Auditors find IT material weakness in ICE
An outside auditor found a material weakness during a review of the fiscal 2009 information technology operations of Immigration and Customs Enforcement.
Auditing firm KPMG, in a review of ICE internal control over financial reporting--a review released June 8 by the Homeland Security Department inspector general without additional comment--found 14 new information technology instances of deficient controls that collectively rise to the level of a material weakness, the review states.
Specifically, ICE's Microsoft Active Directory/Exchange implementation lacked comprehensive user access privilege recertifications and had default configuration settings, inadequate patches and weak password management. Also, some user roles and responsibilities on ICE financial management systems weren't properly segregated per guidelines, some contractors weren't reinvestigated and exit procedures for departing ICE staff weren't always followed.
Also, five of 20 ICE staff tested in a social engineering hack provided their login and password.
Among KPMG's recommendations is that ICE start continuously monitoring Active Directory objects for patch and configuration management vulnerabilities.
In the agency's official response to the audit, Kathy Hill, office of assurance and compliance director, concurred with all 13 KPMG recommendations.
For more:
- read DHS OIG report 10-87 (.pdf)