

ring

test

ing,

we

wer

e pr

ovid

ed w

ith

thre

e us

er’s

pas

swor

ds.

We

reco

mm

end

TSA

in th

e ar

ea o

f phy

sica

l Se

curit

y to

: �

Con

tinue

to

ex

ecut

e th

e IT

Se

curit

y A

war

enes

s Tra

inin

g pr

ogra

m;

�C

ondu

ct

inte

rnal

Ph

ysic

al

Secu

rity

wal

kthr

ough

on

a bi

-ann

ual b

asis

; �

Con

duct

one

-on-

one

train

ing

with

ind

ivid

uals

fa

iling

phy

sica

l sec

urity

afte

r-ho

urs t

estin

g;

�Ta

ke a

dmin

istra

tive

actio

ns,

if ne

eded

, on

a

case

-by-

case

bas

is; a

nd

�TS

A w

ill c

ondu

ct a

com

mun

icat

ions

cam

paig

n to

add

ress

the

effe

cts

of im

prop

er h

andl

ing

of

Phys

ical

Sec

urity

.

We

reco

mm

end

TSA

in

th

e ar

ea

of

soci

al

engi

neer

ing

to:

�C

ontin

ue

to

exec

ute

the

IT

Secu

rity

Aw

aren

ess T

rain

ing

prog

ram

; �

Con

duct

inte

rnal

Soc

ial E

ngin

eerin

g te

stin

g on

a

quar

terly

bas

is;

�C

ondu

ct o

ne-o

n-on

e tra

inin

g w

ith i

ndiv

idua

ls

faili

ng so

cial

eng

inee

ring

atte

mpt

s. �

TSA

w

ill

take

ad

min

istra

tive

actio

ns,

if ne

eded

, on

a ca

se-b

y-ca

se b

asis

. �

TSA

will

con

duct

a c

omm

unic

atio

ns c

ampa

ign

via

broa

dcas

t w

arni

ng

agai

nst

soci

al

engi

neer

ing.

X

1

TSA

-IT-

10-0

2 C

ore

Acco

untin

g Sy

stem

(C

AS)

& F

inan

cial

Pro

cure

men

t D

eskt

op (F

PD)

Dur

ing

our

FY 2

010

IT t

est

wor

k, w

e de

term

ined

tha

t TS

A

had

crea

ted

an In

tern

al S

tand

ard

Ope

ratin

g Pr

oced

ure

(ISO

P)

We

reco

mm

end

TSA

to

ta

ke

the

follo

win

g co

rrec

tive

actio

ns:

CA

S/FP

D:

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

33

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

to d

etai

l how

qua

rterly

acc

ess

revi

ews

wer

e to

be

perf

orm

ed.

We

com

pare

d a

listin

g of

TSA

CA

S an

d FP

D u

sers

to

the

mas

ter l

istin

g of

use

rs w

ho n

eede

d m

odifi

catio

ns o

r del

etio

ns

for t

hree

qua

rters

(Q1,

Q2,

and

Q3)

. W

e di

d no

t ide

ntify

any

ex

cept

ions

for

Q1

and

Q2;

how

ever

, for

the

3rd q

uarte

r, on

e C

AS

user

was

not

del

eted

or m

odifi

ed w

ithin

50

days

afte

r the

en

d of

the

com

plet

ion

of t

he 3

rd q

uarte

r. I

n ad

ditio

n, w

e no

ted

115

FPD

use

rs w

ere

not d

elet

ed o

r mod

ified

with

in 5

1 da

ys a

fter t

he c

ompl

etio

n of

the

3rd

quar

ter.

Sunf

low

er

Dur

ing

our F

Y 2

010

test

wor

k, w

e de

term

ined

that

the

Off

ice

of P

rope

rty M

anag

emen

t (O

PM)

perf

orm

s m

onth

ly a

cces

s re

view

s ov

er S

unflo

wer

use

r ac

coun

ts.

OPM

run

s th

ree

Sunf

low

er r

epor

ts e

ach

mon

th,

and

the

Dep

uty

Prop

erty

M

anag

emen

t O

ffic

ials

(D

PMO

s) a

nd O

PM A

cces

s M

anag

er

revi

ew th

e re

ports

and

pro

vide

dat

es a

nd in

itial

s by

eac

h us

er

revi

ewed

. H

owev

er,

for

the

thre

e m

onth

s sa

mpl

ed,

we

dete

rmin

ed

that

th

ree

Sunf

low

er

user

s, w

ho

had

upda

te

priv

ilege

s, ha

d no

t ha

d th

eir

acce

ss r

emov

ed i

n a

timel

y m

anne

r. A

ll us

ers

wer

e re

view

ed i

n Ja

nuar

y, b

ut t

wo

wer

e no

t rem

oved

unt

il Ju

ly, a

nd th

e ot

her

user

was

not

rem

oved

un

til A

ugus

t.

�H

ave

FIN

CEN

upd

ate

its h

elpd

esk

proc

edur

es

to p

rovi

de t

he c

orre

ct g

uide

lines

so

that

its

he

lpde

sk s

taff

will

no

long

er g

rant

add

ition

al

Stan

dard

FPD

role

s th

at w

ere

not r

eque

sted

on

Acc

ount

Acc

ess

Req

uest

(A

AR

). TS

A s

houl

d cl

osel

y m

onito

r th

e re

ques

ts i

mpl

emen

ted

by

FIN

CEN

to e

nsur

e th

at th

e up

date

d pr

oced

ures

ar

e be

ing

follo

wed

. �

TSA

sho

uld

impr

ove

the

timel

ine

and

proc

ess

of i

ts Q

uarte

rly R

evie

w.

TSA

sho

uld

upda

te

its

proc

edur

es

to

mon

itor

the

timel

ines

s, ac

cura

cy a

nd q

ualit

y of

the

Qua

lity

Rev

iew

pr

oces

s.

a.

Upd

ate

Qua

rterly

Rev

iew

ISO

P to

ad

d th

e ex

pect

ed

timel

ine

to

com

plet

e th

e qu

arte

rly re

view

. b.

C

ondu

ct

timel

y fo

llow

-up

and

revi

ew

of

the

actu

al

FIN

CEN

im

plem

enta

tion

of t

he A

AR

s to

en

sure

th

at

the

AA

Rs

wer

e im

plem

ente

d as

requ

este

d.

�TS

A s

houl

d w

ork

with

FIN

CEN

to

iden

tify

and

impl

emen

t the

bes

t sol

utio

n to

rem

ove

the

one

Sunf

low

er ro

le fr

om th

e us

er’s

pro

file.

�

TSA

sho

uld

wor

k w

ith F

INC

EN t

o re

sear

ch

and

iden

tify

optio

ns to

enh

ance

the

auto

mat

ed

AA

R p

roce

ss.

Sunf

low

er:

�TS

A w

ill p

rovi

de m

ore

train

ing

and

over

sigh

t fo

r an

y ne

w a

cces

s m

anag

er t

o en

sure

the

pr

oces

s is t

horo

ughl

y fo

llow

ed.

�TS

A w

ill c

lose

ly m

onito

r an

d fo

llow

-up

with

FI

NC

EN t

o en

sure

req

uest

s ar

e im

plem

ente

d tim

ely

and

corr

ectly

.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

34

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

�TS

A

will

re

view

an

d id

entif

y al

tern

ate

repo

rting

pr

oces

ses

in

case

s of

te

chni

cal

diff

icul

ties

whe

re s

uper

viso

rs c

anno

t ac

cess

th

e m

aste

r file

s on

Shar

ePoi

nt.

TSA

-IT-

10-0

3 D

urin

g ou

r FY

201

0 au

dit t

est w

ork,

we

sele

cted

a s

ampl

e of

th

e fo

llow

ing

form

s re

quire

d by

the

TSA

dire

ctiv

e an

d de

term

ined

the

follo

win

g:

�Fo

rm 1

403

Com

pute

r A

cces

s A

gree

men

t: Pe

r th

e TS

A

IT

Secu

rity

Polic

y H

andb

ook,

al

l TS

A

pers

onne

l, in

clud

ing

cont

ract

ors,

are

requ

ired

to r

evie

w a

nd s

ign

Form

14

03:

Com

pute

r A

cces

s A

gree

men

t up

on

com

men

cem

ent

of w

orki

ng f

or t

he a

genc

y.

Our

tes

ting

note

d th

at o

f th

e fiv

e fo

rms

sam

pled

, on

e fo

rm w

as

com

plet

ed o

ne m

onth

afte

r the

use

r was

gra

nted

acc

ess

to

a TS

A sy

stem

.

We

reco

mm

end

that

TS

A

take

th

e fo

llow

ing

corr

ectiv

e ac

tion:

Su

perv

isor

s an

d C

ontra

ctin

g O

ffic

er’s

Tec

hnic

al

Rep

rese

ntat

ives

w

ithin

ea

ch

prog

ram

of

fice

in

TSA

sho

uld

ensu

re, a

s re

quire

d by

the

IT S

ecur

ity

Polic

y H

andb

ook,

that

evi

denc

e be

mai

ntai

ned

on

file

for

each

TSA

em

ploy

ee a

nd c

ontra

ctor

the

C

ompu

ter A

cces

s A

gree

men

t for

m, s

igne

d pr

ior t

o an

y fin

anci

al sy

stem

acc

ess i

s gra

nted

.

X

1

TSA

-IT-

10-0

4 D

urin

g th

e FY

201

0 IT

aud

it, w

e de

term

ined

tha

t TS

A h

as

fully

im

plem

ente

d th

e TS

A I

SOP:

Pro

cess

for

Val

idat

ion

of

Con

trols

ove

r the

USC

G S

crip

t Pro

cess

to m

onito

r scr

ipts

run

at F

INC

EN.

Spec

ifica

lly,

we

note

d th

at

TSA

ha

s im

plem

ente

d an

ex

tens

ive

revi

ew o

f the

scr

ipts

that

impa

ct T

SA o

n a

wee

kly,

m

onth

ly, q

uarte

rly a

nd a

d ho

c ba

sis.

Add

ition

ally

, a b

asel

ine

revi

ew w

as p

erfo

rmed

to e

nsur

e th

at a

ll sc

ripts

that

wer

e ru

n in

pro

duct

ion

prio

r to

4/1

/201

0, t

his

was

app

roxi

mat

ely

160

scrip

ts a

nd th

at th

ey w

ere

revi

ewed

for

thei

r pu

rpos

e an

d th

e fin

anci

al im

pact

of t

he s

crip

ts w

ere

unde

rsto

od b

y th

e va

rious

st

akeh

olde

rs in

the

scrip

t rev

iew

pro

cess

, whi

ch in

clud

ed th

e Sc

ript

Tech

nica

l Le

ad,

Scrip

t M

odul

e Le

ads

(SM

Ls),

and

Subj

ect

Mat

ter

Expe

rts (

SMEs

). A

ny s

crip

t th

at w

as n

ot

incl

uded

in th

e ba

selin

e re

view

was

con

side

red

new

and

was

in

clud

ed in

the

wee

kly,

mon

thly

, qua

rterly

and

ad

hoc

revi

ew

proc

ess.

The

rev

iew

s co

nduc

ted

by T

SA in

clud

ed v

alid

atio

n an

d ve

rific

atio

n st

eps

to e

nsur

e th

at t

he C

oast

Gua

rd i

s pr

oper

ly t

rack

ing

the

TSA

scr

ipts

and

tha

t th

ose

scrip

ts g

o th

roug

h th

e pr

oper

con

figur

atio

n m

anag

emen

t pro

cess

es.

We

reco

mm

end

that

TSA

wor

k w

ith t

he D

HS

Chi

ef

Fina

ncia

l O

ffic

er

and

the

DH

S C

hief

In

form

atio

n O

ffic

er t

o en

sure

tha

t C

oast

Gua

rd

Hea

dqua

rters

' com

plet

es, i

n a

timel

y m

anne

r, th

e pl

anne

d co

rrec

tive

actio

ns to

: �

Upd

ate

the

scrip

ting

polic

ies

and

proc

edur

es

to i

nclu

de a

dditi

onal

and

mor

e de

taile

d te

st

docu

men

tatio

n;

�D

evel

op tr

aini

ng th

at a

ddre

sses

all

aspe

cts

of

scrip

t tes

ting

(incl

udin

g do

cum

enta

tion

of te

st

docu

men

ts)

and

prov

ide

train

ing

to

appr

opria

te C

M st

aff;

�D

evel

op a

n R

P w

ith a

ssoc

iate

d su

ppor

ting

busi

ness

cas

e(s)

to a

ddre

ss th

e da

taba

se a

udit

logg

ing

requ

irem

ents

; �

Dev

elop

pr

oced

ures

an

d pe

rfor

m

regu

lar

acco

unt

reva

lidat

ion

for

Sere

na

to

ensu

re

priv

ilege

s rem

ain

appr

opria

te; a

nd

�C

ondu

ct

an

asse

ssm

ent

over

th

e IC

FOR

pr

oces

s re

late

d to

ide

ntify

ing

and

eval

uatin

g

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

35

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

We

note

d no

exc

eptio

ns d

urin

g ou

r tes

ting

of th

e TS

A S

crip

t C

onfig

urat

ion

Man

agem

ent O

vers

ight

Pro

cess

.

Con

figur

atio

n M

anag

emen

t C

ontro

ls O

ver

the

Coa

st G

uard

Sc

riptin

g Pr

oces

s

The

anal

ysis

co

nduc

ted

over

th

e C

oast

G

uard

sc

ript

conf

igur

atio

n m

anag

emen

t pro

cess

ref

lect

s th

e as

sess

men

t of

the

cont

rol

envi

ronm

ent

for

the

entir

e fis

cal

year

. W

eakn

esse

s id

entif

ied

over

the

proc

ess

are

risks

that

exi

sted

in

the

env

ironm

ent

from

Oct

ober

200

9 to

Sep

tem

ber

2010

un

less

oth

erw

ise

note

d.

�B

ased

upo

n fo

llow

-up

test

wor

k pe

rfor

med

in F

Y 2

010,

w

e de

term

ined

tha

t so

me

prev

ious

ly n

oted

wea

knes

ses

wer

e re

med

iate

d (p

artic

ular

ly i

n th

e se

cond

hal

f of

FY

20

10),

whi

le o

ther

con

trol d

efic

ienc

ies

cont

inue

d to

exi

st.

The

rem

aini

ng c

ontro

l de

ficie

ncie

s th

at w

ere

pres

ent

thro

ugho

ut F

Y 2

010

vary

in s

igni

fican

ce, h

owev

er th

ree

key

area

s th

at i

mpa

ct t

he C

oast

Gua

rd S

crip

t co

ntro

l en

viro

nmen

t ar

e:

1) S

crip

t Te

stin

g R

equi

rem

ents

, 2)

Sc

ript T

estin

g En

viro

nmen

t, an

d 3)

Scr

ipt A

udit

Logg

ing

Proc

ess.

-Sc

ript

Test

ing

Req

uire

men

ts:

Lim

ited

test

ing

requ

irem

ents

exi

st t

o gu

ide

FIN

CEN

sta

ff i

n th

e de

velo

pmen

t of

tes

t pl

ans

and

guid

ance

ove

r th

e fu

nctio

nal

test

ing

that

sh

ould

be

pe

rfor

med

. A

dditi

onal

ly,

we

dete

rmin

ed

that

th

ere

are

no

deta

iled

requ

irem

ents

ove

r th

e re

view

and

test

ing

of

func

tiona

l cha

nges

to th

e da

ta.

FIN

CEN

onl

y tra

cks

and

docu

men

ts t

he n

umbe

r of

tra

nsac

tions

upd

ated

on

scr

ipts

tha

t ha

ve a

fin

anci

al i

mpa

ct a

nd n

ot t

he

deta

iled

dolla

r am

ount

s as

soci

ated

with

the

finan

cial

im

pact

tran

sact

ions

.

scrip

ts th

at h

ave

a fin

anci

al s

tate

men

t im

pact

. Th

is

asse

ssm

ent

can

be

incl

uded

in

th

e C

onfig

urat

ion

Man

agem

ent O

vers

ight

Pro

cess

as

par

t of

Coa

st G

uard

’s a

nnua

l A-1

23 e

ffor

ts

or

perf

orm

ed

inde

pend

ent

of

the

A-1

23

proc

ess.

We

reco

mm

end

that

this

ass

essm

ent

(1) b

e pe

rfor

med

ear

ly in

the

FY 2

011,

in ti

me

to re

med

iate

def

icie

ncie

s be

fore

the

end

of th

e th

ird

quar

ter,

and

(2)

invo

lve

proc

ess

docu

men

tatio

n an

d su

ffic

ient

tes

ting

to f

ully

as

sess

bot

h de

sign

and

ope

ratin

g ef

fect

iven

ess

of c

ontro

ls.

The

obj

ectiv

e be

ing

to h

ave

a re

liabl

e pr

oces

s an

d in

tern

al c

ontro

ls in

pla

ce

that

allo

w th

e au

dito

r to

test

, and

rely

on

thos

e co

ntro

ls, d

urin

g th

e fo

urth

qua

rter o

f FY

201

1.

TSA

Spe

cific

Rec

omm

enda

tion:

Con

tinue

to

co

nduc

t an

as

sess

men

t ov

er

the

ICFO

R

proc

ess

rela

ted

to

iden

tifyi

ng

and

eval

uatin

g sc

ripts

tha

t ha

ve a

fin

anci

al s

tate

men

t im

pact

.

Find

ings

w

ill

be

com

mun

icat

ed

and

coor

dina

ted

with

USC

G,

as a

ppro

pria

te.

Thi

s as

sess

men

t ca

n be

inc

lude

d in

the

tes

ting

of t

he

TSA

Scr

ipt C

onfig

urat

ion

Man

agem

ent O

vers

ight

Pr

oces

s as

par

t of

TSA

’s a

nnua

l A

-123

eff

orts

. Fu

rther

, we

reco

mm

end

that

this

ass

essm

ent (

1) b

e pe

rfor

med

ea

rly

in

the

FY

2011

, in

tim

e to

re

med

iate

def

icie

ncie

s be

fore

the

end

of th

e th

ird

quar

ter,

and

(2)

invo

lve

proc

ess

docu

men

tatio

n an

d su

ffic

ient

tes

ting

to f

ully

ass

ess

both

des

ign

and

oper

atin

g ef

fect

iven

ess

of

cont

rols

.

The

obje

ctiv

e be

ing

to h

ave

a re

liabl

e pr

oces

s an

d in

tern

al c

ontro

ls in

pla

ce th

at a

llow

the

audi

tor

to

test

, and

rel

y on

thos

e co

ntro

ls, d

urin

g th

e fo

urth

qu

arte

r of F

Y 2

011.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

36

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

-Sc

ript T

estin

g En

viro

nmen

t: N

ot a

ll sc

ript c

hang

es

wer

e te

sted

in

th

e ap

prop

riate

C

AS

Suite

te

st

envi

ronm

ents

as

requ

ired.

FI

NC

EN m

anag

emen

t in

form

ed u

s th

at th

e te

stin

g en

viro

nmen

ts, C

AS4

and

LU

FSFQ

T3, w

ere

offli

ne fo

r the

se e

xcep

tions

due

to

a re

fres

h of

the

data

base

s an

d th

at te

ster

s us

ed C

AS3

an

d A

lpha

as

alte

rnat

e te

stin

g en

viro

nmen

ts in

stea

d.

How

ever

, FI

NC

EN m

anag

emen

t in

form

ed K

PMG

th

at

thes

e en

viro

nmen

ts

are

refr

eshe

d on

an

as

ne

eded

bas

is a

nd n

o fu

rther

inf

orm

atio

n co

uld

be

prov

ided

ove

r ho

w f

requ

ently

the

CA

S3 a

nd A

lpha

da

taba

ses

wer

e re

fres

hed

to v

erify

tha

t th

e sc

ripts

w

ere

adeq

uate

ly

test

ed

in

the

appr

opria

te

envi

ronm

ent.

Fu

rther

mor

e,

we

dete

rmin

ed

that

gu

idan

ce i

s no

t pr

ovid

ed o

ver

the

use

of a

ltern

ate

test

ing

envi

ronm

ents

for

the

tes

ting

of s

crip

ts t

o en

sure

they

are

ade

quat

ely

test

ed.

-Sc

ript A

udit

Logg

ing

Proc

ess:

The

CA

S, F

PD, a

nd

Sunf

low

er d

atab

ases

are

logg

ing

chan

ges

to ta

bles

as

wel

l as

su

cces

sful

an

d un

succ

essf

ul

logi

ns.

How

ever

, no

rec

onci

liatio

n be

twee

n th

e sc

ripts

run

an

d th

e ch

ange

s m

ade

to th

e da

taba

se ta

bles

is b

eing

pe

rfor

med

to m

onito

r the

scr

ipt a

ctiv

ities

and

ens

ure

that

all

scrip

ts r

un h

ave

been

app

rove

d th

roug

h ch

ange

m

anag

emen

t sc

ript

syst

em

(CM

SS)

or

Sere

na.

In a

dditi

on, w

e no

ted

that

FIN

CEN

has

not

es

tabl

ishe

d a

form

al p

roce

ss t

o m

onito

r an

d re

view

ch

ange

s m

ade

to t

he S

unflo

wer

dat

abas

e in

clud

ing

the

tabl

es a

nd a

ctiv

ities

mod

ified

by

the

data

base

ad

min

istra

tors

.

Inte

rnal

C

ontro

l O

ver

Fina

ncia

l R

epor

ting

– Fi

nanc

ial

Stat

emen

t Im

pact

.

The

USC

G h

as e

stab

lishe

d ce

rtain

pro

cess

es t

o id

entif

y an

d as

sess

the

val

idity

of

scrip

ts t

hat

may

hav

e a

finan

cial

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

37

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

stat

emen

t im

pact

[o

n bo

th

USC

G

and

TSA

fin

anci

al

stat

emen

ts].

Thi

s pr

oces

s is

per

form

ed b

y on

e pr

imar

y in

divi

dual

, an

d tw

o id

entif

ied

back

up

pers

onne

l, w

ho

perf

orm

s a

revi

ew o

f th

e sc

ript

for

accu

racy

and

pro

prie

ty,

prov

ides

fee

dbac

k to

the

sour

ce, a

nd u

ltim

atel

y ap

prov

es th

e ap

plic

atio

n. T

his

proc

ess

has

certa

in c

ontro

l def

icie

ncie

s th

at

have

bee

n co

mm

unic

ated

to

USC

G (

see

NFR

# C

G-I

T-10

-05

), w

hich

hav

e le

ad,

in p

art,

to T

SA’s

ado

ptio

n of

cer

tain

re

dund

ant

cont

rols

to

re

view

TS

A

scrip

ts

for

prop

riety

. Fu

rther

mor

e, t

he r

atio

nale

doc

umen

ting

the

impa

ct o

f th

e sc

ript,

whe

ther

dee

med

as

havi

ng f

inan

cial

impa

ct o

r no

t, is

no

t do

cum

ente

d an

d re

tain

ed.

In

addi

tion,

with

in t

he C

AS

Suite

env

ironm

ent,

ther

e ar

e ov

er 2

00 s

crip

ts ru

n on

a w

eekl

y ba

sis.

Dur

ing

FY 2

010,

thr

ough

thi

s re

view

TSA

has

di

scov

ered

var

ious

err

ors

that

USC

G w

as re

quire

d to

cor

rect

. Th

e ex

cept

ions

not

ed b

y TS

A a

re in

dica

tive

of w

eakn

esse

s in

th

e U

SCG

pro

cess

.

We

also

co

nsid

er

this

co

ntro

l as

pect

to

be

pr

inci

pally

im

porta

nt

for

TSA

to

m

onito

r C

oast

G

uard

’s

corr

ectiv

e ac

tions

tak

en.

In a

dditi

on, T

SA s

houl

d co

nsid

er, a

s pa

rt of

th

eir

annu

al A

-123

eff

orts

, ad

ding

the

ir ow

n A

-123

tes

ting

proc

edur

es in

iden

tifyi

ng a

nd e

valu

atin

g th

e fin

anci

al im

pact

of

TSA

scrip

ting

at th

e C

oast

Gua

rd.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

38

Appendix B


September 30, 2010

Department of Homeland Security FY 2010 Information Technology

Notification of Findings and Recommendations – Detail

� United States Citizenship and Immigration Services


App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Not

ice

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

Uni

ted

Stat

es C

itize

nshi

p an

d Im

mig

ratio

n Se

rvic

es

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

CIS

-IT-

10-0

1 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

the

acce

ss r

oles

at t

he

Nat

iona

l B

enef

its C

ente

r (N

BC

) fo

r C

LAIM

S3 L

AN

ha

ve n

ot b

e de

fined

and

doc

umen

ted.

U

SCIS

has

be

gun

som

e co

rrec

tive

actio

n; h

owev

er,

thes

e is

sues

ha

ve n

ot b

een

fully

rem

edia

ted.

The

USC

IS O

ffic

e of

Info

rmat

ion

Tech

nolo

gy w

ill

final

ize

the

CLA

IMS

3 LA

N

Acc

ount

M

anag

emen

t Pr

oced

ures

th

at

addr

ess

acco

unt

iden

tific

atio

n,

set-u

p,

rece

rtific

atio

n,

and

term

inat

ion

and

acce

ss r

eque

st f

orm

mai

nten

ance

. Th

ese

proc

edur

es re

flect

how

all

CLA

IMS

3 LA

N

acco

unts

will

be

man

aged

at

each

fac

ility

tha

t ut

ilize

s the

CLA

IMS

3 LA

N.

X

3

CIS

-IT-

10-0

2 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

the

wea

knes

s ha

s no

t be

en r

emed

iate

d fo

r C

LAIM

S3 L

AN

per

iodi

c us

er

acce

ss r

evie

ws.

USC

IS h

as b

egun

som

e co

rrec

tive

actio

n; h

owev

er,

thes

e is

sues

hav

e no

t be

en f

ully

re

med

iate

d.

The

USC

IS O

IT w

ill c

ontin

ue to

revi

ew C

LAIM

S 3

LAN

acc

ount

s fo

r th

ose

that

hav

e be

en in

activ

e fo

r 45

day

s m

anua

lly a

nd t

o re

mov

e us

er’s

tha

t ap

pear

on

th

e O

ffic

e of

H

uman

C

apita

l an

d Tr

aini

ng (

HC

T) a

ttriti

on b

i-wee

kly

list.

OIT

will

fin

aliz

e th

e C

LAIM

S 3

LAN

A

ccou

nt

Man

agem

ent

Proc

edur

es

that

ad

dres

s ac

coun

t id

entif

icat

ion,

se

t-up,

re

certi

ficat

ion,

an

d te

rmin

atio

n an

d ac

cess

req

uest

form

mai

nten

ance

. O

IT w

ill c

ontin

ue to

wor

k w

ith th

e O

IT A

ccou

nt

Man

agem

ent

Gro

up,

the

IT P

roje

ct M

anag

er a

nd

each

inst

alla

tion

site

to r

ecer

tify

CLA

IMS

3 LA

N

acco

unts

and

ens

ure

a cu

rren

t an

d va

lid a

cces

s re

ques

t for

m i

s fil

ed.

OIT

will

con

tinue

to w

ork

with

HC

T to

ens

ure

thei

r ex

it cl

eara

nce

proc

ess

incl

udes

pro

cedu

res

to p

rom

ptly

not

ify O

IT w

hen

empl

oyee

s le

ave

or tr

ansf

er.

OIT

will

als

o fin

aliz

e th

e U

SCIS

Acc

ount

Man

agem

ent,

Man

agem

ent

Dire

ctiv

e (A

genc

y Po

licy)

.

X

3

CIS

-IT-

10-0

3 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

e pr

ior y

ear N

FR a

nd le

arne

d th

at th

e w

eakn

ess

still

ex

ist

for

inco

mpl

ete

or i

nade

quat

e ac

cess

req

uest

fo

rms

for

CLA

IMS

3 LA

N a

nd C

LAIM

S 4.

U

SCIS

The

USC

IS O

IT w

ill fi

naliz

e th

e C

LAIM

S 3

LAN

an

d C

LAIM

S 4

Acc

ount

Man

agem

ent P

roce

dure

s th

at

addr

ess

acco

unt

iden

tific

atio

n,

set-u

p,

rece

rtific

atio

n, a

nd te

rmin

atio

n an

d ac

cess

req

uest

fo

rm m

aint

enan

ce.

OIT

will

con

tinue

to

wor

k

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

40

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

has

begu

n so

me

corr

ectiv

e ac

tion;

how

ever

, th

ese

issu

es h

ave

not b

een

fully

rem

edia

ted.

w

ith th

e O

IT A

ccou

nt M

anag

emen

t Gro

up, t

he IT

Pr

ojec

t M

anag

er

and

each

in

stal

latio

n si

te

to

rece

rtify

C

LAIM

S 3

LAN

an

d C

LAIM

S 4

acco

unts

and

ens

ure

a cu

rren

t an

d va

lid a

cces

s re

ques

t for

m is

file

d.

CIS

-IT-

10-0

4 In

FY

200

9, K

PMG

per

form

ed a

n in

spec

tion

of a

sa

mpl

e of

per

sonn

el t

hat

had

term

inat

ed/tr

ansf

erre

d fr

om th

eir

empl

oym

ent w

ith U

SCIS

dur

ing

the

fisca

l ye

ar.

KPM

G r

eque

sted

evi

denc

e th

at e

xit

clea

ranc

e fo

rms

wer

e co

mpl

eted

for e

ach

empl

oyee

to d

eter

min

e U

SCIS

m

anag

emen

t’s

com

plia

nce

with

te

rmin

atio

n/tra

nsfe

r pr

oced

ures

.

Of

the

28

term

inat

ed/tr

ansf

erre

d U

SCIS

pe

rson

nel

sam

pled

, ev

iden

ce o

f com

plia

nce

with

exi

t cle

aran

ce p

roce

dure

s co

uld

not b

e pr

ovid

ed fo

r 19

empl

oyee

s.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e le

arne

d th

at U

SCIS

Hum

an R

esou

rce

Div

isio

n re

vise

d th

e ex

istin

g te

rmin

ated

/tran

sfer

red

proc

edur

es f

or e

xit

proc

essi

ng;

how

ever

, th

e pr

oced

ures

hav

e no

t be

en

appr

oved

nor

impl

emen

ted.

We

reco

mm

end

USC

IS m

anag

emen

t is

sue

and

adhe

re to

exi

t cle

aran

ce p

olic

ies

and

proc

edur

es to

be

follo

wed

in th

e ev

ent o

f tra

nsfe

r, te

rmin

atio

n or

se

para

tion

of

fede

ral

and

cont

ract

pe

rson

nel.

Res

ourc

es

shou

ld

be

mad

e av

aila

ble

to

com

mun

icat

e th

e up

date

d pr

oced

ures

to p

erso

nnel

, tra

in m

issi

on s

uppo

rt st

aff w

ho h

ave

a cr

itica

l rol

e in

the

upd

ated

pro

cess

, an

d en

forc

e an

d m

onito

r co

mpl

ianc

e w

ith th

e ex

it pr

oced

ures

and

pol

icie

s.

X

2

CIS

-IT-

10-0

5 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

equ

ipm

ent

and

med

ia

polic

ies

and

proc

edur

es a

re n

ot c

urre

nt.

USC

IS h

as

begu

n so

me

corr

ectiv

e ac

tion;

how

ever

, th

ese

issu

es

have

not

bee

n fu

lly re

med

iate

d.

The

USC

IS O

IT w

ill f

inal

ize

the

USC

IS M

edia

Pr

otec

tion

Man

agem

ent

Dire

ctiv

e an

d th

e U

SCIS

M

edia

Pro

tect

ion

Proc

edur

es a

nd e

nsur

e th

ey a

re

read

ily a

vaila

ble

to U

SCIS

per

sonn

el.

OIT

will

co

ntin

ue to

wor

k w

ith th

e O

ffic

e of

Adm

inis

tratio

n to

ens

ure

ther

e is

a s

tand

ardi

ze p

roce

ss t

o la

bel,

track

, sa

nitiz

e, r

efur

bish

, an

d/or

des

troy

USC

IS

med

ia u

sing

app

rove

d eq

uipm

ent a

nd so

ftwar

e.

X

1

CIS

-IT-

10-0

6 D

urin

g K

PMG

’s i

nter

nal

vuln

erab

ility

ass

essm

ent

of

FFM

S pe

rfor

med

in

Aug

ust

2010

, K

PMG

ide

ntifi

ed

seve

ral H

igh/

Med

ium

Ris

k vu

lner

abili

ties,

rela

ted

to

the

follo

win

g:

�FF

MS

mai

nfra

me

prod

uctio

n

data

base

s w

ere

inst

alle

d an

d co

nfig

ured

with

out b

asel

ine

secu

rity

USC

IS w

ill m

onito

r th

e M

issi

on A

ctio

n Pl

ans

(MA

P) o

f the

ass

ocia

ted

ICE

NFR

s: IT

-10-

12, I

T-10

-13,

IT-

10-1

4, I

T-10

-15

and

requ

est

perio

dic

stat

us u

pdat

es.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

41

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

conf

igur

atio

ns,

incl

udin

g th

e U

SCIS

O

racl

e in

stan

ce

�FF

MS

serv

ers h

ave

mis

sing

or i

nade

quat

e pa

tche

s

In a

dditi

on, w

e fo

und

phys

ical

saf

egua

rd w

eakn

esse

s at

the

DH

S D

C2

data

cen

ter,

whi

ch i

mpa

ct U

SCIS

op

erat

ions

. Sp

ecifi

cally

, we

dete

rmin

ed th

e fo

llow

ing:

�

Re-

entry

pro

cedu

res

afte

r an

em

erge

ncy

have

be

en i

mpl

emen

ted;

how

ever

, th

e pr

oced

ures

are

no

t doc

umen

ted.

�

FFM

S se

rver

is

inap

prop

riate

ly m

arke

d w

ith a

la

bel

that

ide

ntifi

es t

he a

pplic

atio

n/da

ta o

n th

e se

rver

. C

IS-I

T-10

-07

Dur

ing

the

FY 2

009

finan

cial

sta

tem

ent a

udit,

KPM

G

perf

orm

ed i

nspe

ctio

n of

the

CLA

IMS

4 pa

ssw

ord

conf

igur

atio

n se

tting

s. Pe

r ou

r in

spec

tion,

KPM

G

dete

rmin

ed t

hat

CLA

IMS

4 ha

s be

en c

onfig

ured

to

proh

ibit

pass

wor

d re

use

for 6

gen

erat

ions

, whi

ch d

oes

not m

eet t

he D

HS

4300

A r

equi

rem

ent o

f 8

pass

wor

d ge

nera

tions

. D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed i

nqui

ry f

ollo

w-u

p to

det

erm

ine

the

stat

us

of

this

w

eakn

ess

and

lear

ned

that

th

e w

eakn

ess

has

not

been

rem

edia

ted

for

CLA

IMS4

pa

ssw

ord

conf

igur

atio

n.

USC

IS h

as b

egun

som

e co

rrec

tive

actio

n; h

owev

er, t

hese

issu

es h

ave

not b

een

fully

rem

edia

ted.

The

USC

IS O

IT w

ill c

ontin

ue to

eva

luat

e th

e ris

k im

pose

d on

th

e C

LAIM

S 4

syst

em

by

not

chan

ging

the

pass

wor

d hi

stor

y fr

om 6

to 8

. If i

t is

deem

ed t

hat

the

risk

is l

ow,

OIT

will

sub

mit

a W

aive

rs a

nd E

xcep

tions

Req

uest

For

m to

the

DH

S C

ISO

. If

the

risk

is d

eem

ed m

ediu

m o

r hig

h, O

IT

will

con

tinue

to im

plem

ent t

he p

assw

ord

chan

ges

as o

utlin

ed in

the

FY 2

009

USC

IS O

IT M

AP.

X

2

CIS

-IT-

10-0

8 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

ine

ffec

tive

safe

guar

ds

still

exi

st o

ver

phys

ical

acc

ess

to s

ensi

tive

faci

litie

s an

d re

sour

ces.

USC

IS h

as b

egun

som

e co

rrec

tive

actio

n; h

owev

er,

thes

e is

sues

hav

e no

t be

en f

ully

re

med

iate

d.

The

USC

IS O

IT w

ill c

ontin

ue t

o fin

aliz

e th

e M

edia

Pr

otec

tion

Proc

edur

es

for

the

Ver

mon

t Se

rvic

e C

ente

r. O

IT w

ill te

st V

SC’s

OIT

Vis

itor

Polic

y an

d Pr

oced

ures

to

ensu

re t

hey

addr

ess

the

phys

ical

sec

urity

con

cern

s lis

ted

in t

he c

ondi

tion

stat

emen

t.

X

1

CIS

-IT-

10-0

9 In

FY

200

9, w

e de

term

ined

tha

t th

e U

SCIS

lac

ks

polic

ies

and

proc

edur

es

over

au

dit

logg

ing

of

appl

icat

ion

and

serv

er a

udit

logs

for C

LAIM

S 3

LAN

OIT

will

con

tinue

to fi

naliz

e th

e U

SCIS

Aud

it an

d A

ccou

ntab

ility

M

anag

emen

t D

irect

ive

and

impl

emen

t ent

erpr

ise

audi

t log

ging

sof

twar

e. O

IT

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

42

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

and

CLA

IMS

4 sy

stem

. Sp

ecifi

cally

, we

lear

ned

that

C

LAIM

S3 L

AN

gen

erat

es a

udit

logs

; ho

wev

er,

the

USC

IS d

oes

not r

equi

re th

at th

e lo

gs a

re r

evie

wed

or

mai

ntai

ned.

In

add

ition

, w

e de

term

ined

tha

t th

e U

SCIS

doe

s no

t hav

e po

licie

s or

pro

cedu

res

in p

lace

fo

r m

aint

aini

ng a

nd r

evie

win

g th

e au

dit

logs

. F

or

CLA

IMS4

, w

e no

ted

that

C

ompu

ter

Serv

ice

Cor

pora

tion

(CSC

) con

tract

ors

capt

ure

and

revi

ew th

e lo

gs o

f use

r acc

ess

to C

LAIM

S4; h

owev

er, n

o re

view

s of

sig

nific

ant c

hang

es in

the

appl

icat

ion

or to

sys

tem

fil

es a

re c

ondu

cted

. A

dditi

onal

ly,

no p

olic

ies

or

proc

edur

es h

ave

been

est

ablis

hed

for

cond

uctin

g an

d m

onito

ring

the

audi

t log

revi

ews.

Dur

ing

the

FY 2

010

finan

cial

sta

tem

ent

audi

t, w

e le

arne

d th

at U

SCIS

has

beg

un s

ome

corr

ectiv

e ac

tion;

ho

wev

er, t

hese

issu

es h

ave

not b

een

fully

rem

edia

ted.

Th

eref

ore,

this

find

ing

is b

eing

reis

sued

.

will

ens

ure

CLA

IMS

3 LA

N a

nd C

LAIM

S 4

audi

t lo

gs a

re p

rovi

ded

to t

he e

nter

pris

e au

dit

logg

ing

softw

are

for

anal

ysis

. O

nce

the

inte

grat

ion

of

CLA

IMS

3 LA

N

and

CLA

IMS

4 an

d th

e en

terp

rise

audi

t lo

ggin

g so

ftwar

e is

co

mpl

ete,

de

velo

p C

LAIM

S 3

LAN

and

CLA

IMS

4 au

dit

and

acco

unta

bilit

y pr

oced

ures

.

CIS

-IT-

10-1

0 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

wea

k lo

gica

l ac

cess

co

ntro

ls s

till e

xist

ove

r CLA

IMS

4. U

SCIS

has

beg

un

som

e co

rrec

tive

actio

n; h

owev

er, t

hese

issu

es h

ave

not

been

fully

rem

edia

ted.

The

USC

IS O

ffic

e of

Inf

orm

atio

n Te

chno

logy

(O

IT)

will

fin

aliz

e th

e C

LAIM

S 4

Acc

ount

M

anag

emen

t Pr

oced

ures

th

at

addr

ess

acco

unt

iden

tific

atio

n,

set-u

p,

rece

rtific

atio

n,

and

term

inat

ion

and

acce

ss r

eque

st f

orm

mai

nten

ance

. O

IT w

ill c

ontin

ue to

wor

k w

ith th

e O

IT A

ccou

nt

Man

agem

ent

Gro

up,

the

IT P

roje

ct M

anag

er a

nd

each

in

stal

latio

n si

te

to

rece

rtify

C

LAIM

S 4

acco

unts

and

ens

ure

a cu

rren

t an

d va

lid a

cces

s re

ques

t fo

rm i

s fil

ed.

OIT

will

als

o fin

aliz

e th

e U

SCIS

A

ccou

nt

Man

agem

ent,

Man

agem

ent

Dire

ctiv

e (A

genc

y Po

licy)

.

OIT

will

con

tinue

to r

evie

w C

LAIM

S 4

acco

unts

fo

r th

ose

that

hav

e be

en i

nact

ive

for

45 d

ays

man

ually

and

to

rem

ove

user

s th

at a

ppea

r on

the

O

ffic

e of

HC

T at

tritio

n bi

-wee

kly

list.

OIT

will

co

ntin

ue t

o w

ork

with

HC

T to

ens

ure

thei

r ex

it

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

43

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

clea

ranc

e pr

oces

s in

clud

es p

roce

dure

s to

pro

mpt

ly

notif

y O

IT w

hen

empl

oyee

s lea

ve o

r tra

nsfe

r.

The

HC

T m

ust

final

ize

Exit

Cle

aran

ce P

roce

ss

polic

ies

and

proc

edur

es

and

ensu

re

that

th

ese

docu

men

ts

are

diss

emin

ated

ag

ency

-wid

e.

Spec

ifica

lly,

ensu

re

that

co

ntra

ctin

g of

ficer

s, co

ntac

ting

offic

ers’

te

chni

cal

repr

esen

tativ

es,

man

ager

s and

supe

rvis

ors a

re in

form

ed a

bout

thes

e do

cum

ents

and

und

erst

and

thei

r im

porta

nce.

CIS

-IT-

10-1

1 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

perf

orm

ed in

quiry

follo

w-u

p to

det

erm

ine

the

stat

us o

f th

is w

eakn

ess

and

lear

ned

that

CLA

IMS3

LA

N s

till

lack

s po

licy

and

proc

edur

es f

or s

epar

ated

em

ploy

ees.

USC

IS h

as b

egun

som

e co

rrec

tive

actio

n; h

owev

er,

thes

e is

sues

hav

e no

t bee

n fu

lly re

med

iate

d.

The

USC

IS O

IT w

ill c

ontin

ue to

revi

ew C

LAIM

S 3

LAN

acc

ount

s fo

r th

ose

that

hav

e be

en in

activ

e fo

r 45

day

s m

anua

lly a

nd t

o re

mov

e us

er’s

tha

t ap

pear

on

the

Off

ice

of H

CT

attri

tion

bi-w

eekl

y lis

t. O

IT

will

fin

aliz

e th

e C

LAIM

S 3

LAN

A

ccou

nt

Man

agem

ent

Proc

edur

es

that

ad

dres

s ac

coun

t id

entif

icat

ion,

set

-up,

rec

ertif

icat

ion,

and

te

rmin

atio

n an

d ac

cess

req

uest

for

m m

aint

enan

ce.

OIT

will

con

tinue

to

wor

k w

ith H

CT

to e

nsur

e th

eir e

xit c

lear

ance

pro

cess

incl

udes

pro

cedu

res

to

prom

ptly

not

ify O

IT w

hen

empl

oyee

s le

ave

or

trans

fer.

OIT

w

ill

also

fin

aliz

e th

e U

SCIS

A

ccou

nt M

anag

emen

t Dire

ctiv

e (A

genc

y Po

licy)

.

The

HC

T m

ust

final

ize

Exit

Cle

aran

ce P

roce

ss

polic

ies

and

proc

edur

es

and

ensu

re

that

th

ese

docu

men

ts

are

diss

emin

ated

ag

ency

-wid

e.

Spec

ifica

lly,

ensu

re

that

co

ntra

ctin

g of

ficer

s, co

ntac

ting

offic

ers’

te

chni

cal

repr

esen

tativ

es,

man

ager

s and

supe

rvis

ors a

re in

form

ed a

bout

thes

e do

cum

ents

and

und

erst

and

thei

r im

porta

nce.

X

2

CIS

-IT-

10-1

2 D

urin

g th

e FY

201

0 fin

anci

al s

tate

men

t au

dit,

we

lear

ned

that

th

e IT

se

curit

y aw

aren

ess

train

ing

wea

knes

s ha

s no

t be

en r

emed

iate

d, t

here

fore

, th

is

findi

ng w

as re

issu

ed.

For i

nitia

l inf

orm

atio

n se

curit

y aw

aren

ess

train

ing,

O

IT w

ill c

ontin

ue t

o up

date

and

pro

vide

tra

inin

g m

ater

ials

for

the

Off

ice

of H

CT

New

Em

ploy

ee

Orie

ntat

ion

Prog

ram

(N

EOP)

. T

he H

CT

shou

ld

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

44

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#N

o C

ondi

tion

Rec

omm

enda

tion

New

Is

sue

Rep

eat

Issu

e Se

veri

ty

Rat

ing

cont

inue

to

impl

emen

t th

e N

EOP

agen

cy-w

ide.

H

CT

mus

t pr

ovid

e O

IT a

mon

thly

rep

ort

of a

ll ne

w h

ires

and

the

date

the

y co

mpl

eted

ini

tial

info

rmat

ion

secu

rity

awar

enes

s tra

inin

g du

ring

NEO

P.

For

annu

al

info

rmat

ion

secu

rity

awar

enes

s re

fres

her

train

ing,

OIT

will

con

tinue

to

use

the

Dep

artm

ent

of S

tatu

s (D

OS)

Com

pute

r Se

curit

y A

war

enes

s Tr

aini

ng

(CSA

T)

tool

to

pr

ovid

e in

form

atio

n se

curit

y aw

aren

ess

train

ing

to

all

USC

IS

empl

oyee

s w

ith

acce

ss

to

agen

cy

info

rmat

ion

syst

ems.

CIS

-IT-

10-1

3 D

urin

g ro

ll fo

rwar

d te

stin

g fo

r th

e FY

201

0 fin

anci

al

stat

emen

t au

dit,

KPM

G

perf

orm

ed

insp

ectio

n of

A

ctiv

e D

irect

ory

and

Exch

ange

(A

DEX

) ac

cess

re

ques

t for

ms.

Per

our

insp

ectio

n, K

PMG

det

erm

ined

th

at o

ne o

ut o

f th

e fo

rty-f

ive

acce

ss f

orm

s re

ques

ted

was

not

pro

vide

d. A

dditi

onal

ly, t

hree

out

of t

he fo

rty-

five

acce

ss f

orm

s re

ques

ted

wer

e cr

eate

d on

the

sam

e da

y of

the

requ

est.

The

Off

ice

of

Info

rmat

ion

Tech

nolo

gy

will

fin

aliz

e an

d is

sue

the

USC

IS M

D o

n In

form

atio

n Sy

stem

Acc

ount

Man

agem

ent.

The

MD

stip

ulat

es

polic

es o

n re

cord

s m

anag

emen

t of

acce

ss r

eque

sts

and

stan

dard

izes

th

e U

SCIS

N

etw

ork

Acc

ess

Req

uest

For

m.

X

2

CIS

-IT-

10-1

4 IC

E -

Dur

ing

KPM

G’s

in

tern

al

vuln

erab

ility

as

sess

men

t ef

forts

of

ICE’

s A

DEX

net

wor

k se

rver

s an

d de

vice

s pe

rfor

med

in

A

ugus

t 20

10,

KPM

G

iden

tifie

d a

defa

ult i

nsta

llatio

n an

d co

nfig

urat

ions

for

th

e H

SRP

on th

e C

isco

rout

ers.

USC

IS

- A

lthou

gh

USC

IS

does

no

t ha

ve

dire

ct

resp

onsi

bilit

y fo

r th

e co

ntro

ls o

ver

AD

EX a

nd I

CE

finan

cial

ap

plic

atio

ns,

USC

IS

does

ha

ve

a re

spon

sibi

lity

to

proa

ctiv

ely

man

age

its

serv

ice

prov

ider

rela

tions

hip

with

ICE.

USC

IS s

houl

d re

quire

IC

E to

pro

vide

a d

etai

led

Cor

rect

ive

Act

ion

Plan

(C

AP)

co

ntai

ning

th

e pl

anne

d re

med

iatio

n of

th

e se

curit

y vu

lner

abili

ties a

ffec

ting

USC

IS d

ata

inte

grity

.

USC

IS w

ill m

onito

r th

e M

AP

of t

he a

ssoc

iate

d N

FR#

ICE-

IT-1

0-16

and

req

uest

per

iodi

c st

atus

up

date

s.

X

3

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

45

A

ppen

dix

B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 Fi

nanc

ial S

tate

men

t Aud

it Pa

ge 1

46

Appendix C


September 30, 2010

APPENDIX C

Status of Prior Year Notices of Findings and Recommendations and Comparison to

Current Year Notices of Findings and Recommendations at DHS


Disposition

NFR No. Description Closed Repeat

CBP-IT-09-03 Contractor Tracking Deficiencies X CBP-IT-09-12 Install 10-11CBP-IT-09-13 Complete List of CBP Workstations 10-11 CBP-IT-09-21 Review of Changes to Security Profiles in ACS 10-14 CBP-IT-09-27 Administrator Access Authorization Weaknesses X CBP-IT-09-29 Completion of CF-241 Forms for Terminated Employees 10-09 CBP-IT-09-34 Installation of Anti-Virus Protection 10-11 CBP-IT-09-41 Weaknesses in the Process of Separating CBP Contractors 10-08 CBP-IT-09-44 Completion of Non Disclosure Agreements for US CBP 10-10

ContractorsCBP-IT-09-45 Log configuration weakness for System. X CBP-IT-09-48 Lack of Effective ACS Access Change Log Review Procedures 10-19 CBP-IT-09-56 ACE Audit Log Reviews 10-03 CBP-IT-09-57 NDC LAN Audit Logs X CBP-IT-09-58 Novell Password Settings X CBP-IT-09-59 Formal Procedures for Mainframe System Utility Logs X CBP-IT-09-60 Configuration for Mainframe Security Violation Control Option 10-20 CBP-IT-09-61 Completion of Initial Background Investigations and Periodic 10-21

Background Reinvestigations for CBP Employees and ContractorsCBP-IT-09-62 Rules of Behavior Not Consistently Signed by CBP Employees X

and Contractors CBP-IT-09-63 ACE does not disable accounts after 45 days X CBP-IT-09-64 ACS PGA ISAs Not Completely Documented 10-16 CBP-IT-09-65 Documentation of ACE Access Change Requests 10-06 CBP-IT-09-66 Separated Employees on ACE Access Listing 10-01 CBP-IT-09-67 Inadequate Documentation of ACS Access Change Requests 10-17 CBP-IT-09-68 Vulnerabilities in Configuration and Patch Management X CBP-IT-09-69 Inadequate SAP Profile Change Review X CBP-IT-09-70 Overuse of ACS Emergency/Temporary Access Roles X CBP-IT-09-71 Inadequate Documentation of SAP Emergency/Temporary X

Access Requests CBP-IT-09-72 ACE Segregation of Duties Controls are Not In Place 10-02 CBP-IT-09-73 Inadequate Documentation of ACE SCO Access Requests and X

Approvals CBP-IT-09-74 Inadequate Protection of CBP Information and Property 10-05

10-07

CG-IT-09-10 Contractor Background Investigation Weakness 10-02 Weaknesses with Specialized Role-based Training for 10-10

CG-IT-09-14 Individuals with Significant Security Responsibilities CG-IT-09-23 Shore Asset Management (SAM) Audit Log Review Weakness 10- 22 CG-IT-09-25 WINS Access Controls Need Strengthening X CG-IT-09-31 Weaknesses Exist in the Configuration Management Controls 10-05

Appendix C Department of Homeland Security


Current Year Notices of Findings and Recommendations




Over the Scripting Process CG-IT-09-32 Lack of Documented Contractor Tracking System Reconciliation

Procedures X

CG-IT-09-33 Lack of a Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems

10-01

CG-IT-09-34 WINS Change Control Weakness X CG-IT-09-40 Civilian Background Investigation Weakness 10-03 CG-IT-09-42 Non-Compliance with Federal Financial Management

Improvement Act (FFMIA) – Information Technology 10-24

CG-IT-09-43 Recertification Weakness within the User Management System (UMS)

X

CG-IT-09-45 FINCEN data center access is not restricted to appropriately authorized personnel

X

CG-IT-09-46 Configuration and Patch Management - Vulnerability Assessment

X

CG-IT-09-49 JUMPS Audit Log Review Weakness X CG-IT-09-50 Audit Trail Weaknesses within the Direct Access Application 10-28 CG-IT-09-51 Audit Trail Weaknesses within the Global Pay Application X CG-IT-09-52 Recertification Weakness within the Direct Access Application 10-12 CG-IT-09-53 Security Awareness Issues Associated with the Protection of

Sensitive Information 10-06

CIS-IT-09-01 Inefficient definition and documentation of access roles at the National Benefits Center for CLAIMS3 LAN

10-01

CIS-IT-09-02 Periodic user access reviews are not performed for CLAIMS3 LAN users.

10-02

CIS-IT-09-03 Incomplete or inadequate access request forms for CLAIMS3 LAN and CLAIMS4 system users.

10-03

CIS-IT-09-04 Periodic Active Directory (ADEX) system administrator access reviews are not performed at USCIS.

X

CIS-IT-09-06 Weak data center access controls exist X CIS-IT-09-07 Equipment and media policies and procedures are not current. 10-05 CIS-IT-09-08 Weak access controls for security software exist within the

Password Issuance and Control System (PICS). X

CIS-IT-09-09 Weak access controls exist in CLAIMS3 LAN. X CIS-IT-09-10 Weak password configuration controls around CLAIMS4. 10-07 CIS-IT-09-11 Background investigations are not conducted in a timely manner. X CIS-IT-09-12 Procedures for transferred/terminated personnel exit processing

are not finalized 10-04

CIS-IT-09-13 Ineffective safeguards over physical access to sensitive facilities and resources

10-08

CIS-IT-09-14 Weak access controls exist within FFMS X CIS-IT-09-15 Lack of policies and procedures for CLAIMS 3 LAN and

CLAIMS 4 audit logs 10-09

CIS-IT-09-16 Weak logical access controls exist over CLAIMS 4 10-10 CIS-IT-09-17 Training for IT security personnel is not mandatory X CIS-IT-09-18 Lack of policies and procedures for separated CLAIMS3 LAN

accounts 10-11

CIS-IT-09-19 IT Security Awareness Training compliance is not monitored 10-12

CIS-IT-09-20 Default installation and configuration of Cisco routers on ICE 10-14




Network Impact USCIS Operations.

CONS-IT-09-13 Evidence of Security Management Review of DHSTIER’s Oracle Activity Audit Reports is Not Retained

X

CONS-IT-09-14 CFO Vision Password Parameters are Not Configured in Accordance with DHS Policy

10-01

CONS-IT-09-15 Operating System Patch Management Procedures for DHSTIER and CFO Vision Not Documented.

X

CONS-IT-09-16 Periodic Review of DHS Stennis Data Center Access Privileges is Not Performed

X

FEMA-IT-09-02 Configuration Management Weaknesses on IFMIS, NEMIS, and Key Support Servers (vulnerability assessment finding)

10-41

FEMA-IT-09-03 Weaknesses Exist over Recertification of Access to IFMIS 10-14 FEMA-IT-09-06 Documentation Supporting the IFMIS User Functions Does Not

Exist 10-49

FEMA-IT-09-12 NEMIS Access Controls Need Improvement 10-01 FEMA-IT-09-13 Employee Termination Process for Removing System Access

Should be More Proactive 10-21

FEMA-IT-09-17 System Programmers Have the Ability to Migrate Code into the IFMIS Production Environment

10-39

FEMA-IT-09-19 Monitoring of NEMIS System Software Needs Improvement 10-04 FEMA-IT-09-22 Alternate Processing Site for NEMIS Has Not Been Established 10-02 FEMA-IT-09-24 NEMIS Backups Are Not Tested in Accordance with Policy 10-36 FEMA-IT-09-25 The NEMIS Contingency Plan Is Not Tested 10-20 FEMA-IT-09-28 NEMIS Configuration Management Process for Non-Emergency

Changes Needs Improvement 10-62

FEMA-IT-09-29 NEMIS Emergency Change Process Needs Improvement 10-62

FEMA-IT-09-38 Segregation of Duties Not Enforced for Traverse X FEMA-IT-09-39 Traverse Contingency Plan Not Tested and NFIP Disaster

Recovery and COOP Needs Improvement 10-61

FEMA-IT-09-45 IFMIS User Access is not Managed in Accordance with Account Management Procedures

10-26

FEMA-IT-09-46 IFMIS System Interconnections Agreements Have Not Been Reauthorized

X

FEMA-IT-09-48 Corrective Action over NEMIS Vulnerabilities is Not Formally Documented

10-33

FEMA-IT-09-50 Weaknesses Exist over IFMIS Application and Database Audit Logging

10-11

FEMA-IT-09-51 NEMIS Oracle Audit Logging is Not Tracked 10-09 FEMA-IT-09-52 Existing NEMIS Patch Management Guidance Needs to be

Implemented 10-35

FEMA-IT-09-38 Segregation of Duties Not Enforced for Traverse X FEMA-IT-09-39 Traverse Contingency Plan Not Tested and NFIP Disaster

Recovery and COOP Needs Improvement 10-61

FEMA-IT-09-45 IFMIS User Access is not Managed in Accordance with Account Management Procedures

10-26

FEMA-IT-09-46 IFMIS System Interconnections Agreements Have Not Been Reauthorized

X

FEMA-IT-09-48 Corrective Action over NEMIS Vulnerabilities is Not Formally Documented

10-33




FEMA-IT-09-50 Weaknesses Exist over IFMIS Application and Database Audit Logging

10-11

FEMA-IT-09-51 NEMIS Oracle Audit Logging is Not Tracked 10-09 FEMA-IT-09-52 Existing NEMIS Patch Management Guidance Needs to be

Implemented 10-35

FEMA-IT-09-77 FEMA and NFIP Planning, Management and Communication Related to Financial Systems Development and Acquisition Projects Needs to be Improved

10-47

FEMA-IT-09-78 Weaknesses Exist in the NEMIS Configuration Management Process under the EADIS contract

10-62

FEMA-IT-09-79 Weaknesses Exist over Management of FEMA LAN Accounts 10-22 FEMA-IT-09-80 Vulnerability Assessments of the NFIP LAN is Inadequate 10-52 FEMA-IT-09-81 Improvements are Needed in Core and G&T IFMIS Internal

Scanning Procedures and Processes 10-34

FEMA-IT-09-82 Core and G&T IFMIS Patch Management Weaknesses 10-32 FEMA-IT-09-83 EADIS NEMIS Access Restrictions to Program Directories

Needs Improvement 10-51

FEMA-IT-09-84 PARS Database Security Controls are Not Appropriately Established 10-05

FEMA-IT-09-85 TRRP Password Configurations have not been Configured in Accordance with DHS Policy

X

FEMA-IT-09-86 Weaknesses Exist over the Implementation of Traverse System Changes 10-60

FEMA-IT-09-87 Weaknesses Exist in FEMA’s Incident Response Program 10-31 FEMA-IT-09-88 Weaknesses exist over access authorizations for TRRP 10-53 FEMA-IT-09-89 Weaknesses exist over FEMA Background Investigations for

Federal Employees and Contractors 10-45

FEMA-IT-09-90 FEMA LAN Certification and Accreditation Package is not Adequate 10-28

FEMA-IT-09-91 FEMA Contractor Tracking Program is Inadequate 10-10

FLETC-IT-09-03 Momentum System Software is Not Logged or Reviewed X FLETC-IT-09-26 System Engineering Lifecycle (SELC) is not finalized X FLETC-IT-09-31 Configuration Management Weaknesses on the Procurement

Desktop, Momentum, and GSS. X

FLETC-IT-09-33 Momentum Audit Logs are not Reviewed 10-04 FLETC-IT-09-34 GAN audit logs are not reviewed 10-05 FLECT-IT-09-35 Weak access controls around Momentum 10-02 FLETC-IT-09-36 Ineffective logical access controls over the Glynco

Administrative Network 10-03

FLETC-IT-09-37 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing

10-06

FLETC-IT-09-38 Ineffective logical access controls over SIS X

ICE-IT-09-11 Ineffective physical security controls at facility entrances X ICE-IT-09-12 Ineffective/non-compliant account lockout counter settings X ICE-IT-09-13 Ineffective password settings in FFMS 10-02 ICE-IT-09-14 Ineffective ADEX user access recertification process X ICE-IT-09-15 Ineffective FFMS access recertification process 10-03 ICE-IT-09-16 Terminated/transferred personnel are not removed from ADEX

in a timely manner 10-06




ICE-IT-09-17 Segregation of duty policies are not enforced in FFMS 10-04 ICE-IT-09-18 Background reinvestigations are not conducted in a timely

manner for contractors. X

ICE-IT-09-19 Procedures for transferred/terminated personnel exit processing are not allowed.

X 10-01

ICE-IT-09-20 Training for IT security personnel is not mandatory 10-11 ICE-IT-09-21 Vulnerability Assessment - Network devices were installed with

default configuration settings and protocols; inadequate patches; and weak/ generic passwords.

10-13 through 10-16

ICE-IT-09-22 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing

10-09

ICE-IT-09-23 IT Security Awareness Training requirements are not enforced X

OCIO-IT-09-03 DHS has not fully implemented the FDCC security configurations requirements.

10-01

TSA-IT-10-20 TSA Computer Access Agreement Process TSA-IT-10-03

TSA-IT-10-23 Configuration Management Controls Over the Coast Guard Scripting Process (Included a specific TSA condition)

X

TSA-IT-10-28 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing

TSA-IT-10-01

TSA-IT-10-29 CAS, FPD, and Sunflower Access Recertification TSA-IT-10-02


1 ".I)'-Il;l.tllltni ·,fll,,""I"n.I .... llrlh\\ ,L'hill~l"n. 1)( ~115:!X

HomelandSecurity

\lEMORAi\l>l'MI'OR: Fr,1Jlk DeJ"ll-1Assistant !nspl.';.:tor (il'ncra!InljlrllWlio!l I ~dlllnJogy :\udil"

FROM: I'C""' Slwrn!\ciin" Chid I111t:llH.:ml

f~~ . r_ .. r

. <-Ricl1.ml Spin.:~ ~('hier In rornVHion ()I lied

Robcrt \\'e,,1 \:~ .... _ '""-Chicr' Illl: ml1.11inn Su;urity ()!Ti(Tl"

Slll.JLCT: lJrart i\udll I{,,'porl . IIJ(imll(/{iui1 1(chn%gvlfut/agl..'JIIl'iIlI t'ller /fw f-T JIJf{) IJI/S Financiol ,\'Ialenwnl (Ilidif J'(J1"

Official { ',e ( JUI.1· (( lfe .. PmiL'u ,\"0. (ll( ;-11·03 :-11:. /.\f(;,\.((;

\\ l,,' 11;1\"e I\;\'i""\'cd thi,; OITi1.:e Drih...: 11lSPI.'(ltIf (j~ncri.ll·..; (O!O) dlJ.1L audil l'l'Jwn.h7/rJl"/iliI!wll lechno!of.!..\' A.Jullagen/c/'J! LCf{l'l' r/TAJI.)/(u'I''j" 20/fj /)//S Fimll/L'wf.)"I((h'1IiL'111 "/Ildit. d.lled fkt:...:lllhcr t) .20}11. We I..'(JJlL'ur \\ ilh tho: '·irWllcilll ... ~ 'll:m..S~nlnt~ fimlill).!,S \.'tll,t ..linl:d "iLlllll ~ \Illr ~Illdi( l"':pl In.

<I'h~ 1)11;'; ('hi~'f Illl'lrtl1<Hillll ()lliL:.:r \Cl(}) ,Int! ChIcI' Fin,llH;ial Of!icer (CH)1 uIlllinuc 10

work l\lil1il~ in "':lb\lrlng thl' lillld~ rcmedl;ll i,lll of financial ~) sh~lll Seellrll)" \\'~<1l..lle'sst:s

i.md :iII'Chgtlll-,)ing tlh: I)t::parlll\t:lll' s in!()J'Jllal ion :;yslCtrl:=; ct)ntfC>l::' (I)'i/if()nmcni. i\lajl'Wi1cti\'ilics illl:IIlJ~':

• ls";Ul.'t1I!l.,!'T ](}f(j 11/fc/"Ho{ COl/lmf I'II/\'hook ,lfwuw:('I11{'!1f A.\'.'/ll"tIi/u flmn'.D(;/Ii",' \\1Jicb indud~:, IJII;,\' apprpudlill J\Il'llllh':lllillg ami h::-;tillg !.Ill' tksignL'J !.:c!ivl.:tll.'sS 01 iilWKi;11 !'.~ S!I.-'Ill 1111; If/ll,nion I...·chll"lllg~ (i..'II..:r:r! ('Illllro!., (/"f o('s).

o I ·l,d,lk'...! lh~' ( H I [)(',i~n,lll'd ~~'h..'lll' I.i:;t Il.l!" j. Y ~oln as a n:stl!t 1I1'lh... 1"1 t.tl A·I" ~ ,1 ... 't..""f11l,'nl' jlL'rli.llllh:d ill I, Y .2009 'I hl'ji",'pl..'L:ilics lhl.' lil1<.llh,:i:d s~ .,1l.:111"; lll:l!

rL'ql1lr\' ;lddlliol1,1! l11;lll;I~l..'lI1l'lll :lI.:t:01l1llahilil) hi ellsure el"fcclive cOl1lrols I'xiSI overlil1,ll1L'tall\:P\l!1in~.

() Ik\ I,:h'pl,:d ;md illlplcllll.'llh.:d 1ll1ldifil".Hillll~ to thl,,' St:lllll' of A~ 123 ass\.'ssmClll:-; fur I· Y201111\1 pcrfnrlll \"l'rilrl.:.ltillll ,llld \alidathltl rrnl:l'ourcs III ensurc Plan" 01" I\diull and\ \ik,,!llllL';o;. t PC l. \8: \ I, I .lddn..:;..,.., n Illi C~llsesor Jinancial system "l'l..'uril~ l.:lllllrll]

ddit:iclH:iL'~ idl'lHilicd from thl." lill,1llci~d ,tatclllcni audils and Fcdl.:r~d Illlornmlil1!lSl'curtty .\1unagl'll1tlll ;'\l:l (FISi\·lt\) Ulll111ai as:"~""smcnts. V<1lidatioll and n:rificntiol1(V&VI pru(:cdllrcs \\"cr..: p(,.~rfonllcd al till.: folliH"ing COlllpOnCtlts·---U,S, Cili/,(,:llship

Appendix D Department of Homeland Security



.U1J Immigr~lli,lll Servi(l's, IlTlllllgnHiull and l'u~I(1rns I~llrorel'lncnt. Customs ,mel~;"'d";:'l':',lt~-:tloll, h"x!l:r;ll LI','. hHim::cm~nl 'I r;linillc Center. lh~ 01 IS \ (:m:lI2.I.'IllClU

l-'trccWI';l!l..' ;11hl I ·.S. S(:l.:r~t Sc\"\'il:!.:. 'I h.... V & V dYolls I:Ol1si."ll.'d 1)1 ,1 tJm,,:c·ph:I."'I..'da:'SCSSlllcnt apIll'tlac11:

I. Assess currl'lll :-,wt••: bascLllln IT \',,!iljl':ltipll~ of Finding::. ,Ull!

RI,,·l.'UllIlIll.'lll!alions I~ I· Rs i ,11ld 0,\ IB ('irclIbr A- J 2':; aSst:Ss1l1cnt gi1PS~

Ciai 11 ulltll.'r<.;l:lnd ilit' t 1\' 1\.'fHl.:di,lti .. In ;1i..·1 i \ j I iL'S ;\Jll! , llot caus~ '1lll.l1~ .,;.,. <lDl;

.l, TC,,1 ..k-<.;lgll ,1I11.l opl..'I"ll ill~ 1..·t"lI..'l.:li, I.:ll.:...." 01' 1\:Il1Cdlitkd COlli I \lh.

• IsslIcd 1111..' I Y ~OIO 1>1 I~ Inlimllalid!l Sl.'..:uril~ 1\:rlill'lll:IIlI.:C 1)I;ln \.-vhidl indudcs theII..'qllil'i,,:l1ll.'nts III \."I1:.Ufl.· h'~ lin'Ill\.·i,,1 ..,~,..,L ... m sl.'ull'iL~ \"IlIlLroh ure h"..,h:d ;l1lrtuall~ andqu:dit.\ PI), \8.. ~ Is an,: tlI.:H:lop;,:d ;llld l:01l1pk'll'd limd~.

• l',llllillLh,,:d Ir;II..''';II;= oj' .\- f'::~ 11 (i{' \\I..'<'l"lh:S'l.'~ Ihl"llllgh lhl.· \\l'<1kl1l:ss l'cmcdi,lIi\)\lm~Ll'ic 011 tIKI' 1;-. \ 1;\ S..,:oree'lrd.

• l'rm idL'd 1'( ),\&i\·I training wllil.:h ilH:lul!l::, nlOt cause analysis 11"3illing to PI IS('ompllllClll'i.

• IIlIPfl1\l.'d pr\lL:l"'\S li}r tr:lCkll1g 1·1 audil rn:olllillcnd,tlioll:-i ItH dil~~iji(,'d systems tl)I..'IlSurC Ir;Il.:~ahiliL~ to PI )"&~,ls in Clu..,,,ifieu 1.\1'.

Addill\Ill"III~ In I \- ~l)l J. I)ll~ kl'; L:Undlll.:lI."d individual rlS,", 8:'iSCSsmcnts nnd r~qLJircd

dd,likd hri\.,tin!-,s Frolll fill dllll{Jl.llll.:nh 1.'l1/111ihuling ((I tIll.' Ill<llr.:ria! \\l,<tkncss condilillJ1 at,hI..' Ikp,II'tl1h.'IH. 'J h":l'rinnry gnab II["lh.... sl..' Ilh.:: ...'lillgS Wo..:ll.' 10 dl.'kl'll1inl.: "utili r..:adill';~"....·vllltt~ll\.' thl.: d"h:l.:li\\:n...:s:-; \,)1' llll'l,;ol'rl.'l;li\·I.' ;lI.:llLHIS. and Ill..-lIlify <tp.:as wll ... I'\.· additillilalrclLl.H.:.... Gill h... r!;II..· ...d '111 .1IIh~ll1i1k\1 C\lI\lfllb

TltL: 1)1·1~ {TO and ('II.> r\."J1):llll rllll~ Ctlllllllilll'd 10 wod'llIg Ingdl1cf 10 SlUll'\.' DI ISlin<lm.:iat ...~ <.;tt:lllS alld l.:\llllillllC 10 rais~ 11K' sli.mdmds 11.11' II (;( "s I~ll' :->I.'l.:uring <Ill I)I!",fill<llH.:l,tl ,y<.;tl.'llI:- inlfXIlli.lllllll.

[1 ~'llt h.I\\.' ~lll.\ lIU\"stions \)1" "'uuld like uddiliunal Infi)lmatil)ll. ph.'il:'>t' cont<\ct Ellll.'''~

Csulai.., 1"0, Campli;IIKe Dir\.'l:IIJr at CW.2) 3S7-61 13 or Mkhael \\.·L:l1\I,)\\. OCTO.Dircc!llr !\lLem"l ('o11I,d Progr<tlll i'v1<lna.~:;;mcnl () nicc ElL (~02) 44"-51 06.

Appendix D Department of Homeland Security



Appendix E Department of Homeland Security


Report Distribution

Department of Homeland Security

Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Chief Information Officer Chief Financial Officer Chief Information Security Officer Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:

DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.

information technology management letter for the fy 2010 dhs

Documents