Security Flaws Found In Coast Guard IT System

Flaws in the configuration and security of the U.S. Coast Guard IT system caused a material weakness in the Department of Homeland Security financial system, according to a recent audit.

The situation was outlined in an IT management letter and audit report dated last month and signed by Frank Deffer, assistant inspector general for information technology audits.

The problem was found during a 2009 independent audit by KPMG of the Coast Guard's FY 2009 financial statements as part of the DHS Integrated Audit.

The core of the problem lies with controls the Coast Guard has for its IT system. Controls allow management or employees to prevent, detect, or correct mistakes made by the system.

Last year the Coast Guard addressed nearly half of IT control weaknesses identified during its previous fiscal year. However, some of those problems persisted, according to KPMG.

Specifically, the audit found 20 IT deficiencies in the system, both in the IT financial management system controls and in the IT system itself. Eleven were findings from the prior year, and nine were new IT findings, according to KPMG.

In the financial management system, KPMG found several issues mainly relating to scripts in the system, including the lack of a formal process to distinguish between the module lead approvers for script approval requests. It also found that testing requirements for scripts are inconsistently followed.

The system's script tracking system also does not consistently include all testing, approval, and implementation documentation for all scripts, according to the report. Moreover, proper approval is not consistently obtained and documented prior to the running of each script.

In the IT system itself, KPMG noted procedural issues, including lack of formal procedures for monitoring reports on contracted personnel data or over the account termination process.

Security problems also were noted in the system, according to the audit. Specifically, Coast Guard procedures do not include specific guidance for the program managers on how to set correct and consistent risk levels and position sensitivity designations for contract employees.

Moreover, during after-hours physical security and social engineering testing, KPMG said it identified exceptions in the protection of sensitive user account information, according to the letter.

The Coast Guard also has compliance issues. Specially, the agency is not fully compliant with the requirements of Federal Financial Management Improvement Act, KPMG found.

The Coast Guard has been made aware of the deficiencies in its system and is taking steps to correct them, according to the audit.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.