Majority of DHS financial system vulnerabilities repeat from previous year, says IG

Persistent security problems in the Homeland Security Department's financial management systems compromise the confidentiality, integrity and availability of data, according to a redacted DHS inspector general report (.pdf) completed in April but only released publicly Sept. 12.

Of the 161 deficiencies identified from the fiscal 2010 systems audit, 65 percent are repeated from the fiscal 2009 audit. Collectively, write KPMG auditors, who prepared the report for the DHS IG, the vulnerabilities represent a "significant deficiency that is considered a material weakness in IT controls and financial system functionality."

Many of the deficiencies remaining from fiscal 2009 were not remediated due to conflicting correction strategies, note auditors. "Disagreements with management's self assessment occurred almost entirely at the Federal Emergency Management Agency," notes the report. Security problems at FEMA and Immigration and Customs Enforcement were the most significant among DHS components, according to both the 2009 and 2010 financial system audits.

Auditors used a variety of tests--from breaking into offices after hours to social engineering schemes--to test financial system resiliency. In one instance auditors posed as DHS IT support staff and asked employees for their user passwords. Several FEMA personnel provided user IDs and passwords, although the report did not divulge just how many did so.

Some components also fail to disable the accounts of former employees, according to the report. At ICE, former employee accounts were accessible, despite the presence of an automatic disabling tool on the network. In another test, ICE also proved unable to safeguard against duplicate payments.

The audit identified several additional security infractions. The department, in some cases, did not properly manage roles and responsibilities or access authorities, finds the report. What's more, DHS was not always compliant with certification and accreditation processes and lacked contingency plans.

In a response to auditors, DHS leadership said they concur with report recommendations and will continue to strengthen the department's financial information systems controls environment.

For more:
- see the DHS IG report (.pdf)