http://www.fcw.com/article103492-08-13-07-Web
By Mary Mosquera
Aug. 13, 2007
The integrity of the Homeland Security Departments financial data is at
increased risk because of weak information technology internal controls
related to financial management systems, the DHS Office of Inspector
General has said in a report [1].
The report covers the IT management controls that support the
departments financial statement for fiscal 2006. Internal controls
reduce the risk of error or fraud in financial reporting.
This is not the first time the IG has pointed out these weaknesses,
which were the result of DHS not prioritizing the necessary corrective
actions.
The department has excessive access to and inadequate logical security
controls for its key financial applications and support systems, in
addition to incorrect or ineffective application change control
processes, the IG said in the report.
The effect of these numerous IT weaknesses identified during our testing
reduces the reliability of DHS financial data, DHS IG Richard Skinner
said in the report. The weaknesses limit DHS ability to ensure the
confidentiality, integrity and availability of critical financial and
operational data.
Many of these weaknesses may result in material errors in DHS financial
data that are not detected in a timely manner in the normal course of
business. That means DHS must operate manual controls to reduce that
risk, the report states.
Since manual controls are operated by people, there cannot be a
reasonable expectation that they would be able to be in place at all
times and in all areas, Skinner stated.
Last year, DHS improved its results toward complying with the Federal
Information Security Management Act. Meanwhile, a few DHS component
agencies took actions to improve their IT environments and address IT
control issues.
The IG identified more than 200 separate findings covering all DHS
agencies. DHS closed about 44 percent of the prior years IT findings,
but the IG uncovered 150 new ones through testing this year.
The IG audited the financial systems of the U.S. Citizen and Immigration
Services agency, which is owned and serviced by the Immigration and
Customs Enforcement agency.
DHS inherited many of its component agencies weaknesses, including
system development activities that did not incorporate strong security
controls from the outset, which will take several years to fully
address. Many of the larger agencies have decentralized IT and financial
system support.
The fact that DHS does not have an integrated financial system with the
embedded functionality required by the Office of Management and Budget
is the major factor for the departments financial management weaknesses,
the IG said.
DHS outlined a plan to fix the internal control weaknesses in a response
letter from Robert West, its chief information security officer. For
example, the department will develop procedures by November for testing
internal controls for its designated financial systems. Component
agencies will perform monitoring of key controls by March 2008.
In June, DHS said it will move its agencies to one of two certified
financial systems under the Transformation and Systems Consolidation
program. DHS will migrate its small agencies to either a version of
Oracle Federal Financials that the Transportation Security
Administration uses or a version of SAP that the Customs and Border
Protection uses. The Government Accountability Office has said DHS does
not have a detailed enough strategy for the migration.
[1] http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_07-53_Aug07.pdf
____________________________________
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!
http://conference.hitb.org/hitbsecconf2007kl/
Received on Aug 14 2007
Intro
