department of homeland security office of inspector generaldepartment of homeland security office...
TRANSCRIPT
Department of Homeland Security Office of Inspector General
Information Technology Management Letter for the FY 2010 U.S. Customs
and Border Protection Financial Statement Audit
(Redacted)
OIG-11-90 June 2011
Office ofInspector General
u.s. Department ofHomeland Security Washington, DC 25028
I:
i 1
Homeland Security
JUN 142011
Preface
The Department of Romeland Security (DRS) Office ofInspector General (OIG) was established by the Homeland Security Act oj2002 (Public Law 107-296) by amendment to the Inspector General Act oj1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.
This report presents the information technology (IT) management letter for the FY 2010 U.S. Customs and Border Protection (CBP) financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal controls that were summarized in the Independent Auditors Report dated January 25,2011 and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at CBP in support of the DRS FY 2010 financial statement audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated January 31, 2011, and the conclusions expressed in it. We do not express opinions on DRS' financial statements or internal controls or conclusions concerning compliance with laws and regulations.
The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who· contributed to the preparation of this report.
~~ Frank Deffer Assistant Inspector General Information Technology Audits
KPMG LLP 2001 M Street, NW Washington, DC 20036-3389 January 31, 2011
Office of Inspector General U.S. Department of Homeland Security
Chief Information Officer U.S. Customs and Border Protection
Chief Financial Officer U.S. Customs and Border Protection
Ladies and Gentlemen:
We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a Component of the U.S. Department of Homeland Security (DHS), as of September 30, 2010 and 2009, and the related consolidated statements of net cost, changes in net position, custodial activity, and the combined statements o f budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.
In connection with our fiscal year (FY) 2010 engagement, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
Our audit of CBP as of, and for the year ended, September 30, 2010, disclosed a significant deficiency in the areas of Information Technology (IT) access controls, security management, segregation of duties, and functionality. These matters are described in the IT General Control Findings and Recommendations section of this letter.
KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.
The significant deficiency described above is presented in our Independent Auditors’ Report, dated January 25, 2011. This letter represents the separate restricted distribution letter mentioned in that report.
The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only.
Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.
The Table of Contents on the next page identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2010 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C.
CBP’s written response to our comments and recommendations included in Appendix D has not been subjected to auditing procedures and, accordingly, we express no opinion on it.
This communication is intended solely for the information and use of DHS and CBP management, DHS Office of Inspector General (OIG), the OMB, the Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.
Very truly yours,
TABLE OF CONTENTS
Page
Objective, Scope, and Approach 1
Summary of Findings and Recommendations 3
IT General Control Findings and Recommendations 4
Security Management 4
After-Hours Physical Security Testing 5
Social Engineering Testing 5
Access Control 6
Segregation of Duties 7
Financial System Functionality 7
Application Control Findings 11
Management’s Comments and OIG Response 11
APPENDICES
Appendix
A
Subject
Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit
Page
12
B FY 2010 Notices of IT Findings and Recommendations at CBP - Notice of Findings and Recommendations – Definition of Severity Ratings
15 16
C
D
Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at CBP
Management’s Comments
32
34
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
OBJECTIVE, SCOPE, AND APPROACH
We have audited the CBP agency’s balance sheets and related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter, referred to as “consolidated financial statements”) as of September 30, 2010 and 2009. In connection with our audit of CBP’s consolidated financial statements, we performed an evaluation of information technology general controls (ITGC), to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further described in Appendix A.
FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.
�
�
�
�
�
Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.
Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.
To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the CBP environment. The technical security testing was performed both over the Internet and from within select CBP facilities, and focused on test, development, and production devices that directly support key general support systems.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 1
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
In addition to testing CBP’s general control environment, we performed application control tests on a limited number of CBP’s financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as follows: Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.
� Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 2
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
SUMMARY OF FINDINGS AND RECOMMENDATIONS
During FY 2010, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements over various system logical access processes and system security settings, system administrator access processes and procedures, and performed more consistent tracking of contractors and system user rules of behavior agreements. However, during FY 2010, we continued to identify IT general control weaknesses that could potentially impact CBP’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we considered them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants (AICPA). The IT findings were combined into one significant deficiency regarding IT for the FY 2010 audit of the CBP consolidated financial statements. In addition, based upon the results of our test work, we noted that CBP did not fully comply with the requirements of the FFMIA.
In FY 2010, our IT audit work identified 23 IT findings, of which 16 were repeat findings from the prior year and 7 were new findings. In addition, we determined that CBP remediated 13 IT findings identified in previous years. Collectively, these findings represent deficiencies in three of the five FISCAM key control areas as well as deficiencies related to financial system functionality. The FISCAM areas impacted included Security Management, Access Controls, and Segregation of Duties. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited thereby compromising the integrity of financial data used by management and reported in CBP’s financial statements.
The recommendations made by us in this report are intended to be helpful, and may not fully remediate the deficiency. CBP management has responsibility to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 3
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS
Findings:
During the FY 2010 CBP financial statement audit, we identified the following IT and financial system control deficiencies that in the aggregate are considered a significant deficiency:
Security Management
�
�
�
�
�
�
�
�
A complete, up-to-date listing of all CBP workstations is not maintained. As a result, CBP cannot determine whether CBP workstations are adequately protected against security threats.
Of the forty-five selected employees that had separated in FY 2010, 19 of these individuals did not have a completed CBP Form 241 on file.
Separation procedures relating to CBP contractors refer to Department of Treasury policies, and therefore are outdated as CBP is no longer a part of Treasury. Additionally, CBP-242 contractor separation forms were not properly completed for 9 of 45 selected CBP contractors.
Non-Disclosure Agreements (NDAs) for 29 of 45 selected contractors were signed several months after their hire date, were not signed and/or dated by the contractor, and/or were not completed by CBP.
CBP has not completed reinvestigations of contractors that should have been completed during the FY 2010 fiscal year (previous investigation date was greater than five years).
During technical testing, access, configuration and patch management exceptions were identified on Active Directory (AD) Domain Controllers and hosts supporting the SAP, the Automated Commercial System (ACS), and the Automated Commercial Environment (ACE) applications.
Role-based security training requirements for personnel with IT security positions were inadequate and were not commensurate with the individual’s duties and responsibilities. Additionally, 8 of the 45 sampled individuals did not complete the required specialized training by the CBP deadline.
Access to the raised floor area at the National Data Center (NDC) was not consistently documented by approved access requests. Additionally, not all personnel with access to the raised floor area were re-authorized for access.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 4
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
After-Hours Physical Security Testing
After-hours physical security testing was conducted to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that houses financial data and information residing on a CBP employee’s/contractor’s desk, which could be used by others to gain unauthorized access to systems hosting financial information. The testing was performed at various CBP locations that process and /or maintain financial data as shown in the following table.
Exceptions Noted
CBP Locations Tested Total Exceptions
by Type
NDC-7 (BLM
Building) NDC-1 Beauregard
(Alexandria) Falls
Church Tyson’s Corner NDC-4
Passwords 1 1 2 2 6 4 16 For Official
Use Only (FOUO)
5 18 5 5 6 4 43
Keys/Badges 3 1 0 6 1 2 13 Personally Identifiable Information
(PII)
4 4 0 1 0 2 11
Server Names/IP Addresses
1 5 1 0 2 1 10
Laptops 0 3 0 0 1 2 6 External Drives 0 0 1 1 0 0 2
Credit Cards 1 0 0 0 0 0 1
Total Exceptions by Location
15 32 9 15 16 15 102
Note that approximately 15 desks / offices were examined for each one of the columns in the above table.
Social Engineering Testing
Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to deception for the purpose of information gathering or for gaining computer system access.
Total Called Total Answered Number of People Who Divulged a Password 25 16 2
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 5
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
Access Control
�
�
The log of ACS access profile changes is not regularly reviewed by personnel independent from those individuals that have made the changes.
The following issues exist in regard to ACS Security Profile Change Log Procedures: - Procedures do not define how often the ACS security profile change audit logs are
reviewed; - Procedures do not describe how evidence of the review process is created by the ACS
Information System Security Officer (ISSO)/Independent Reviewer; and, - Procedures do not define the sampling methodology that is used to select ACS profile
change security logs for review.
�
�
�
�
�
�
�
�
�
ACE audit logs are not being reviewed on a regular basis.
The control option to limit the number of failed logon attempts to the was not configured properly.
ACS Information Security Agreements (ISAs) for all identified participating government agencies have not been documented as required by CBP and DHS policies.
Initial access requests and approvals for 9 of 25 individuals granted access to ACE during FY 2010 could not be provided.
ACE portal accounts for are not timely removed as required by CBP and DHS policy.
Access request documentation for individuals who had their ACS access profiles modified during FY 2010 was not consistently maintained.
Activities of developers granted temporary/emergency access to ACS production were not monitored for appropriateness.
Access request documentation for individuals who were granted access to the NDC Local Area Network (LAN) during FY 2010 was not consistently maintained.
Personnel with access to backup media maintained off site have not regularly been recertified to validate the need for continuing access and the specific levels of access warranted.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 6
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
Segregation of Duties
� ACE is not currently configured to restrict access to least privilege for performing job functionality as required by CBP policy.
Financial System Functionality
KPMG identified control weaknesses related to the processing of drawback payments and in certain entry processes, which are reported in detail in the Independent Auditors’ Report. These weaknesses are reported here in the Information Technology Management Letter to emphasize the common technology link within these findings as related to ACS.
ACS is used to track, control, and process commercial goods and conveyances for the purpose of collecting import duties, fees, and taxes owed to the Federal government and processing refunds and drawbacks related to the process of these collections. Since ACS was created in the mid-1980s, maintenance for the system has become increasingly difficult and expensive. Furthermore, the funding necessary to substantially remediate these control weaknesses is not available.
These control weaknesses continue to exist where ACS is functionally deficient. The conditions below highlight the deficiencies within ACS.
�
�
�
�
ACS lacks the controls necessary to prevent, or detect and correct excessive drawback claims. The programming logic in ACS does not link drawback claims to imports at a detailed, line item level. In addition, ACS does not have the capability to compare, verify, and track essential information on drawback claims to the related underlying consumption entries and export documentation upon which the drawback claim is based. Export information is not linked to the Drawback module and therefore electronic comparisons of export data cannot be performed within ACS.
Certain monitoring reports used to monitor (review) importer compliance with the in-bond process have not been developed and therefore importer compliance is not being tracked. In addition, in-bonds are not automatically linked to the relevant entry or export filings in ACS, which leads to extensive manual work to close open in-bonds. Finally, ACS does not provide the ability to run oversight reports to determine if ports have completed all required in-bond post audits and exams.
ACS does not properly account for bond sufficiency of claims that involve a continuous bond and therefore a claimant can potentially claim and receive an accelerated payment that exceeds the bond amount on file. As a result, CBP will not have sufficient surety against a drawback over claiming.
ACS does not provide summary information of the total unpaid assessments for duties, taxes, and fees by individual importer (i.e., a sub-ledger) and cannot provide reporting information on outstanding receivables, the age of receivables, or other data necessary for management to effectively monitor collection actions.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 7
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
�
�
The drawback selectivity function of ACS is not programmed to select a statistically valid sample of prior drawback claims against a selected import entry.
ACS is programmed to automatically indicate that a Port Director certified a refund or drawback payment even if the Port Director does not certify a given payment.
Recommendations:
We recommend that the CBP Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to CBP’s financial management systems and associated information technology security program.
For Security Management
�
�
�
�
�
�
�
Continue installing and develop, implement, and monitor policies and procedures to move all workstations to or to obtain waivers and compensating controls for those workstations that cannot be moved to .
Review the validity of the CBP Form 241 for the Employee Separation process and to originate an alternate mechanism to hold managers accountable for timely notification of employee separations and for confirming the termination of access to information systems, and the return of Government property and equipment;
Review the current Customs Directive and update it to reflect the current operating environment. Additionally, consistent and accurate completion of the SF Form 242 is required for all separating contractors with access to CBP facilities, information systems and/or sensitive information;
Implement a more consistent method of ensuring that each contractor employee in moderate and high-risk positions complete and sign a NDA;
Additional work: - Complete via e-QIP the “initiation” of all remaining employee reinvestigations by
December 30, 2010. - Complete the reinvestigations for all such employees by December 30, 2011. - Develop/deploy a tracking mechanism (Contractor Tracking System) by which to
identify those contractors requiring reinvestigation;
Develop and implement a strategy to ensure that reinvestigations for all contractors are initiated as required;
Patch, upgrade, correct, or obtain waivers for any identified weaknesses as a result of the IT technical vulnerabilities assessment;
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 8
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
�
�
Re-examine the CBP role-based training program and consider implementing the DHS Role-Based Security Training Program at CBP once it is implemented at DHS; and
Develop tools and procedures for facilitating and documenting the approval/recertification and review of individual access to the raised floor area.
For After-Hours Physical Security Testing:
� Implement multiple types of security awareness reminders and opportunities to educate users of the importance of protecting CBP information systems and data. Specifically, social engineering evaluations should be incorporated into routine site inspections to test employee security awareness and to educate users on how to respond to information security attacks.
For Social Engineering Testing:
� Continue annual security awareness training. In addition, seek to add other means of increasing security awareness.
For Access Control �
�
�
�
�
�
Formalize a detailed procedure for the review of ACS security profile change logs. The procedure should include implementing a periodic review of the logs by an independent reviewer;
Develop and implement procedures that document the review process for ACS profile change logs. The process should include the documented evidence of review, how often audit logs are reviewed, and the review sampling methodology to be used;
Maintain evidence that regular reviews of audit logs are occurring. Specifically, continue plans initiated in July of 2010 to institutionalize a more formal method of documenting who performed reviews of audit logs, when these reviews occurred, and what issues (if any) were identified. ;
Perform a cost/benefit analysis to determine whether an ACE custom-developed solution or a purchased commercial off the shelf (COTS) product should be implemented for full automation of audit log reviews;
Devote sufficient resources in order to implement and maintain formal ISAs with the Partnering Government Agencies (PGAs) that interconnect with ACS. Document ISAs for all ACS PGA connections identified in the ACS SSP;
Issue a memorandum and distribute the procedures to the respective CBP Offices to implement monitoring procedures to ensure compliance with stated procedures and that Office Information Technology (OIT) coordinate a meeting with the other CBP Offices to determine if centralized access control measures are necessary;
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 9
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
�
�
�
�
�
Implement procedures to reinforce adherence to guidance requiring timely notification of separations by employees or contractors with access to ACE. Those responsible for ACE access control need to be notified of a separation no later than the day of separation;
Implement and monitor procedures to consistently document the access requests and approvals for any and all access creations and changes to ACS user profiles;
For the TSS audit of emergency access, run a report, as needed, at management’s (e.g., emergency approver’s) request;
Transition the process for requesting NDC-LAN Network access from the paper-based user access request form to an electronic user access request form. Once the electronic form is fully implemented, update the documented process to reflect that all NDC-LAN user access requests must go to the Technology Service Desk (TSD) for action. TSD will generate a trouble ticket and attach the electronic access request form to the initial user request ticket for NDC-LAN access. The ticket will be issued in the name of the user gaining the access so it is easily searchable; and
Update the access authorization process to indicate that the access list will undergo a 100% recertification annually. The artifact derived from this action should be an official report from the Contracting Officer Technical Representative for offsite media storage clearly stating the recertification results along with the backup paperwork for all adds, deletes, and changes to the access list.
For Segregation of Duties
� Continue to work with the Office of International Trade, Office of Administration and Office of Field Operations to identify incompatible roles and develop procedures as part of the access control process to ensure that these role combinations are not granted to ACE users, except when a waiver is granted in writing.
Lack of Financial System Functionality
� Continue efforts on the following: - Modernize business processes though the development and deployment of functionality
in the Automated Commercial Environment as it has done since 2001. - Work with ACE stakeholders, including CBP personnel, the trade, participating
government agencies, the Department of Homeland Security and the Congress to prioritize, develop, and deploy functionality that allows CBP to fulfill its mission and meet the needs of its stakeholders.
- Seek funds through the budget process that will allow CBP to continue to develop and deploy functionality in ACE that will support CBP’s mission and meet the needs of its stakeholders.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 10
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
APPLICATION CONTROL FINDINGS
We did not identify any findings in the area of application controls during the fiscal year 2010 CBP audit engagement.
MANAGEMENT’S COMMENTS AND OIG RESPONSE
We obtained written comments on a draft of this report from CBP management. Generally, CBP management agreed with our findings and recommendations. CBP management has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.
OIG Response
We agree with the steps that CBP management is taking to satisfy these recommendations
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 11
Appendix A Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Appendix A
Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial
Statement Audit
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 12
Appendix A Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2010 Financial Statement Audit.
Automated Commercial Environment (ACE)
ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that this system will replace ACS when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies. ACE is being deployed in phases, with no set final full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY2010 financial statement audit. The ACE system is located in Newington, VA.
Automated Commercial System (ACS)
ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system is included in full scope in the FY 2010 financial statement audit. The ACS system is located in Newington, VA.
National Data Center – Local Area Network (NDC LAN)
The NDC LAN provides more than 1,200 CBP contractor and employee user access to enterprise-wide applications and systems. The mission of the NDC LAN is to the support Field Offices/Agents with applications and technologies in the securing and protection of our nation's borders. The NDC LAN consists of five Novell NetWare 6.5 servers, various workstations and printers/plotters, 11 Cisco switches, and the associated Novell Netware management applications. There are no major or minor applications running on the NDC LAN other than the file and print services associated with the Novell NetWare servers. The NDC LAN is an unclassified system processing For Official Use Only (FOUO) data. As the NDC LAN includes the environment where the ACE, ACS, and SAP applications physically reside, the NDC LAN is included in limited scope in the FY2010 financial statement audit. The NDC LAN is located in Newington, VA.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 13
Appendix A Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
SAP Enterprise Central Component (SAP ECC 6.0)
SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC 6.0 financial management system is included in full scope in the FY 2010 financial statement audit. The SAP ECC 6.0 system is located in Newington, VA.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 14
Appendix B Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Appendix B FY 2010 Notices of IT Findings and Recommendations at CBP
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 15
Appendix B Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Notice of Findings and Recommendations NFR – Definition of Severity Ratings:
Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors’ Report.
1 – Not substantial
2 – Less significant
3 – More significant
The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.
These rating are provided only to assist CBP in prioritizing the development of its corrective action plans for remediation of the deficiency.
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 16
FY
2010
Info
rmat
ion
Tech
nolo
gy
Not
ifica
tion
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g C
BP
IT-1
0 01
This
is
a sy
stem
-leve
l fin
ding
. K
PMG
not
ed t
hat
CB
P po
rtal
acco
unts
for
a
re r
emov
ed o
n a
bi-w
eekl
y ba
sis
and
are
not r
emov
ed o
n
the
day
of t
he i
ndiv
idua
l’s s
epar
atio
n as
req
uire
d by
CB
P an
d D
HS
polic
y.
KPM
G d
id n
ote
that
CB
P is
aw
are
of th
e is
sue
and
is lo
okin
g in
to a
n au
tom
ated
so
lutio
n fo
r co
mpl
ianc
e w
ith C
BP
and
DH
S po
licy.
Upo
n fu
rther
tes
ting
of
term
inat
ed e
mpl
oyee
s, K
PMG
did
not
find
any
use
rs th
at h
ad a
cces
sed
the
syst
em
afte
r the
ir se
para
tion
date
from
CB
P.
CB
P sh
ould
im
plem
ent
proc
edur
es
to
rein
forc
e ad
here
nce
to
guid
ance
re
quiri
ng
timel
y no
tific
atio
n of
sep
arat
ions
by
em
ploy
ees
or
cont
ract
ors
with
acc
ess
to
AC
E.
Th
ose
re
spon
sibl
e fo
r A
CE
acce
ss
cont
rol
need
to
b
e no
tifie
d of
a
sepa
ratio
n no
late
r tha
n th
e da
y of
sepa
ratio
n.
X
2
CB
PIT
-10
02
This
is a
syst
em le
vel f
indi
ng.
KPM
G n
oted
that
AC
E is
not
cur
rent
ly c
onfig
ured
to
pre
vent
inco
mpa
tible
role
s fr
om b
eing
ass
igne
d to
a u
ser,
as re
quire
d by
CB
P an
d D
HS
polic
ies.
Whi
le,
initi
al s
teps
have
bee
n ta
ken
to a
ddre
ss f
orm
al
segr
egat
ion
of d
utie
s with
in th
e sy
stem
, no
addi
tiona
l act
ions
hav
e ta
ken
plac
e.
CB
P O
ffic
e of
Inf
orm
atio
n an
d Te
chno
logy
will
cont
inue
to
wor
k w
ith t
he
Off
ice
of
In
tern
atio
nal
Trad
e,
Off
ice
of
Adm
inis
tratio
n an
d O
ffic
e of
Fi
eld
Ope
ratio
ns
to
id
entif
y in
com
patib
le r
oles
an
d de
velo
p pr
oced
ures
as
part
of t
he a
cces
s co
ntro
l pr
oces
s to
ens
ure
that
thes
e ro
le c
ombi
natio
ns a
re
no
t gr
ante
d to
A
CE
user
s,
ex
cept
whe
n a
wai
ver
is
gran
ted
in w
ritin
g.
X
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
17
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g C
BP
IT-1
003
This
is
a sy
stem
-leve
l fin
ding
. K
PMG
not
ed t
hat
evid
ence
of
com
plet
ed A
CE
syst
em l
og (
Sysl
og)
revi
ews
did
not
incl
ude
an a
ppro
pria
te l
evel
of
deta
il.
Spec
ifica
lly,
durin
g th
e m
ajor
ity o
f FY
2010
, th
ere
was
no
form
al m
etho
d of
do
cum
entin
g w
ho p
erfo
rmed
the
aud
it lo
g re
view
s, w
hen
they
wer
e re
view
ed,
wha
t iss
ues
(if a
ny) w
ere
iden
tifie
d, a
nd th
e ac
tions
take
n (if
app
licab
le).
KPM
G
note
d th
at p
roce
dure
s re
gard
ing
the
revi
ew o
f A
CE
audi
t lo
gs h
ave
been
es
tabl
ishe
d pr
ior
to
fisca
l ye
ar
2010
, an
d th
at
man
agem
ent
is
curr
ently
im
plem
entin
g a
form
al m
etho
d of
doc
umen
ting
the
requ
isite
sys
tem
log
revi
ew
info
rmat
ion.
We
reco
mm
end
that
CB
P m
aint
ain
evid
ence
th
at
regu
lar
revi
ews
of
audi
t lo
gs
are
occu
rrin
g.
Spec
ifica
lly,
we
reco
mm
end
that
C
BP
cont
inue
w
ith
plan
s in
itiat
ed in
Jul
y of
201
0 to
in
stitu
tiona
lize
a m
ore
form
al
met
hod
of
docu
men
ting
who
pe
rfor
med
rev
iew
s of
aud
it lo
gs,
whe
n th
ese
revi
ews
occu
rred
, an
d w
hat
issu
es
(if a
ny) w
ere
iden
tifie
d.
We
also
rec
omm
end
that
C
BP
perf
orm
a c
ost/b
enef
it an
alys
is
to
dete
rmin
e w
heth
er a
n A
CE
cust
om-
deve
lope
d so
lutio
n or
a
purc
hase
d C
OTS
pr
oduc
t sh
ould
be
impl
emen
ted
for
full
auto
mat
ion
of a
udit
log
revi
ews.
X
2
CB
PIT
-10
05
Soci
al e
ngin
eerin
g is
def
ined
as
the
act o
f at
tem
ptin
g to
man
ipul
ate
or d
ecei
ve
peop
le i
nto
taki
ng a
ctio
n th
at i
s in
cons
iste
nt w
ith p
olic
ies,
such
as
divu
lgin
g se
nsiti
ve in
form
atio
n or
allo
win
g / e
nabl
ing
com
pute
r sy
stem
acc
ess.
The
term
ty
pica
lly a
pplie
s to
trick
ery
or d
ecep
tion
for t
he p
urpo
se o
f inf
orm
atio
n ga
ther
ing,
or
com
pute
r sys
tem
acc
ess.
We
reco
mm
end
that
CB
P im
plem
ent
mul
tiple
ty
pes
of
secu
rity
awar
enes
s re
min
ders
an
d op
portu
nitie
s to
ed
ucat
e
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
18
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g
The
obje
ctiv
e of
our
soci
al e
ngin
eerin
g te
st w
ork
prim
arily
focu
sed
on a
ttem
ptin
g to
iden
tify
user
pas
swor
ds.
Posi
ng a
s DH
S te
chni
cal s
uppo
rt em
ploy
ees,
atte
mpt
s w
ere
mad
e to
obt
ain
this
typ
e of
acc
ount
inf
orm
atio
n by
con
tact
ing
rand
omly
se
lect
ed e
mpl
oyee
s by
tele
phon
e.
A s
crip
t was
use
d to
ask
for
ass
ista
nce
from
th
e us
er i
n re
solv
ing
a ne
twor
k is
sue
in t
he c
ompo
nent
. F
or e
ach
pers
on w
e at
tem
pted
to c
all,
we
note
d in
the
tabl
e be
low
whe
ther
the
indi
vidu
al a
nsw
ered
an
d w
heth
er w
e ob
tain
ed a
ny in
form
atio
n fro
m th
em th
at s
houl
d no
t hav
e be
en
shar
ed w
ith u
s ac
cord
ing
to D
HS
polic
y.
Our
sel
ectio
n of
indi
vidu
als
was
not
st
atis
tical
ly d
eriv
ed,
and
ther
efor
e w
e ar
e un
able
to
proj
ect
resu
lts t
o th
e co
mpo
nent
or d
epar
tmen
t as a
who
le.
Of 2
5 in
divi
dual
s ca
lled,
16
answ
ered
. O
f the
16
that
ans
wer
ed, 2
div
ulge
d th
eir
netw
ork
pass
wor
d.
user
s of
the
im
porta
nce
of
prot
ectin
g C
BP
info
rmat
ion
syst
ems
and
data
. Sp
ecifi
cally
, w
e re
com
men
d th
at
soci
al
engi
neer
ing
eval
uatio
ns b
e in
corp
orat
ed
into
ro
utin
e si
te
insp
ectio
ns
to
test
em
ploy
ee’s
se
curit
y aw
aren
ess
and
to e
duca
te
user
s on
how
to r
espo
nd to
in
form
atio
n se
curit
y at
tack
s.
CB
PIT
-10
06
This
is
a
syst
em-le
vel
findi
ng.
K
PMG
re
ques
ted
acce
ss
auth
oriz
atio
n do
cum
enta
tion
for 2
5 in
divi
dual
s w
ho w
ere
gran
ted
AC
E ac
cess
dur
ing
FY 2
010.
In
itial
acc
ess
requ
ests
and
app
rova
ls fo
r 9 o
f the
se in
divi
dual
s w
ere
not p
rovi
ded.
A
lthou
gh a
pro
cess
for
cre
atin
g an
d m
aint
aini
ng u
ser
acce
ss f
orm
s an
d re
ques
ts
has
been
in p
lace
sin
ce b
efor
e th
e be
ginn
ing
of F
Y 2
010,
acc
ess
appr
oval
s pr
ior
to th
e cr
eatio
n of
AC
E ac
coun
ts w
ere
not c
onsi
sten
tly m
aint
aine
d in
acc
orda
nce
with
CB
P po
licy
and
proc
edur
es.
We
reco
mm
end
that
th
e O
ffic
e of
Inf
orm
atio
n an
d Te
chno
logy
(O
IT) i
ssue
a
mem
oran
dum
an
d di
strib
ute
the
proc
edur
es to
th
e re
spec
tive
CB
P O
ffic
es
to
impl
emen
t. W
e al
so
reco
mm
end
that
m
onito
ring
pro
cedu
res
be
esta
blis
hed
to
ensu
re
com
plia
nce
with
th
e pr
oced
ures
an
d th
at
OIT
co
ordi
nate
a m
eetin
g w
ith
the
othe
r C
BP
Off
ices
to
dete
rmin
e if
cent
raliz
ed
acce
ss c
ontro
l mea
sure
s are
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
19
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g ne
cess
ary.
CB
PIT
-10
07
We
perf
orm
ed a
fter-
hour
s ph
ysic
al s
ecur
ity t
estin
g to
ide
ntify
ris
ks r
elat
ed t
o no
n-te
chni
cal
aspe
cts
of I
T se
curit
y.
Thes
e no
n-te
chni
cal
IT s
ecur
ity a
spec
ts
incl
ude
phys
ical
acc
ess
to e
quip
men
t tha
t hou
ses
finan
cial
dat
a an
d in
form
atio
n re
sidi
ng
on
CB
P pe
rson
nel
desk
s, w
hich
co
uld
be
used
by
ot
hers
to
in
appr
opria
tely
acc
ess
finan
cial
inf
orm
atio
n.
The
test
ing
was
per
form
ed a
t va
rious
CB
P lo
catio
ns t
hat
proc
ess
and/
or m
aint
ain
finan
cial
dat
a.
A C
BP
empl
oyee
was
des
igna
ted
to a
ssis
t with
and
mon
itor o
ur te
st w
ork.
Afte
r gai
ning
ac
cess
to C
BP
faci
litie
s, w
e in
spec
ted
a se
lect
ion
of d
esks
and
/or o
ffic
es, l
ooki
ng
for
item
s su
ch
as
impr
oper
pr
otec
tion
of
syst
em
pass
wor
ds,
unse
cure
d in
form
atio
n sy
stem
har
dwar
e, d
ocum
enta
tion
mar
ked
“For
Off
icia
l U
se O
nly”
(F
OU
O),
and
unlo
cked
net
wor
k se
ssio
ns.
Our
sel
ectio
n of
des
ks a
nd o
ffic
es w
as
not
stat
istic
ally
der
ived
, an
d th
eref
ore
we
are
unab
le t
o pr
ojec
t re
sults
to
the
com
pone
nt o
r dep
artm
ent a
s a
who
le.
For e
ach
loca
tion
visi
ted,
we
note
the
type
of
uns
ecur
ed i
nfor
mat
ion
or p
rope
rty w
e id
entif
ied
and
incl
uded
the
tot
al
exce
ptio
ns n
oted
by
loca
tion,
as
wel
l as
by
type
of
info
rmat
ion
or p
rope
rty
iden
tifie
d.
A to
tal o
f 10
2 in
stan
ces
wer
e id
entif
ied
acro
ss th
e si
x lo
catio
ns w
here
phy
sica
l as
sets
or
sens
itive
info
rmat
ion
was
not
sec
ured
in a
ccor
danc
e w
ith D
HS
and/
or
CB
P po
licie
s.
CB
P sh
ould
con
tinue
its
annu
al se
curit
y aw
aren
ess
train
ing.
In
addi
tion,
it
shou
ld se
ek to
add
oth
er
mea
ns o
f inc
reas
ing
secu
rity
awar
enes
s.
X
2
CB
PIT
-10
08
This
is a
com
pone
nt-le
vel f
indi
ng.
KPM
G n
oted
that
sep
arat
ion
proc
edur
es f
or
cont
ract
em
ploy
ees
(Cus
tom
s D
irect
ive
5171
5-00
6) a
re o
ut o
f da
te a
nd in
clud
e in
com
plet
e an
d in
accu
rate
refe
renc
es.
Spec
ifica
lly, t
he p
roce
dure
s hav
e no
t bee
n up
date
d si
nce
Sept
embe
r 200
1. T
he p
roce
dure
s re
fere
nce
Trea
sury
faci
litie
s an
d Tr
easu
ry p
olic
ies
as s
ourc
e do
cum
enta
tion.
K
PMG
not
es t
hat
a ne
w d
irect
ive,
C
BP
Dire
ctiv
e 12
10-0
07,
entit
led
‘Con
tract
or T
rack
ing
Syst
em,’
was
iss
ued
requ
iring
the
use
of th
e C
ontra
ctor
Tra
ckin
g Sy
stem
; how
ever
, the
new
dire
ctiv
e st
ill re
fers
to o
ut o
f dat
e C
usto
ms
Dire
ctiv
e 51
715-
006
for s
epar
atio
n pr
oced
ures
We
reco
mm
end
that
CB
P re
view
the
curr
ent C
usto
ms
Dire
ctiv
e an
d up
date
it
to
refle
ct
the
curr
ent
oper
atin
g en
viro
nmen
t. A
dditi
onal
ly,
we
reco
mm
end
that
C
BP
requ
ire t
he c
onsi
sten
t an
d
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
20
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g fo
r con
tract
or e
mpl
oyee
s.
Add
ition
ally
, K
PMG
not
ed t
hat
SF 2
42 c
ontra
ctor
sep
arat
ion
form
s ar
e no
t co
mpl
eted
con
sist
ently
for
sep
arat
ing
CB
P co
ntra
ctor
s. S
peci
fical
ly,
KPM
G
note
d th
at o
f 45
sep
arat
ed c
ontra
ctor
s w
ith a
cces
s to
CB
P fa
cilit
ies,
info
rmat
ion
syst
ems,
and/
or s
ensi
tive
info
rmat
ion
who
wer
e se
lect
ed fo
r tes
ting,
9 fo
rms
wer
e no
t com
plet
ed, w
ere
not p
rovi
ded,
or w
ere
not c
ompl
eted
in a
tim
ely
man
ner.
accu
rate
com
plet
ion
of t
he
SF 2
42 f
or a
ll se
para
ting
cont
ract
ors
with
acc
ess
to
CB
P fa
cilit
ies,
info
rmat
ion
syst
ems
and/
or
sens
itive
in
form
atio
n.
CB
PIT
-10
09
This
is
a co
mpo
nent
lev
el f
indi
ng.
KPM
G s
elec
ted
45 g
over
nmen
t em
ploy
ees
that
had
sep
arat
ed in
FY
201
0 an
d no
ted
that
19
of th
ese
indi
vidu
als
did
not h
ave
a co
mpl
eted
CB
P Fo
rm 2
41 o
n fil
e.
We
reco
mm
end
that
CB
P re
view
the
val
idity
of
the
CB
P Fo
rm 2
41 E
mpl
oyee
Se
para
tion
proc
ess
and
dete
rmin
e an
al
tern
ate
mec
hani
sm
to
hold
m
anag
ers
acco
unta
ble
for
timel
y no
tific
atio
n of
em
ploy
ee s
epar
atio
ns a
nd
for
conf
irmin
g th
e te
rmin
atio
n of
ac
cess
to
in
form
atio
n sy
stem
s, an
d th
e re
turn
of
prop
erty
and
eq
uipm
ent.
X
2
CB
PIT
-10
10
This
is a
com
pone
nt le
vel f
indi
ng.
Whi
le K
PMG
not
es th
at p
rogr
ess
has
been
m
ade
in im
plem
entin
g pr
oced
ures
req
uirin
g th
e si
gnin
g of
ND
As,
KPM
G n
oted
th
at
ND
As
are
still
no
t co
nsis
tent
ly
com
plet
ed
by
cont
ract
ors
at
CB
P.
Spec
ifica
lly, K
PMG
not
ed th
at o
ut o
f a se
lect
ion
of 4
5 co
ntra
ctor
s, on
e N
DA
was
si
gned
mor
e th
an fo
ur m
onth
s af
ter t
he h
ire d
ate.
In
addi
tion,
one
ND
A w
as n
ot
prov
ided
for
a c
ontra
ctor
in
a m
ediu
m o
r hi
gh r
isk
posi
tion.
Fur
ther
, K
PMG
We
reco
mm
end
that
CB
P im
plem
ent
a m
ore
cons
iste
nt
met
hod
of
ensu
ring
that
ea
ch
cont
ract
or
empl
oyee
in
m
oder
ate
and
high
-ris
k
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
21
�
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
note
d th
at th
e N
DA
s fo
r 27
cont
ract
ors
in m
ediu
m o
r hig
h ris
k po
sitio
ns d
id n
ot
have
a d
ate
of si
gnat
ure.
po
sitio
ns s
ign
and
date
a
ND
A.
CB
PIT
-10
11
This
is a
com
pone
nt-le
vel f
indi
ng.
KPM
G h
as n
oted
that
CB
P ha
s no
t bee
n ab
le
to p
rovi
de e
vide
nce
that
wor
ksta
tions
not
on
are
rece
ivin
g an
tivi
rus
and
othe
r sec
urity
pat
ch u
pdat
es o
n a
timel
y ba
sis.
KPM
G n
oted
that
whi
le
prog
ress
has
bee
n m
ade
in a
ccou
ntin
g fo
r all
CB
P w
orks
tatio
ns, a
com
plet
e an
d up
-to-d
ate
listin
g of
all
CB
P w
orks
tatio
ns h
as n
ot b
een
mai
ntai
ned
for
the
maj
ority
of
FY 2
010.
A
s a
resu
lt, C
BP
does
not
hav
e an
acc
urat
e in
vent
ory
of
whi
ch w
orks
tatio
ns h
ave
not r
ecei
ved
anti-
viru
s and
oth
er se
curit
y pa
tch
upda
tes.
We
reco
mm
end
that
CB
P co
ntin
ue i
nsta
lling
and
deve
lop,
im
plem
ent,
and
mon
itor
polic
ies
and
proc
edur
es
to
mov
e al
l w
orks
tatio
ns
to
or
to
obta
in
wai
vers
and
com
pens
atin
g co
ntro
ls
for
thos
e w
orks
tatio
ns th
at c
anno
t be
mov
ed to
.
X
2
CB
PIT
-10
12
CB
P’s
Rol
e B
ased
Se
curit
y Tr
aini
ng
Prog
ram
do
es
not
mee
t th
e D
HS
requ
irem
ents
for
“an
nual
spe
cial
ized
tra
inin
g” t
hat
is “
com
men
sura
te w
ith t
he
indi
vidu
al’s
dut
ies
and
resp
onsi
bilit
ies.”
Sp
ecifi
cally
, the
CB
P R
BST
pro
gram
requ
ires
IT p
erso
nnel
to c
ompl
ete
only
one
hou
r of
Inc
iden
t Res
pons
e tra
inin
g,
and
one
hour
of
Cla
ssifi
ed In
form
atio
n tra
inin
g (if
app
licab
le to
the
indi
vidu
al’s
re
spon
sibi
litie
s) a
nnua
lly.
Furth
erm
ore,
out
of
the
sam
pled
45
CB
P pe
rson
nel w
ith s
igni
fican
t IT
secu
rity
resp
onsi
bilit
ies,
5 co
mpl
eted
the
tra
inin
g af
ter
CB
P’s
inte
rnal
Jun
e 30
, 20
10
dead
line.
In
addi
tion,
ano
ther
eig
ht h
ave
yet t
o co
mpl
ete
the
train
ing.
We
reco
mm
end
that
CB
P re
-exa
min
e its
ro
le-b
ased
tra
inin
g pr
ogra
m
and
cons
ider
im
plem
entin
g th
e D
HS
RB
ST P
rogr
am o
nce
it ha
s be
en im
plem
ente
d at
th
e de
partm
ent l
evel
.
X
2
CB
PIT
-10
13
This
is a
com
pone
nt-le
vel f
indi
ng.
We
note
d th
e fo
llow
ing
wea
knes
ses
rela
ted
to
acce
ss to
the
rais
ed fl
oor a
rea:
W
e re
view
ed a
cces
s re
ques
t aut
horiz
atio
ns to
the
rais
ed fl
oor a
rea
of
and
note
d th
at o
f th
e 45
indi
vidu
als
sele
cted
, 1 a
utho
rized
acc
ess
form
was
We
reco
mm
end
that
man
agem
ent
deve
lop
tool
s an
d pr
oced
ures
fo
r fa
cilit
atin
g an
d do
cum
entin
g th
e
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
22
�
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
not p
rovi
ded.
W
e re
view
ed e
vide
nce
of th
e re
certi
ficat
ion
of in
divi
dual
s w
ith a
cces
s to
the
rais
ed fl
oor
area
and
not
ed th
at o
f th
e 15
sel
ecte
d in
divi
dual
s, 2
had
not y
et
been
rece
rtifie
d.
appr
oval
/rece
rtific
atio
n an
dre
view
of i
ndiv
idua
l acc
ess
to th
e ra
ised
floo
r are
a.
CB
PIT
-10
14
This
is a
sys
tem
leve
l fin
ding
. K
PMG
not
ed th
at a
lthou
gh c
hang
es to
a u
ser’
s A
CS
acce
ss p
rofil
e ar
e lo
gged
, the
logs
of t
hese
eve
nts a
re n
ot re
gula
rly re
view
ed
by p
erso
nnel
inde
pend
ent f
rom
thos
e in
divi
dual
s tha
t mad
e th
e ch
ange
s.
We
reco
mm
end
that
CB
P fo
rmal
ize
a de
taile
dpr
oced
ure
for t
he re
view
of
AC
S se
curit
y pr
ofile
ch
ange
lo
gs.
The
proc
edur
e sh
ould
in
clud
e im
plem
entin
g a
perio
dic
revi
ew o
f th
e lo
gs b
y an
in
depe
nden
t rev
iew
er.
X
2
CB
PIT
-10
15
Dur
ing
our
tech
nica
l te
stin
g, p
atch
and
con
figur
atio
n m
anag
emen
t ex
cept
ions
w
ere
iden
tifie
d on
the
W
e re
com
men
d th
at C
BP
perf
orm
th
e fo
llow
ing
rem
edia
l act
ions
: 1
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
23
NFR
#
Con
ditio
n
.
Rec
omm
enda
tion
3
.
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
24
NFR
#
C
ondi
tion
Rec
omm
enda
tion
9
W
e re
com
men
d th
at C
BP
devo
te s
uffic
ient
res
ourc
es
in o
rder
to
impl
emen
t an
d m
aint
ain
form
al I
SAs
with
th
e PG
As
that
inte
rcon
nect
w
ith A
CS.
We
reco
mm
end
that
CB
P do
cum
ent
ISA
s fo
r al
l A
CS
PGA
co
nnec
tions
id
entif
ied
in
the
AC
S SS
P.
Issu
e
New
R
epea
t
Issu
e R
isk
Rat
ing
CB
P-IT
-10
16
This
is a
sys
tem
-leve
l fin
ding
and
a p
rior y
ear
issu
e fr
om F
Y20
08 a
nd F
Y20
09.
KPM
G d
eter
min
ed th
at e
vide
nce
of I
SAs
for
6 of
the
17 P
GA
s id
entif
ied
in th
e Sy
stem
Sec
urity
Pla
n co
uld
not b
e pr
ovid
ed.
Of t
he s
ix th
at w
ere
prov
ided
, tw
o
expi
red
durin
g FY
2010
and
had
not
bee
n re
new
ed.
X
2
CB
P-IT
-10
17
Th
is is
a sy
stem
-leve
l fin
ding
. W
e re
ques
ted
acce
ss a
utho
rizat
ion
evid
ence
for 4
5
AC
S us
ers
to d
eter
min
e w
heth
er A
CS
acce
ss w
as a
ppro
pria
tely
aut
horiz
ed.
OIT
w
as u
nabl
e to
pro
vide
evi
denc
e of
the
acce
ss re
ques
t aut
horiz
atio
ns fo
r any
of t
he
45 s
elec
ted
AC
S us
ers.
As
a re
sult,
we
are
not a
ble
to d
eter
min
e w
heth
er A
CS
acce
ss in
itiat
ions
or m
odifi
catio
ns w
ere
appr
opria
tely
app
rove
d an
d w
heth
er A
CS
acce
ss c
ontro
ls a
re in
pla
ce a
nd o
pera
ting
as re
quire
d by
DH
S an
d C
BP
polic
ies.
W
e re
com
men
d th
at C
BP
impl
emen
t pr
oced
ures
to
co
nsis
tent
ly d
ocum
ent
the
acce
ss
requ
ests
an
d ap
prov
als
for
any
and
all
acce
ss
crea
tions
an
d ch
ange
s to
A
CS
user
prof
iles.
X
2
CB
P-IT
-10
18
This
is
a co
mpo
nent
lev
el f
indi
ng.
We
note
d th
at a
cces
s re
ques
t fo
rms,
or
evid
ence
of
rece
rtific
atio
n of
acc
ess,
to th
e of
fsite
med
ia c
ould
not
be
prov
ided
fo
r 5 o
f the
15
sele
cted
em
ploy
ees.
W
e re
com
men
d th
at C
BP
upda
te
the
acce
ss
auth
oriz
atio
n pr
oces
s
to
indi
cate
that
the
acce
ss li
st
will
un
derg
o a
100%
re
certi
ficat
ion
annu
ally
.
X
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
25
� � � �
t
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
The
artif
act
shou
ld b
e an
of
ficia
l re
port
from
th
e C
ontra
ctin
g O
ffic
er
Tech
nica
l R
epre
sent
ativ
e fo
r of
fsite
m
edia
st
orag
e cl
early
sta
ting
the
resu
ltsal
ong
with
ba
ckup
pa
perw
ork
for
all
add,
de
lete
s, an
d ch
ange
s to
the
acce
ss li
st.
CB
PIT
-10
19
This
is a
sys
tem
leve
l fin
ding
. W
e w
ere
info
rmed
that
AC
S Se
curit
y A
udit
Logs
ar
e no
t be
ing
revi
ewed
. A
dditi
onal
ly, w
e no
ted
that
the
fol
low
ing
wea
knes
ses
rela
ted
to th
e A
CS
Secu
rity
Aud
it Lo
gs p
roce
dure
s con
tinue
to e
xist
: Pr
oced
ures
do
not
defin
e ho
w o
ften
the
AC
S se
curit
y pr
ofile
cha
nge
audi
t lo
gs a
re re
view
ed.
Proc
edur
es d
o no
t de
scrib
e ho
w t
he d
ocum
ente
d ev
iden
ce o
f th
e re
view
pr
oces
s is c
reat
ed b
y th
e A
CS
(ISS
O)/I
ndep
ende
nt R
evie
wer
. Pr
oced
ures
do
not
defin
e th
e sa
mpl
ing
met
hodo
logy
tha
t is
use
d to
sel
ect
AC
S pr
ofile
cha
nge
secu
rity
logs
for r
evie
w
We
reco
mm
end
that
CB
P de
velo
p an
d im
plem
ent
proc
edur
es t
hat
docu
men
t th
e re
view
pro
cess
for A
CS
prof
ile c
hang
e lo
gs.
The
proc
ess
shou
ld i
nclu
de t
he
docu
men
ted
evid
ence
of
re
view
, ho
w
ofte
n au
dit
logs
are
rev
iew
ed,
and
the
revi
ew
sam
plin
g m
etho
dolo
gy.
X
2
CB
PIT
-10
20
This
is a
sys
tem
-leve
l fin
ding
. W
e no
ted
the
follo
win
g w
eakn
esse
s re
late
d to
the
conf
igur
atio
n se
tting
s:K
PMG
not
ed th
at u
sers
wer
e al
low
ed a
n n
umbe
r of f
aile
d at
tem
pts
o ac
cess
dat
aset
s to
whi
ch th
ey w
ere
not a
utho
rized
. K
PMG
det
erm
ined
that
th
e co
ntro
l op
tion
in t
he s
ecur
ity s
oftw
are,
whi
ch r
esul
ts i
n im
med
iate
su
spen
sion
of a
ny u
ser
who
exc
eeds
the
spec
ified
num
ber
of v
iola
tions
, had
no
t bee
n co
nfig
ured
pro
perly
. K
PMG
not
ed th
at th
is se
tting
was
cor
rect
ed o
nFe
brua
ry 2
4, 2
010.
As
the
cond
ition
s w
ere
clos
ed
durin
g te
stin
g,
nore
com
men
datio
n is
re
quire
d.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
26
� � �
� � � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
KPM
G n
oted
that
use
rs w
ere
allo
wed
fa
iled
logo
n at
tem
pts
befo
re th
eir
acco
unts
wer
e lo
cked
. A
t the
end
of t
he fi
scal
yea
r the
setti
ng w
as u
pdat
ed to
th
ree
faile
d lo
gin
atte
mpt
s, an
d K
PMG
obs
erve
d th
e se
tting
in th
e sy
stem
and
no
ted
that
it w
as c
orre
cted
on
Sept
embe
r 24,
201
0.
CB
PIT
-10
21
This
is a
com
pone
nt le
vel f
indi
ng.
We
note
d th
e fo
llow
ing
wea
knes
ses
rela
ted
to
the
CB
P B
ackg
roun
d In
vest
igat
ion
proc
ess:
O
f th
e 45
ind
ivid
uals
sel
ecte
d, w
e no
ted
t hat
1 c
ontra
ctor
did
not
hav
e a
com
plet
ed b
ackg
roun
d in
vest
igat
ion
as r
equi
red
by t
he C
BP
Info
rmat
ion
Syst
em S
ecur
ity P
olic
ies
and
Proc
edur
es H
andb
ook.
W
e no
ted
that
thi
s co
ntra
ct h
as a
cces
s to
the
AC
E sy
stem
. O
f the
45
indi
vidu
als
sele
cted
, we
note
d th
at 5
em
ploy
ees
and
25 c
ontra
ctor
s di
d no
t hav
e th
eir
back
grou
nd r
einv
estig
atio
ns in
itiat
ed w
ithin
the
five
year
tim
efra
me
as r
equi
red
by C
BP
Mem
oran
dum
Reg
ardi
ng R
einv
estig
atio
ns,
date
d A
ugus
t 18,
200
8.
KPM
G
reco
mm
ends
th
at
CB
P: Com
plet
e vi
a e-
QIP
the
“ini
tiatio
n” o
f al
lre
mai
ning
em
ploy
ee
rein
vest
igat
ions
by
D
ecem
ber 3
0, 2
010.
C
ompl
ete
the
rein
vest
igat
ions
for
all
suc h
em
ploy
ees
by
Dec
embe
r 30,
201
1.
Dev
elop
/dep
loy
a tra
ckin
g m
echa
nism
(C
ontra
ctor
Tr
acki
ng
Syst
em)
by w
hich
to
iden
tify
thos
e co
ntra
ctor
s re
quiri
ng
rein
vest
igat
ion.
Dev
elop
an
d im
plem
ent
a st
rate
gy
to
ensu
re
that
rein
vest
igat
ions
for
all
cont
ract
ors
are
initi
ated
as r
equi
red.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
27
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g C
BP
IT-1
022
This
is a
sys
tem
-leve
l fin
ding
. A
CS
deve
lope
rs m
ay g
ain
emer
genc
y/te
mpo
rary
ac
cess
to th
e pr
oduc
tion
envi
ronm
ent t
hrou
gh th
e po
rtal r
eque
st p
roce
ss.
Whi
le
the
emer
genc
y/te
mpo
rary
acc
ount
act
iviti
es a
re l
ogge
d, C
BP
does
not
rev
iew
th
ese
activ
ity lo
gs to
iden
tify
inap
prop
riate
act
iviti
es.
KPM
G
reco
mm
ends
th
at
CB
P re
ports
on
the
TSS
audi
t of
em
erge
ncy
acce
ss
shou
ld b
e ru
n as
nee
ded
at
man
agem
ent’s
(e
.g.,
emer
genc
y ap
prov
er’s
) re
ques
t.
X
2
CB
PIT
-10
23
This
is a
sys
tem
-leve
l fin
ding
. A
cces
s ap
prov
als
prio
r to
the
crea
tion
of N
DC
LA
N a
ccou
nts
wer
e no
t con
sist
ently
mai
ntai
ned
in a
ccor
danc
e w
ith C
BP
polic
y an
d pr
oced
ures
. K
PMG
req
uest
ed a
cces
s au
thor
izat
ion
docu
men
tatio
n fo
r 25
in
divi
dual
s w
ho w
ere
gran
ted
ND
C-L
AN
acc
ess
durin
g FY
201
0.
Alth
ough
a
proc
ess
for
crea
ting
and
mai
ntai
ning
use
r ac
cess
for
ms
and
requ
ests
has
bee
n in
pl
ace
sinc
e be
fore
the
begi
nnin
g of
FY
201
0, in
itial
acc
ess r
eque
sts a
nd a
ppro
vals
fo
r 10
of th
ese
indi
vidu
als w
ere
not p
rovi
ded.
We
reco
mm
end
that
CB
P fu
lly
trans
ition
th
eir
proc
ess
for
requ
estin
g N
DC
-LA
N N
etw
ork
acce
ss
from
the
pap
er-b
ased
use
r ac
cess
req
uest
for
m t
o an
el
ectro
nic
user
ac
cess
re
ques
t fo
rm.
O
nce
the
elec
troni
c fo
rm
is
fully
im
plem
ente
d,
the
docu
men
ted
proc
ess
will
be
upd
ated
to
refle
ct t
hat
all
ND
C-L
AN
use
r ac
cess
re
ques
ts
mus
t go
to
th
e Te
chno
logy
Ser
vice
Des
k (T
SD) f
or a
ctio
n. T
SD w
ill
gene
rate
a
troub
le
ticke
t an
d at
tach
th
e el
ectro
nic
acce
ss r
eque
st f
orm
to
the
initi
al
user
re
ques
t tic
ket
for
ND
C-L
AN
acc
ess.
The
ticke
t will
be
issu
ed in
the
nam
e of
the
use
r ga
inin
g
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
28
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
C
usto
ms a
nd B
orde
r Pr
otec
tion
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g th
e ac
cess
so
it is
eas
ily
sear
chab
le.
TSD
is
cu
rren
tly
in
the
deve
lopm
ent
phas
e fo
r a
new
use
r ac
coun
t re
ques
t po
rtal w
hich
will
pro
vide
a
secu
re o
nlin
e en
viro
nmen
t fo
r m
anag
ing
this
pro
cess
. Th
is n
ew t
ool
will
allo
w
requ
esto
rs
the
abili
ty
to
com
plet
e an
d su
bmit
LAN
an
d eM
ail a
ccou
nt re
ques
ts
via
onlin
e w
eb fo
rm.
Onc
e th
e re
ques
t is
revi
ewed
and
ap
prov
ed
by
the
CB
P su
perv
isor
, a ti
cket
will
be
auto
mat
ical
ly
gene
rate
d (b
ypas
sing
th
e ne
ed
of
savi
ng/a
ttach
ing
and
emai
ling
the
TSD
) an
d ro
uted
to
th
e ap
prop
riate
gr
oup
for
proc
essi
ng.
A
log
will
be
capt
ured
and
sa
ved
in t
he n
ew s
yste
m
for
each
ap
prov
ed/d
enie
d re
ques
t fo
r fu
ture
re
fere
nce.
CB
PIT
-10
CB
P ha
s no
t cor
rect
ed f
unct
iona
lity
issu
es c
urre
ntly
not
ed in
AC
S, a
nd r
outin
e m
aint
enan
ce is
incr
easi
ngly
diff
icul
t and
exp
ensi
ve.
Cur
rent
ly, o
nly
two
vend
ors
To
addr
ess
this
fin
ding
, X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
29
� � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
24
supp
ort
AC
S, w
hich
lim
its C
BP’
s ab
ility
to
obta
in m
aint
enan
ce s
ervi
ces
at a
re
ason
able
cos
t. D
urin
g FY
201
0, C
BP
spen
t ne
arly
$12
.1 m
illio
n ju
st t
o m
aint
ain
AC
S at
its
curr
ent l
evel
of
func
tiona
lity.
In
add
ition
, CB
P is
cur
rent
ly
re-v
isiti
ng t
he a
mou
nt o
f fu
ndin
g ne
cess
ary
to c
ompl
ete
the
impl
emen
tatio
n of
th
e A
CE
finan
cial
mod
ules
and
will
com
plet
e th
is a
naly
sis i
n FY
201
1.
Due
to
th
ese
cond
ition
s re
gard
ing
the
func
tiona
lity
of
AC
S an
d de
laye
dim
plem
enta
tion
of A
CE,
CB
P ha
s no
t re
solv
ed t
he f
ollo
win
g kn
own
AC
S fu
nctio
nalit
y is
sues
:
AC
S la
cks
the
cont
rols
nec
essa
ry to
pre
vent
, or d
etec
t and
cor
rect
exc
essi
ve
draw
back
cla
ims.
The
pro
gram
min
g lo
gic
in A
CS
does
not
link
dra
wba
ck
clai
ms
to i
mpo
rts a
t a d
etai
led,
line
item
lev
el.
In a
dditi
on, A
CS
does
not
have
the
cap
abili
ty t
o co
mpa
re,
verif
y, a
nd t
rack
ess
entia
l in
form
atio
n on
dr
awba
ck c
laim
s to
the
rel
ated
und
erly
ing
cons
umpt
ion
entri
es a
nd e
xpor
t do
cum
enta
tion
upon
whi
ch th
e dr
awba
ck c
laim
is b
ased
. Ex
port
info
rmat
ion
is n
ot li
nked
to th
e D
raw
back
mod
ule
and
ther
efor
e el
ectro
nic
com
paris
ons o
f ex
port
data
can
not
be p
erfo
rmed
with
in A
CS.
Se
e N
FR C
BP-
10-2
0 fo
r fu
rther
det
ails
. C
erta
in m
onito
ring
repo
rts u
sed
to m
onito
r (r
evie
w)
impo
rter
com
plia
nce
with
the
in-
bond
pro
cess
hav
e no
t be
en d
evel
oped
and
the
refo
re i
mpo
rter
com
plia
nce
is n
ot b
eing
trac
ked.
In
addi
tion,
in-b
onds
are
not
aut
omat
ical
ly
linke
d to
the
rele
vant
ent
ry o
r exp
ort f
iling
s in
AC
S, w
hich
lead
s to
exte
nsiv
e m
anua
l w
ork
to c
lose
ope
n in
-bon
ds.
Fina
lly,
AC
S do
es n
ot p
rovi
de t
he
abili
ty t
o ru
n ov
ersi
ght
repo
rts t
o de
term
ine
if po
rts h
ave
com
plet
ed a
ll re
quire
d in
-bon
d po
st a
udits
and
exa
ms.
See
NFR
CB
P-10
-14
for
furth
er
deta
ils.
AC
S do
es n
ot p
rope
rly a
ccou
nt fo
r bon
d su
ffic
ienc
y of
cla
i ms
that
invo
lve
a co
ntin
uous
bon
d an
d th
eref
ore
a cl
aim
ant c
an p
oten
tially
cla
im a
nd r
ecei
ve
an a
ccel
erat
ed p
aym
ent t
hat e
xcee
ds th
e bo
nd a
mou
nt o
n fil
e.
As
a re
sult,
C
BP
will
not
hav
e su
ffic
ient
sur
ety
agai
nst a
dra
wba
ck o
ver
clai
min
g.
See
CB
P re
com
men
ds
that
it
cont
inue
to:
1.
Mod
erni
ze it
s bu
sine
ss
proc
esse
s th
ough
th
e de
velo
pmen
t an
d de
ploy
men
t of
fu
nctio
nalit
y in
th
e A
utom
ated
C
omm
erci
alEn
viro
nmen
t as
it
has
done
sinc
e 20
01.
2.
Wor
k w
ithst
akeh
olde
rs, i
nclu
ding
C
BP
pers
onne
l, th
e tra
de,
parti
cipa
ting
gove
rnm
ent
agen
cies
, th
e D
epar
tmen
t of
H
omel
and
Secu
rity
and
the
Con
gres
s to
pr
iorit
ize,
dev
elop
, and
de
ploy
fu
nctio
nalit
yth
at
allo
ws
CB
P to
fulfi
ll its
mis
sion
and
m
eet
the
need
s of
its
stak
ehol
ders
.
3.
Seek
fund
s th
roug
h th
e bu
dget
pr
oces
s th
at
will
al
low
C
BP
to
cont
inue
to
de
velo
p
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
30
� � �
App
endi
x B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Cus
tom
s and
Bor
der
Prot
ectio
n
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR #
Con
ditio
n R
ecom
men
datio
n N
ewIs
sue
Rep
eat
Issu
e R
isk
Rat
ing
NFR
CB
P-10
-05
for f
urth
er d
etai
ls.
AC
S do
es n
ot p
rovi
de s
umm
ary
info
rmat
ion
of th
e to
tal u
npai
d as
sess
men
ts
for
dutie
s, ta
xes,
and
fees
by
indi
vidu
al i
mpo
rter
(i.e.
, a
sub-
ledg
er)
and
cann
ot p
rovi
de r
epor
ting
info
rmat
ion
on o
utst
andi
ng r
ecei
vabl
es, t
he a
ge o
f re
ceiv
able
s, or
oth
er d
ata
nece
ssar
y fo
r m
anag
emen
t to
eff
ectiv
ely
mon
itor
colle
ctio
n ac
tions
. Se
e N
FR C
BP-
10-0
4 fo
r fur
ther
det
ails
. Th
e dr
awba
ck s
elec
tivity
fun
ctio
n of
AC
S is
not
pro
gram
med
to
sele
ct a
st
atis
tical
ly v
alid
sam
ple
of p
rior
draw
back
cla
ims
agai
nst a
sel
ecte
d im
port
entry
. Se
e N
FR C
BP-
10-0
3 fo
r fur
ther
det
ails
. A
CS
is p
rogr
amm
ed to
aut
omat
ical
ly in
dica
te th
at a
Por
t Dire
ctor
cer
tifie
d a
refu
nd o
r dra
wba
ck p
aym
ent e
ven
if th
e Po
rt D
irect
or d
oes n
ot c
ertif
y a
give
n pa
ymen
t. S
ee N
FR C
BP-
10-1
9 fo
r fur
ther
det
ails
.
and
depl
oyfu
nctio
nalit
y in
th
at
will
su
ppor
t C
BP’
s m
issi
on
and
mee
t th
e ne
eds
of i
tsst
akeh
olde
rs.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 C
BP
Fina
ncia
l Sta
tem
ent A
udit
Page
31
Appendix C Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
APPENDIX C
Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and
Recommendations at CBP
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 32
NFR No. Description Disposition Closed Repeat
CBP-IT-09-03 Contractor Tracking Deficiencies X CBP-IT-09-12 Install CBP-IT-10-11 CBP-IT-09-13 Complete List of CBP Workstations CBP-IT-10-11 CBP-IT-09-21 Review of Changes to Security Profiles in ACS CBP-IT-10-14 CBP-IT-09-27 Administrator Access Authorization Weaknesses X CBP-IT-09-29 Completion of CF-241 Forms for Terminated Employees CBP-IT-10-09 CBP-IT-09-34 Installation of Anti-Virus Protection CBP-IT-10-11 CBP-IT-09-41 Weaknesses in the Process of Separating CBP Contractors CBP-IT-10-08 CBP-IT-09-44 CBP-IT-09-45 CBP-IT-09-48
Completion of Non Disclosure Agreements for US CBP Contractors Log configuration weakness for System.
Lack of Effective ACS Access Change Log Review Procedures
CBP-IT-10-10 X
CBP-IT-10-19 CBP-IT-09-56 ACE Audit Log Reviews CBP-IT-10-03 CBP-IT-09-57 NDC LAN Audit Logs X CBP-IT-09-58 Novell Password Settings X CBP-IT-09-59 Formal Procedures for Mainframe System Utility Logs X CBP-IT-09-60 Configuration for Mainframe Security Violation Control Option CBP-IT-10-20
CBP-IT-09-61 Completion of Initial Background Investigations and Periodic Background Reinvestigations for CBP Employees and Contractors CBP-IT-10-21
CBP-IT-09-62 Rules of Behavior Not Consistently Signed by CBP Employees and Contractors X
CBP-IT-09-63 ACE does not disable accounts after 45 days X CBP-IT-09-64 ACS PGA ISAs Not Completely Documented CBP-IT-10-16CBP-IT-09-65 Documentation of ACE Access Change Requests CBP-IT-10-06 CBP-IT-09-66 Separated Employees on ACE Access Listing CBP-IT-10-01 CBP-IT-09-67 Inadequate Documentation of ACS Access Change Requests CBP-IT-10-17 CBP-IT-09-68 Vulnerabilities in Configuration and Patch Management X CBP-IT-09-69 Inadequate SAP Profile Change Review X CBP-IT-09-70 Overuse of ACS Emergency/Temporary Access Roles X
CBP-IT-09-71 Inadequate Documentation of SAP Emergency/Temporary Access Requests X
CBP-IT-09-72 ACE Segregation of Duties Controls are Not In Place CBP-IT-10-02
CBP-IT-09-73 Inadequate Documentation of ACE SCO Access Requests and Approvals X
CBP-IT-09-74 Inadequate Protection of CBP Information and Property CBP-IT-10-05 CBP-IT-10-07
Appendix C Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 33
1300 ~ns)'lvaniolA\~ueN'WW;lShingtOn. DC 20229
u.s. Customs ;mdBorder Protection
MAR 2 1 1011
MEMORANDUM FOR: Frank DefTerAssistant Inspector GeneralInfonnallon Technology Aud-
FROM: Charles AnnstrongAssistant CommissioneOffice oflnfonnation
SUBJECT: Draft Audit Report· In onnation Technology Management Letterfor the FY 2010 CBP Financial Statement Audit
In response to the memorandum dated Fcbruary 18, 201 J requcsting written comments on thedraft report and responses to its reconunendations, U.s. Customs and Border Protection's(CBP's) Office of Infonnation Technology (OIT) is providing the following commt;:nts on theremediation actions that arc being pcrfonned for the findings and recommendations from the FY20 I0 audit. We have included an attachment that contains a status on our Corrective ActionPlans (CAPs) and their estimated completion dales. CBP will provide a sensitivity review thatincludes redaction requests under separate: cover.
General comments
Twenty-three NFRs were issued to CBP OIT (16 were reissues of FY 2009 findings and 7 werenew). To date. remediation work on 3 findings have been completed. Progress is being reportedon the remaining 20_ orr hilS non-conC\lrred on I finding. CAPs for the applicable findings arein progress and their status is provided in the attachment.
Security Mumtgemenl
CBP concurred with KPMG's eight findings and recommendations in this area. OIT inconjunction with the CBP offices of Administralion and InlernaJ Affairs are cooperating toremedialc the eight findings. All except one are expected to be completed by the end of the fiscalyear. The status for each CAP is provided in the attachmenl.
Acceu Controls
Appendix D Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 34
CDP concurrro v.ith KPMG', 11 findings llnd 1"C(:0mmcndlllti0l15 in thi, lITCll, Work on 2 findingshas been completed and one of those was closed by the auditor during testing, The other ninefindings an: on trnek for c.ompletion this fixal year. Tile: status ofeach CAP is provided in tho<:attachmcnL
CBp concurred with KpMG's nnding and recommendation in this area. UH' continued tocomplete its FY2009 plan with collaboration between tlte CDP offices of International Trade,A .... "illisllll.liull. an" Fit:lu Ope:r~liolls to iuemify ar>d documem Incompatible roles. CBP!hen de\'elopeda procedure to ensure incompatiblc roles ....ere not assigned to thoe same user, unless an exception isproperly authoriu:u. cor developed un" implemented III process to review eJti:5ting roles andeliminate incompatible roles from the active user listings. The status of this CAP is provided inthe 1'Iltachmcni.
Financial S)'lltem ....unctiomdi.y
CDI' non-concurred with KPMO's finding and recommendations in this area. This NFR onlyserves as a summary of other issued NFRs for application functionality issues that include a lackof conrrols to pre\'em. deteet. and correct excessive d.rnwback claims; a Jack of reponing forlmCking importer compliance with the in-bond process; the: proper accounting ofbondsufficiency of claims; providing summary information for the lotal unpaid assessments tor duties,taxcs, and fees by individual imponCT; valid statisrical sampling for prior drawback claimsagainst a seleeled Impon entry; and alilomalif; indicating of cc:nifif;3.tion by a Port DireclOr for arefund or drawback claim, e\'cn if the payment hasn'l been certified by the Port DiTl:Clor.
Aher-llOllrs Ph)'llical Security and Socilll EngiD~riDgTn'ing
CBP concurred with KPMG's two findings and recommendations in this area.. orr inconjunction with the COP offices of Inlernal Affairs and Privacy arc continuing their FY 2009plan along with de\'eloping addilionaltasks to stre-ngthen the security awareness programs foreduC<lting employees on how to respond to information security attacks, protecting electronic andphysical data, hardware, and Personally Identifiable Infonnation (I'll). as well as informationmarked FOUO. The estimated completion date is September 15. 2011, The status of cach CAP isprovided in the attachment.
If you have any questions concerning this response, please contact Judy Wri~ht, Office orInrormation and Tcr.hnology Audit Liaison, at (5 71) 468-4155.
Attnchment:
Appendix D Department of Homeland Security
Customs and Border Protection Information Technology Management Letter
September 30, 2010
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 35
Department of Homeland Security Customs and Border Protection
Information Technology Management Letter September 30, 2010
Report Distribution
Department of Homeland Security
Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Acting Deputy Commissioner, CBP DHS Chief Information Officer DHS Chief Financial Officer Chief Financial Officer, CBP Chief Information Officer, CBP Chief Information Security Officer Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison Audit Liaison, CBP
Office of Management and Budget
Chief, Homeland Security Branch DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees, as appropriate
Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 36
ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:
DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.
The OIG seeks to protect the identity of each writer and caller.