department of homeland security ofﬁce of inspector generaldepartment of homeland security ofﬁce...

Department of Homeland Security Office of Inspector General

Information Technology Management Letter for the FY 2010 U.S. Customs

and Border Protection Financial Statement Audit

(Redacted)

OIG-11-90 June 2011

Office ofInspector General

u.s. Department ofHomeland Security Washington, DC 25028

I:

i 1

Homeland Security

JUN 142011

Preface

The Department of Romeland Security (DRS) Office ofInspector General (OIG) was established by the Homeland Security Act oj2002 (Public Law 107-296) by amendment to the Inspector General Act oj1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2010 U.S. Customs and Border Protection (CBP) financial statement audit as of September 30, 2010. It contains observations and recommendations related to information technology internal controls that were summarized in the Independent Auditors Report dated January 25,2011 and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at CBP in support of the DRS FY 2010 financial statement audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated January 31, 2011, and the conclusions expressed in it. We do not express opinions on DRS' financial statements or internal controls or conclusions concerning compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who· contributed to the preparation of this report.

~~ Frank Deffer Assistant Inspector General Information Technology Audits

KPMG LLP 2001 M Street, NW Washington, DC 20036-3389 January 31, 2011

Office of Inspector General U.S. Department of Homeland Security

Chief Information Officer U.S. Customs and Border Protection

Chief Financial Officer U.S. Customs and Border Protection

Ladies and Gentlemen:

We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a Component of the U.S. Department of Homeland Security (DHS), as of September 30, 2010 and 2009, and the related consolidated statements of net cost, changes in net position, custodial activity, and the combined statements o f budgetary resources (hereinafter referred to as “consolidated financial statements”) for the years then ended. In planning and performing our audit of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.

In connection with our fiscal year (FY) 2010 engagement, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our audit of CBP as of, and for the year ended, September 30, 2010, disclosed a significant deficiency in the areas of Information Technology (IT) access controls, security management, segregation of duties, and functionality. These matters are described in the IT General Control Findings and Recommendations section of this letter.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

The significant deficiency described above is presented in our Independent Auditors’ Report, dated January 25, 2011. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. We aim to use our knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2010 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C.

CBP’s written response to our comments and recommendations included in Appendix D has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and CBP management, DHS Office of Inspector General (OIG), the OMB, the Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

TABLE OF CONTENTS

Page

Objective, Scope, and Approach 1

Summary of Findings and Recommendations 3

IT General Control Findings and Recommendations 4

Security Management 4

After-Hours Physical Security Testing 5

Social Engineering Testing 5

Access Control 6

Segregation of Duties 7

Financial System Functionality 7

Application Control Findings 11

Management’s Comments and OIG Response 11

APPENDICES

Appendix

A

Subject

Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit

Page

12

B FY 2010 Notices of IT Findings and Recommendations at CBP - Notice of Findings and Recommendations – Definition of Severity Ratings

15 16

C

D

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at CBP

Management’s Comments

32

34

Department of Homeland Security Customs and Border Protection

Information Technology Management Letter September 30, 2010



OBJECTIVE, SCOPE, AND APPROACH

We have audited the CBP agency’s balance sheets and related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (hereinafter, referred to as “consolidated financial statements”) as of September 30, 2010 and 2009. In connection with our audit of CBP’s consolidated financial statements, we performed an evaluation of information technology general controls (ITGC), to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

�

�

�

�

�

Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.

Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the CBP environment. The technical security testing was performed both over the Internet and from within select CBP facilities, and focused on test, development, and production devices that directly support key general support systems.

Information Technology Management Letter for the FY 2010 CBP Financial Statement Audit Page 1



In addition to testing CBP’s general control environment, we performed application control tests on a limited number of CBP’s financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as follows: Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

� Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.




SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2010, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements over various system logical access processes and system security settings, system administrator access processes and procedures, and performed more consistent tracking of contractors and system user rules of behavior agreements. However, during FY 2010, we continued to identify IT general control weaknesses that could potentially impact CBP’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation, and we considered them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants (AICPA). The IT findings were combined into one significant deficiency regarding IT for the FY 2010 audit of the CBP consolidated financial statements. In addition, based upon the results of our test work, we noted that CBP did not fully comply with the requirements of the FFMIA.

In FY 2010, our IT audit work identified 23 IT findings, of which 16 were repeat findings from the prior year and 7 were new findings. In addition, we determined that CBP remediated 13 IT findings identified in previous years. Collectively, these findings represent deficiencies in three of the five FISCAM key control areas as well as deficiencies related to financial system functionality. The FISCAM areas impacted included Security Management, Access Controls, and Segregation of Duties. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited thereby compromising the integrity of financial data used by management and reported in CBP’s financial statements.

The recommendations made by us in this report are intended to be helpful, and may not fully remediate the deficiency. CBP management has responsibility to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.




IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2010 CBP financial statement audit, we identified the following IT and financial system control deficiencies that in the aggregate are considered a significant deficiency:

Security Management

�

�

�

�

�

�

�

�

A complete, up-to-date listing of all CBP workstations is not maintained. As a result, CBP cannot determine whether CBP workstations are adequately protected against security threats.

Of the forty-five selected employees that had separated in FY 2010, 19 of these individuals did not have a completed CBP Form 241 on file.

Separation procedures relating to CBP contractors refer to Department of Treasury policies, and therefore are outdated as CBP is no longer a part of Treasury. Additionally, CBP-242 contractor separation forms were not properly completed for 9 of 45 selected CBP contractors.

Non-Disclosure Agreements (NDAs) for 29 of 45 selected contractors were signed several months after their hire date, were not signed and/or dated by the contractor, and/or were not completed by CBP.

CBP has not completed reinvestigations of contractors that should have been completed during the FY 2010 fiscal year (previous investigation date was greater than five years).

During technical testing, access, configuration and patch management exceptions were identified on Active Directory (AD) Domain Controllers and hosts supporting the SAP, the Automated Commercial System (ACS), and the Automated Commercial Environment (ACE) applications.

Role-based security training requirements for personnel with IT security positions were inadequate and were not commensurate with the individual’s duties and responsibilities. Additionally, 8 of the 45 sampled individuals did not complete the required specialized training by the CBP deadline.

Access to the raised floor area at the National Data Center (NDC) was not consistently documented by approved access requests. Additionally, not all personnel with access to the raised floor area were re-authorized for access.




After-Hours Physical Security Testing

After-hours physical security testing was conducted to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that houses financial data and information residing on a CBP employee’s/contractor’s desk, which could be used by others to gain unauthorized access to systems hosting financial information. The testing was performed at various CBP locations that process and /or maintain financial data as shown in the following table.

Exceptions Noted

CBP Locations Tested Total Exceptions

by Type

NDC-7 (BLM

Building) NDC-1 Beauregard

(Alexandria) Falls

Church Tyson’s Corner NDC-4

Passwords 1 1 2 2 6 4 16 For Official

Use Only (FOUO)

5 18 5 5 6 4 43

Keys/Badges 3 1 0 6 1 2 13 Personally Identifiable Information

(PII)

4 4 0 1 0 2 11

Server Names/IP Addresses

1 5 1 0 2 1 10

Laptops 0 3 0 0 1 2 6 External Drives 0 0 1 1 0 0 2

Credit Cards 1 0 0 0 0 0 1

Total Exceptions by Location

15 32 9 15 16 15 102

Note that approximately 15 desks / offices were examined for each one of the columns in the above table.

Social Engineering Testing

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to deception for the purpose of information gathering or for gaining computer system access.

Total Called Total Answered Number of People Who Divulged a Password 25 16 2




Access Control

�

�

The log of ACS access profile changes is not regularly reviewed by personnel independent from those individuals that have made the changes.

The following issues exist in regard to ACS Security Profile Change Log Procedures: - Procedures do not define how often the ACS security profile change audit logs are

reviewed; - Procedures do not describe how evidence of the review process is created by the ACS

Information System Security Officer (ISSO)/Independent Reviewer; and, - Procedures do not define the sampling methodology that is used to select ACS profile

change security logs for review.

�

�

�

�

�

�

�

�

�

ACE audit logs are not being reviewed on a regular basis.

The control option to limit the number of failed logon attempts to the was not configured properly.

ACS Information Security Agreements (ISAs) for all identified participating government agencies have not been documented as required by CBP and DHS policies.

Initial access requests and approvals for 9 of 25 individuals granted access to ACE during FY 2010 could not be provided.

ACE portal accounts for are not timely removed as required by CBP and DHS policy.

Access request documentation for individuals who had their ACS access profiles modified during FY 2010 was not consistently maintained.

Activities of developers granted temporary/emergency access to ACS production were not monitored for appropriateness.

Access request documentation for individuals who were granted access to the NDC Local Area Network (LAN) during FY 2010 was not consistently maintained.

Personnel with access to backup media maintained off site have not regularly been recertified to validate the need for continuing access and the specific levels of access warranted.




Segregation of Duties

� ACE is not currently configured to restrict access to least privilege for performing job functionality as required by CBP policy.

Financial System Functionality

KPMG identified control weaknesses related to the processing of drawback payments and in certain entry processes, which are reported in detail in the Independent Auditors’ Report. These weaknesses are reported here in the Information Technology Management Letter to emphasize the common technology link within these findings as related to ACS.

ACS is used to track, control, and process commercial goods and conveyances for the purpose of collecting import duties, fees, and taxes owed to the Federal government and processing refunds and drawbacks related to the process of these collections. Since ACS was created in the mid-1980s, maintenance for the system has become increasingly difficult and expensive. Furthermore, the funding necessary to substantially remediate these control weaknesses is not available.

These control weaknesses continue to exist where ACS is functionally deficient. The conditions below highlight the deficiencies within ACS.

�

�

�

�

ACS lacks the controls necessary to prevent, or detect and correct excessive drawback claims. The programming logic in ACS does not link drawback claims to imports at a detailed, line item level. In addition, ACS does not have the capability to compare, verify, and track essential information on drawback claims to the related underlying consumption entries and export documentation upon which the drawback claim is based. Export information is not linked to the Drawback module and therefore electronic comparisons of export data cannot be performed within ACS.

Certain monitoring reports used to monitor (review) importer compliance with the in-bond process have not been developed and therefore importer compliance is not being tracked. In addition, in-bonds are not automatically linked to the relevant entry or export filings in ACS, which leads to extensive manual work to close open in-bonds. Finally, ACS does not provide the ability to run oversight reports to determine if ports have completed all required in-bond post audits and exams.

ACS does not properly account for bond sufficiency of claims that involve a continuous bond and therefore a claimant can potentially claim and receive an accelerated payment that exceeds the bond amount on file. As a result, CBP will not have sufficient surety against a drawback over claiming.

ACS does not provide summary information of the total unpaid assessments for duties, taxes, and fees by individual importer (i.e., a sub-ledger) and cannot provide reporting information on outstanding receivables, the age of receivables, or other data necessary for management to effectively monitor collection actions.




�

�

The drawback selectivity function of ACS is not programmed to select a statistically valid sample of prior drawback claims against a selected import entry.

ACS is programmed to automatically indicate that a Port Director certified a refund or drawback payment even if the Port Director does not certify a given payment.

Recommendations:

We recommend that the CBP Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to CBP’s financial management systems and associated information technology security program.

For Security Management

�

�

�

�

�

�

�

Continue installing and develop, implement, and monitor policies and procedures to move all workstations to or to obtain waivers and compensating controls for those workstations that cannot be moved to .

Review the validity of the CBP Form 241 for the Employee Separation process and to originate an alternate mechanism to hold managers accountable for timely notification of employee separations and for confirming the termination of access to information systems, and the return of Government property and equipment;

Review the current Customs Directive and update it to reflect the current operating environment. Additionally, consistent and accurate completion of the SF Form 242 is required for all separating contractors with access to CBP facilities, information systems and/or sensitive information;

Implement a more consistent method of ensuring that each contractor employee in moderate and high-risk positions complete and sign a NDA;

Additional work: - Complete via e-QIP the “initiation” of all remaining employee reinvestigations by

December 30, 2010. - Complete the reinvestigations for all such employees by December 30, 2011. - Develop/deploy a tracking mechanism (Contractor Tracking System) by which to

identify those contractors requiring reinvestigation;

Develop and implement a strategy to ensure that reinvestigations for all contractors are initiated as required;

Patch, upgrade, correct, or obtain waivers for any identified weaknesses as a result of the IT technical vulnerabilities assessment;




�

�

Re-examine the CBP role-based training program and consider implementing the DHS Role-Based Security Training Program at CBP once it is implemented at DHS; and

Develop tools and procedures for facilitating and documenting the approval/recertification and review of individual access to the raised floor area.

For After-Hours Physical Security Testing:

� Implement multiple types of security awareness reminders and opportunities to educate users of the importance of protecting CBP information systems and data. Specifically, social engineering evaluations should be incorporated into routine site inspections to test employee security awareness and to educate users on how to respond to information security attacks.

For Social Engineering Testing:

� Continue annual security awareness training. In addition, seek to add other means of increasing security awareness.

For Access Control �

�

�

�

�

�

Formalize a detailed procedure for the review of ACS security profile change logs. The procedure should include implementing a periodic review of the logs by an independent reviewer;

Develop and implement procedures that document the review process for ACS profile change logs. The process should include the documented evidence of review, how often audit logs are reviewed, and the review sampling methodology to be used;

Maintain evidence that regular reviews of audit logs are occurring. Specifically, continue plans initiated in July of 2010 to institutionalize a more formal method of documenting who performed reviews of audit logs, when these reviews occurred, and what issues (if any) were identified. ;

Perform a cost/benefit analysis to determine whether an ACE custom-developed solution or a purchased commercial off the shelf (COTS) product should be implemented for full automation of audit log reviews;

Devote sufficient resources in order to implement and maintain formal ISAs with the Partnering Government Agencies (PGAs) that interconnect with ACS. Document ISAs for all ACS PGA connections identified in the ACS SSP;

Issue a memorandum and distribute the procedures to the respective CBP Offices to implement monitoring procedures to ensure compliance with stated procedures and that Office Information Technology (OIT) coordinate a meeting with the other CBP Offices to determine if centralized access control measures are necessary;




�

�

�

�

�

Implement procedures to reinforce adherence to guidance requiring timely notification of separations by employees or contractors with access to ACE. Those responsible for ACE access control need to be notified of a separation no later than the day of separation;

Implement and monitor procedures to consistently document the access requests and approvals for any and all access creations and changes to ACS user profiles;

For the TSS audit of emergency access, run a report, as needed, at management’s (e.g., emergency approver’s) request;

Transition the process for requesting NDC-LAN Network access from the paper-based user access request form to an electronic user access request form. Once the electronic form is fully implemented, update the documented process to reflect that all NDC-LAN user access requests must go to the Technology Service Desk (TSD) for action. TSD will generate a trouble ticket and attach the electronic access request form to the initial user request ticket for NDC-LAN access. The ticket will be issued in the name of the user gaining the access so it is easily searchable; and

Update the access authorization process to indicate that the access list will undergo a 100% recertification annually. The artifact derived from this action should be an official report from the Contracting Officer Technical Representative for offsite media storage clearly stating the recertification results along with the backup paperwork for all adds, deletes, and changes to the access list.

For Segregation of Duties

� Continue to work with the Office of International Trade, Office of Administration and Office of Field Operations to identify incompatible roles and develop procedures as part of the access control process to ensure that these role combinations are not granted to ACE users, except when a waiver is granted in writing.

Lack of Financial System Functionality

� Continue efforts on the following: - Modernize business processes though the development and deployment of functionality

in the Automated Commercial Environment as it has done since 2001. - Work with ACE stakeholders, including CBP personnel, the trade, participating

government agencies, the Department of Homeland Security and the Congress to prioritize, develop, and deploy functionality that allows CBP to fulfill its mission and meet the needs of its stakeholders.

- Seek funds through the budget process that will allow CBP to continue to develop and deploy functionality in ACE that will support CBP’s mission and meet the needs of its stakeholders.




APPLICATION CONTROL FINDINGS

We did not identify any findings in the area of application controls during the fiscal year 2010 CBP audit engagement.

MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from CBP management. Generally, CBP management agreed with our findings and recommendations. CBP management has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that CBP management is taking to satisfy these recommendations


Appendix A Department of Homeland Security

Customs and Border Protection Information Technology Management Letter

September 30, 2010

Appendix A

Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial

Statement Audit




September 30, 2010

Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2010 Financial Statement Audit.

Automated Commercial Environment (ACE)

ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that this system will replace ACS when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to Federal agencies. ACE is being deployed in phases, with no set final full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY2010 financial statement audit. The ACE system is located in Newington, VA.

Automated Commercial System (ACS)

ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system is included in full scope in the FY 2010 financial statement audit. The ACS system is located in Newington, VA.

National Data Center – Local Area Network (NDC LAN)

The NDC LAN provides more than 1,200 CBP contractor and employee user access to enterprise-wide applications and systems. The mission of the NDC LAN is to the support Field Offices/Agents with applications and technologies in the securing and protection of our nation's borders. The NDC LAN consists of five Novell NetWare 6.5 servers, various workstations and printers/plotters, 11 Cisco switches, and the associated Novell Netware management applications. There are no major or minor applications running on the NDC LAN other than the file and print services associated with the Novell NetWare servers. The NDC LAN is an unclassified system processing For Official Use Only (FOUO) data. As the NDC LAN includes the environment where the ACE, ACS, and SAP applications physically reside, the NDC LAN is included in limited scope in the FY2010 financial statement audit. The NDC LAN is located in Newington, VA.




September 30, 2010

SAP Enterprise Central Component (SAP ECC 6.0)

SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC 6.0 financial management system is included in full scope in the FY 2010 financial statement audit. The SAP ECC 6.0 system is located in Newington, VA.


Appendix B Department of Homeland Security


September 30, 2010

Appendix B FY 2010 Notices of IT Findings and Recommendations at CBP


Appendix B Department of Homeland Security


September 30, 2010

Notice of Findings and Recommendations NFR – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors’ Report.

1 – Not substantial

2 – Less significant

3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These rating are provided only to assist CBP in prioritizing the development of its corrective action plans for remediation of the deficiency.


FY

2010

Info

rmat

ion

Tech

nolo

gy

Not

ifica

tion

of F

indi

ngs a

nd R

ecom

men

datio

ns –

Det

ail

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g C

BP

IT-1

0 01

This

is

a sy

stem

-leve

l fin

ding

. K

PMG

not

ed t

hat

CB

P po

rtal

acco

unts

for

a

re r

emov

ed o

n a

bi-w

eekl

y ba

sis

and

are

not r

emov

ed o

n

the

day

of t

he i

ndiv

idua

l’s s

epar

atio

n as

req

uire

d by

CB

P an

d D

HS

polic

y.

KPM

G d

id n

ote

that

CB

P is

aw

are

of th

e is

sue

and

is lo

okin

g in

to a

n au

tom

ated

so

lutio

n fo

r co

mpl

ianc

e w

ith C

BP

and

DH

S po

licy.

Upo

n fu

rther

tes

ting

of

term

inat

ed e

mpl

oyee

s, K

PMG

did

not

find

any

use

rs th

at h

ad a

cces

sed

the

syst

em

afte

r the

ir se

para

tion

date

from

CB

P.

CB

P sh

ould

im

plem

ent

proc

edur

es

to

rein

forc

e ad

here

nce

to

guid

ance

re

quiri

ng

timel

y no

tific

atio

n of

sep

arat

ions

by

em

ploy

ees

or

cont

ract

ors

with

acc

ess

to

AC

E.

Th

ose

re

spon

sibl

e fo

r A

CE

acce

ss

cont

rol

need

to

b

e no

tifie

d of

a

sepa

ratio

n no

late

r tha

n th

e da

y of

sepa

ratio

n.

X

2

CB

PIT

-10

02

This

is a

syst

em le

vel f

indi

ng.

KPM

G n

oted

that

AC

E is

not

cur

rent

ly c

onfig

ured

to

pre

vent

inco

mpa

tible

role

s fr

om b

eing

ass

igne

d to

a u

ser,

as re

quire

d by

CB

P an

d D

HS

polic

ies.

Whi

le,

initi

al s

teps

have

bee

n ta

ken

to a

ddre

ss f

orm

al

segr

egat

ion

of d

utie

s with

in th

e sy

stem

, no

addi

tiona

l act

ions

hav

e ta

ken

plac

e.

CB

P O

ffic

e of

Inf

orm

atio

n an

d Te

chno

logy

will

cont

inue

to

wor

k w

ith t

he

Off

ice

of

In

tern

atio

nal

Trad

e,

Off

ice

of

Adm

inis

tratio

n an

d O

ffic

e of

Fi

eld

Ope

ratio

ns

to

id

entif

y in

com

patib

le r

oles

an

d de

velo

p pr

oced

ures

as

part

of t

he a

cces

s co

ntro

l pr

oces

s to

ens

ure

that

thes

e ro

le c

ombi

natio

ns a

re

no

t gr

ante

d to

A

CE

user

s,

ex

cept

whe

n a

wai

ver

is

gran

ted

in w

ritin

g.

X

2

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

17

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g C

BP

IT-1

003

This

is

a sy

stem

-leve

l fin

ding

. K

PMG

not

ed t

hat

evid

ence

of

com

plet

ed A

CE

syst

em l

og (

Sysl

og)

revi

ews

did

not

incl

ude

an a

ppro

pria

te l

evel

of

deta

il.

Spec

ifica

lly,

durin

g th

e m

ajor

ity o

f FY

2010

, th

ere

was

no

form

al m

etho

d of

do

cum

entin

g w

ho p

erfo

rmed

the

aud

it lo

g re

view

s, w

hen

they

wer

e re

view

ed,

wha

t iss

ues

(if a

ny) w

ere

iden

tifie

d, a

nd th

e ac

tions

take

n (if

app

licab

le).

KPM

G

note

d th

at p

roce

dure

s re

gard

ing

the

revi

ew o

f A

CE

audi

t lo

gs h

ave

been

es

tabl

ishe

d pr

ior

to

fisca

l ye

ar

2010

, an

d th

at

man

agem

ent

is

curr

ently

im

plem

entin

g a

form

al m

etho

d of

doc

umen

ting

the

requ

isite

sys

tem

log

revi

ew

info

rmat

ion.

We

reco

mm

end

that

CB

P m

aint

ain

evid

ence

th

at

regu

lar

revi

ews

of

audi

t lo

gs

are

occu

rrin

g.

Spec

ifica

lly,

we

reco

mm

end

that

C

BP

cont

inue

w

ith

plan

s in

itiat

ed in

Jul

y of

201

0 to

in

stitu

tiona

lize

a m

ore

form

al

met

hod

of

docu

men

ting

who

pe

rfor

med

rev

iew

s of

aud

it lo

gs,

whe

n th

ese

revi

ews

occu

rred

, an

d w

hat

issu

es

(if a

ny) w

ere

iden

tifie

d.

We

also

rec

omm

end

that

C

BP

perf

orm

a c

ost/b

enef

it an

alys

is

to

dete

rmin

e w

heth

er a

n A

CE

cust

om-

deve

lope

d so

lutio

n or

a

purc

hase

d C

OTS

pr

oduc

t sh

ould

be

impl

emen

ted

for

full

auto

mat

ion

of a

udit

log

revi

ews.

X

2

CB

PIT

-10

05

Soci

al e

ngin

eerin

g is

def

ined

as

the

act o

f at

tem

ptin

g to

man

ipul

ate

or d

ecei

ve

peop

le i

nto

taki

ng a

ctio

n th

at i

s in

cons

iste

nt w

ith p

olic

ies,

such

as

divu

lgin

g se

nsiti

ve in

form

atio

n or

allo

win

g / e

nabl

ing

com

pute

r sy

stem

acc

ess.

The

term

ty

pica

lly a

pplie

s to

trick

ery

or d

ecep

tion

for t

he p

urpo

se o

f inf

orm

atio

n ga

ther

ing,

or

com

pute

r sys

tem

acc

ess.

We

reco

mm

end

that

CB

P im

plem

ent

mul

tiple

ty

pes

of

secu

rity

awar

enes

s re

min

ders

an

d op

portu

nitie

s to

ed

ucat

e

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

18

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g

The

obje

ctiv

e of

our

soci

al e

ngin

eerin

g te

st w

ork

prim

arily

focu

sed

on a

ttem

ptin

g to

iden

tify

user

pas

swor

ds.

Posi

ng a

s DH

S te

chni

cal s

uppo

rt em

ploy

ees,

atte

mpt

s w

ere

mad

e to

obt

ain

this

typ

e of

acc

ount

inf

orm

atio

n by

con

tact

ing

rand

omly

se

lect

ed e

mpl

oyee

s by

tele

phon

e.

A s

crip

t was

use

d to

ask

for

ass

ista

nce

from

th

e us

er i

n re

solv

ing

a ne

twor

k is

sue

in t

he c

ompo

nent

. F

or e

ach

pers

on w

e at

tem

pted

to c

all,

we

note

d in

the

tabl

e be

low

whe

ther

the

indi

vidu

al a

nsw

ered

an

d w

heth

er w

e ob

tain

ed a

ny in

form

atio

n fro

m th

em th

at s

houl

d no

t hav

e be

en

shar

ed w

ith u

s ac

cord

ing

to D

HS

polic

y.

Our

sel

ectio

n of

indi

vidu

als

was

not

st

atis

tical

ly d

eriv

ed,

and

ther

efor

e w

e ar

e un

able

to

proj

ect

resu

lts t

o th

e co

mpo

nent

or d

epar

tmen

t as a

who

le.

Of 2

5 in

divi

dual

s ca

lled,

16

answ

ered

. O

f the

16

that

ans

wer

ed, 2

div

ulge

d th

eir

netw

ork

pass

wor

d.

user

s of

the

im

porta

nce

of

prot

ectin

g C

BP

info

rmat

ion

syst

ems

and

data

. Sp

ecifi

cally

, w

e re

com

men

d th

at

soci

al

engi

neer

ing

eval

uatio

ns b

e in

corp

orat

ed

into

ro

utin

e si

te

insp

ectio

ns

to

test

em

ploy

ee’s

se

curit

y aw

aren

ess

and

to e

duca

te

user

s on

how

to r

espo

nd to

in

form

atio

n se

curit

y at

tack

s.

CB

PIT

-10

06

This

is

a

syst

em-le

vel

findi

ng.

K

PMG

re

ques

ted

acce

ss

auth

oriz

atio

n do

cum

enta

tion

for 2

5 in

divi

dual

s w

ho w

ere

gran

ted

AC

E ac

cess

dur

ing

FY 2

010.

In

itial

acc

ess

requ

ests

and

app

rova

ls fo

r 9 o

f the

se in

divi

dual

s w

ere

not p

rovi

ded.

A

lthou

gh a

pro

cess

for

cre

atin

g an

d m

aint

aini

ng u

ser

acce

ss f

orm

s an

d re

ques

ts

has

been

in p

lace

sin

ce b

efor

e th

e be

ginn

ing

of F

Y 2

010,

acc

ess

appr

oval

s pr

ior

to th

e cr

eatio

n of

AC

E ac

coun

ts w

ere

not c

onsi

sten

tly m

aint

aine

d in

acc

orda

nce

with

CB

P po

licy

and

proc

edur

es.

We

reco

mm

end

that

th

e O

ffic

e of

Inf

orm

atio

n an

d Te

chno

logy

(O

IT) i

ssue

a

mem

oran

dum

an

d di

strib

ute

the

proc

edur

es to

th

e re

spec

tive

CB

P O

ffic

es

to

impl

emen

t. W

e al

so

reco

mm

end

that

m

onito

ring

pro

cedu

res

be

esta

blis

hed

to

ensu

re

com

plia

nce

with

th

e pr

oced

ures

an

d th

at

OIT

co

ordi

nate

a m

eetin

g w

ith

the

othe

r C

BP

Off

ices

to

dete

rmin

e if

cent

raliz

ed

acce

ss c

ontro

l mea

sure

s are

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

19

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g ne

cess

ary.

CB

PIT

-10

07

We

perf

orm

ed a

fter-

hour

s ph

ysic

al s

ecur

ity t

estin

g to

ide

ntify

ris

ks r

elat

ed t

o no

n-te

chni

cal

aspe

cts

of I

T se

curit

y.

Thes

e no

n-te

chni

cal

IT s

ecur

ity a

spec

ts

incl

ude

phys

ical

acc

ess

to e

quip

men

t tha

t hou

ses

finan

cial

dat

a an

d in

form

atio

n re

sidi

ng

on

CB

P pe

rson

nel

desk

s, w

hich

co

uld

be

used

by

ot

hers

to

in

appr

opria

tely

acc

ess

finan

cial

inf

orm

atio

n.

The

test

ing

was

per

form

ed a

t va

rious

CB

P lo

catio

ns t

hat

proc

ess

and/

or m

aint

ain

finan

cial

dat

a.

A C

BP

empl

oyee

was

des

igna

ted

to a

ssis

t with

and

mon

itor o

ur te

st w

ork.

Afte

r gai

ning

ac

cess

to C

BP

faci

litie

s, w

e in

spec

ted

a se

lect

ion

of d

esks

and

/or o

ffic

es, l

ooki

ng

for

item

s su

ch

as

impr

oper

pr

otec

tion

of

syst

em

pass

wor

ds,

unse

cure

d in

form

atio

n sy

stem

har

dwar

e, d

ocum

enta

tion

mar

ked

“For

Off

icia

l U

se O

nly”

(F

OU

O),

and

unlo

cked

net

wor

k se

ssio

ns.

Our

sel

ectio

n of

des

ks a

nd o

ffic

es w

as

not

stat

istic

ally

der

ived

, an

d th

eref

ore

we

are

unab

le t

o pr

ojec

t re

sults

to

the

com

pone

nt o

r dep

artm

ent a

s a

who

le.

For e

ach

loca

tion

visi

ted,

we

note

the

type

of

uns

ecur

ed i

nfor

mat

ion

or p

rope

rty w

e id

entif

ied

and

incl

uded

the

tot

al

exce

ptio

ns n

oted

by

loca

tion,

as

wel

l as

by

type

of

info

rmat

ion

or p

rope

rty

iden

tifie

d.

A to

tal o

f 10

2 in

stan

ces

wer

e id

entif

ied

acro

ss th

e si

x lo

catio

ns w

here

phy

sica

l as

sets

or

sens

itive

info

rmat

ion

was

not

sec

ured

in a

ccor

danc

e w

ith D

HS

and/

or

CB

P po

licie

s.

CB

P sh

ould

con

tinue

its

annu

al se

curit

y aw

aren

ess

train

ing.

In

addi

tion,

it

shou

ld se

ek to

add

oth

er

mea

ns o

f inc

reas

ing

secu

rity

awar

enes

s.

X

2

CB

PIT

-10

08

This

is a

com

pone

nt-le

vel f

indi

ng.

KPM

G n

oted

that

sep

arat

ion

proc

edur

es f

or

cont

ract

em

ploy

ees

(Cus

tom

s D

irect

ive

5171

5-00

6) a

re o

ut o

f da

te a

nd in

clud

e in

com

plet

e an

d in

accu

rate

refe

renc

es.

Spec

ifica

lly, t

he p

roce

dure

s hav

e no

t bee

n up

date

d si

nce

Sept

embe

r 200

1. T

he p

roce

dure

s re

fere

nce

Trea

sury

faci

litie

s an

d Tr

easu

ry p

olic

ies

as s

ourc

e do

cum

enta

tion.

K

PMG

not

es t

hat

a ne

w d

irect

ive,

C

BP

Dire

ctiv

e 12

10-0

07,

entit

led

‘Con

tract

or T

rack

ing

Syst

em,’

was

iss

ued

requ

iring

the

use

of th

e C

ontra

ctor

Tra

ckin

g Sy

stem

; how

ever

, the

new

dire

ctiv

e st

ill re

fers

to o

ut o

f dat

e C

usto

ms

Dire

ctiv

e 51

715-

006

for s

epar

atio

n pr

oced

ures

We

reco

mm

end

that

CB

P re

view

the

curr

ent C

usto

ms

Dire

ctiv

e an

d up

date

it

to

refle

ct

the

curr

ent

oper

atin

g en

viro

nmen

t. A

dditi

onal

ly,

we

reco

mm

end

that

C

BP

requ

ire t

he c

onsi

sten

t an

d

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

20

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g fo

r con

tract

or e

mpl

oyee

s.

Add

ition

ally

, K

PMG

not

ed t

hat

SF 2

42 c

ontra

ctor

sep

arat

ion

form

s ar

e no

t co

mpl

eted

con

sist

ently

for

sep

arat

ing

CB

P co

ntra

ctor

s. S

peci

fical

ly,

KPM

G

note

d th

at o

f 45

sep

arat

ed c

ontra

ctor

s w

ith a

cces

s to

CB

P fa

cilit

ies,

info

rmat

ion

syst

ems,

and/

or s

ensi

tive

info

rmat

ion

who

wer

e se

lect

ed fo

r tes

ting,

9 fo

rms

wer

e no

t com

plet

ed, w

ere

not p

rovi

ded,

or w

ere

not c

ompl

eted

in a

tim

ely

man

ner.

accu

rate

com

plet

ion

of t

he

SF 2

42 f

or a

ll se

para

ting

cont

ract

ors

with

acc

ess

to

CB

P fa

cilit

ies,

info

rmat

ion

syst

ems

and/

or

sens

itive

in

form

atio

n.

CB

PIT

-10

09

This

is

a co

mpo

nent

lev

el f

indi

ng.

KPM

G s

elec

ted

45 g

over

nmen

t em

ploy

ees

that

had

sep

arat

ed in

FY

201

0 an

d no

ted

that

19

of th

ese

indi

vidu

als

did

not h

ave

a co

mpl

eted

CB

P Fo

rm 2

41 o

n fil

e.

We

reco

mm

end

that

CB

P re

view

the

val

idity

of

the

CB

P Fo

rm 2

41 E

mpl

oyee

Se

para

tion

proc

ess

and

dete

rmin

e an

al

tern

ate

mec

hani

sm

to

hold

m

anag

ers

acco

unta

ble

for

timel

y no

tific

atio

n of

em

ploy

ee s

epar

atio

ns a

nd

for

conf

irmin

g th

e te

rmin

atio

n of

ac

cess

to

in

form

atio

n sy

stem

s, an

d th

e re

turn

of

prop

erty

and

eq

uipm

ent.

X

2

CB

PIT

-10

10

This

is a

com

pone

nt le

vel f

indi

ng.

Whi

le K

PMG

not

es th

at p

rogr

ess

has

been

m

ade

in im

plem

entin

g pr

oced

ures

req

uirin

g th

e si

gnin

g of

ND

As,

KPM

G n

oted

th

at

ND

As

are

still

no

t co

nsis

tent

ly

com

plet

ed

by

cont

ract

ors

at

CB

P.

Spec

ifica

lly, K

PMG

not

ed th

at o

ut o

f a se

lect

ion

of 4

5 co

ntra

ctor

s, on

e N

DA

was

si

gned

mor

e th

an fo

ur m

onth

s af

ter t

he h

ire d

ate.

In

addi

tion,

one

ND

A w

as n

ot

prov

ided

for

a c

ontra

ctor

in

a m

ediu

m o

r hi

gh r

isk

posi

tion.

Fur

ther

, K

PMG

We

reco

mm

end

that

CB

P im

plem

ent

a m

ore

cons

iste

nt

met

hod

of

ensu

ring

that

ea

ch

cont

ract

or

empl

oyee

in

m

oder

ate

and

high

-ris

k

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

21

�

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

note

d th

at th

e N

DA

s fo

r 27

cont

ract

ors

in m

ediu

m o

r hig

h ris

k po

sitio

ns d

id n

ot

have

a d

ate

of si

gnat

ure.

po

sitio

ns s

ign

and

date

a

ND

A.

CB

PIT

-10

11

This

is a

com

pone

nt-le

vel f

indi

ng.

KPM

G h

as n

oted

that

CB

P ha

s no

t bee

n ab

le

to p

rovi

de e

vide

nce

that

wor

ksta

tions

not

on

are

rece

ivin

g an

tivi

rus

and

othe

r sec

urity

pat

ch u

pdat

es o

n a

timel

y ba

sis.

KPM

G n

oted

that

whi

le

prog

ress

has

bee

n m

ade

in a

ccou

ntin

g fo

r all

CB

P w

orks

tatio

ns, a

com

plet

e an

d up

-to-d

ate

listin

g of

all

CB

P w

orks

tatio

ns h

as n

ot b

een

mai

ntai

ned

for

the

maj

ority

of

FY 2

010.

A

s a

resu

lt, C

BP

does

not

hav

e an

acc

urat

e in

vent

ory

of

whi

ch w

orks

tatio

ns h

ave

not r

ecei

ved

anti-

viru

s and

oth

er se

curit

y pa

tch

upda

tes.

We

reco

mm

end

that

CB

P co

ntin

ue i

nsta

lling

and

deve

lop,

im

plem

ent,

and

mon

itor

polic

ies

and

proc

edur

es

to

mov

e al

l w

orks

tatio

ns

to

or

to

obta

in

wai

vers

and

com

pens

atin

g co

ntro

ls

for

thos

e w

orks

tatio

ns th

at c

anno

t be

mov

ed to

.

X

2

CB

PIT

-10

12

CB

P’s

Rol

e B

ased

Se

curit

y Tr

aini

ng

Prog

ram

do

es

not

mee

t th

e D

HS

requ

irem

ents

for

“an

nual

spe

cial

ized

tra

inin

g” t

hat

is “

com

men

sura

te w

ith t

he

indi

vidu

al’s

dut

ies

and

resp

onsi

bilit

ies.”

Sp

ecifi

cally

, the

CB

P R

BST

pro

gram

requ

ires

IT p

erso

nnel

to c

ompl

ete

only

one

hou

r of

Inc

iden

t Res

pons

e tra

inin

g,

and

one

hour

of

Cla

ssifi

ed In

form

atio

n tra

inin

g (if

app

licab

le to

the

indi

vidu

al’s

re

spon

sibi

litie

s) a

nnua

lly.

Furth

erm

ore,

out

of

the

sam

pled

45

CB

P pe

rson

nel w

ith s

igni

fican

t IT

secu

rity

resp

onsi

bilit

ies,

5 co

mpl

eted

the

tra

inin

g af

ter

CB

P’s

inte

rnal

Jun

e 30

, 20

10

dead

line.

In

addi

tion,

ano

ther

eig

ht h

ave

yet t

o co

mpl

ete

the

train

ing.

We

reco

mm

end

that

CB

P re

-exa

min

e its

ro

le-b

ased

tra

inin

g pr

ogra

m

and

cons

ider

im

plem

entin

g th

e D

HS

RB

ST P

rogr

am o

nce

it ha

s be

en im

plem

ente

d at

th

e de

partm

ent l

evel

.

X

2

CB

PIT

-10

13

This

is a

com

pone

nt-le

vel f

indi

ng.

We

note

d th

e fo

llow

ing

wea

knes

ses

rela

ted

to

acce

ss to

the

rais

ed fl

oor a

rea:

W

e re

view

ed a

cces

s re

ques

t aut

horiz

atio

ns to

the

rais

ed fl

oor a

rea

of

and

note

d th

at o

f th

e 45

indi

vidu

als

sele

cted

, 1 a

utho

rized

acc

ess

form

was

We

reco

mm

end

that

man

agem

ent

deve

lop

tool

s an

d pr

oced

ures

fo

r fa

cilit

atin

g an

d do

cum

entin

g th

e

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

22

�

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

not p

rovi

ded.

W

e re

view

ed e

vide

nce

of th

e re

certi

ficat

ion

of in

divi

dual

s w

ith a

cces

s to

the

rais

ed fl

oor

area

and

not

ed th

at o

f th

e 15

sel

ecte

d in

divi

dual

s, 2

had

not y

et

been

rece

rtifie

d.

appr

oval

/rece

rtific

atio

n an

dre

view

of i

ndiv

idua

l acc

ess

to th

e ra

ised

floo

r are

a.

CB

PIT

-10

14

This

is a

sys

tem

leve

l fin

ding

. K

PMG

not

ed th

at a

lthou

gh c

hang

es to

a u

ser’

s A

CS

acce

ss p

rofil

e ar

e lo

gged

, the

logs

of t

hese

eve

nts a

re n

ot re

gula

rly re

view

ed

by p

erso

nnel

inde

pend

ent f

rom

thos

e in

divi

dual

s tha

t mad

e th

e ch

ange

s.

We

reco

mm

end

that

CB

P fo

rmal

ize

a de

taile

dpr

oced

ure

for t

he re

view

of

AC

S se

curit

y pr

ofile

ch

ange

lo

gs.

The

proc

edur

e sh

ould

in

clud

e im

plem

entin

g a

perio

dic

revi

ew o

f th

e lo

gs b

y an

in

depe

nden

t rev

iew

er.

X

2

CB

PIT

-10

15

Dur

ing

our

tech

nica

l te

stin

g, p

atch

and

con

figur

atio

n m

anag

emen

t ex

cept

ions

w

ere

iden

tifie

d on

the

W

e re

com

men

d th

at C

BP

perf

orm

th

e fo

llow

ing

rem

edia

l act

ions

: 1

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

23

NFR

#

Con

ditio

n

.

Rec

omm

enda

tion

3

.

New

Is

sue

Rep

eat

Issu

e R

isk

Rat

ing

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

24

NFR

#

C

ondi

tion

Rec

omm

enda

tion

9

W

e re

com

men

d th

at C

BP

devo

te s

uffic

ient

res

ourc

es

in o

rder

to

impl

emen

t an

d m

aint

ain

form

al I

SAs

with

th

e PG

As

that

inte

rcon

nect

w

ith A

CS.

We

reco

mm

end

that

CB

P do

cum

ent

ISA

s fo

r al

l A

CS

PGA

co

nnec

tions

id

entif

ied

in

the

AC

S SS

P.

Issu

e

New

R

epea

t

Issu

e R

isk

Rat

ing

CB

P-IT

-10

16

This

is a

sys

tem

-leve

l fin

ding

and

a p

rior y

ear

issu

e fr

om F

Y20

08 a

nd F

Y20

09.

KPM

G d

eter

min

ed th

at e

vide

nce

of I

SAs

for

6 of

the

17 P

GA

s id

entif

ied

in th

e Sy

stem

Sec

urity

Pla

n co

uld

not b

e pr

ovid

ed.

Of t

he s

ix th

at w

ere

prov

ided

, tw

o

expi

red

durin

g FY

2010

and

had

not

bee

n re

new

ed.

X

2

CB

P-IT

-10

17

Th

is is

a sy

stem

-leve

l fin

ding

. W

e re

ques

ted

acce

ss a

utho

rizat

ion

evid

ence

for 4

5

AC

S us

ers

to d

eter

min

e w

heth

er A

CS

acce

ss w

as a

ppro

pria

tely

aut

horiz

ed.

OIT

w

as u

nabl

e to

pro

vide

evi

denc

e of

the

acce

ss re

ques

t aut

horiz

atio

ns fo

r any

of t

he

45 s

elec

ted

AC

S us

ers.

As

a re

sult,

we

are

not a

ble

to d

eter

min

e w

heth

er A

CS

acce

ss in

itiat

ions

or m

odifi

catio

ns w

ere

appr

opria

tely

app

rove

d an

d w

heth

er A

CS

acce

ss c

ontro

ls a

re in

pla

ce a

nd o

pera

ting

as re

quire

d by

DH

S an

d C

BP

polic

ies.

W

e re

com

men

d th

at C

BP

impl

emen

t pr

oced

ures

to

co

nsis

tent

ly d

ocum

ent

the

acce

ss

requ

ests

an

d ap

prov

als

for

any

and

all

acce

ss

crea

tions

an

d ch

ange

s to

A

CS

user

prof

iles.

X

2

CB

P-IT

-10

18

This

is

a co

mpo

nent

lev

el f

indi

ng.

We

note

d th

at a

cces

s re

ques

t fo

rms,

or

evid

ence

of

rece

rtific

atio

n of

acc

ess,

to th

e of

fsite

med

ia c

ould

not

be

prov

ided

fo

r 5 o

f the

15

sele

cted

em

ploy

ees.

W

e re

com

men

d th

at C

BP

upda

te

the

acce

ss

auth

oriz

atio

n pr

oces

s

to

indi

cate

that

the

acce

ss li

st

will

un

derg

o a

100%

re

certi

ficat

ion

annu

ally

.

X

1

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

25

� � � �

t

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

The

artif

act

shou

ld b

e an

of

ficia

l re

port

from

th

e C

ontra

ctin

g O

ffic

er

Tech

nica

l R

epre

sent

ativ

e fo

r of

fsite

m

edia

st

orag

e cl

early

sta

ting

the

resu

ltsal

ong

with

ba

ckup

pa

perw

ork

for

all

add,

de

lete

s, an

d ch

ange

s to

the

acce

ss li

st.

CB

PIT

-10

19

This

is a

sys

tem

leve

l fin

ding

. W

e w

ere

info

rmed

that

AC

S Se

curit

y A

udit

Logs

ar

e no

t be

ing

revi

ewed

. A

dditi

onal

ly, w

e no

ted

that

the

fol

low

ing

wea

knes

ses

rela

ted

to th

e A

CS

Secu

rity

Aud

it Lo

gs p

roce

dure

s con

tinue

to e

xist

: Pr

oced

ures

do

not

defin

e ho

w o

ften

the

AC

S se

curit

y pr

ofile

cha

nge

audi

t lo

gs a

re re

view

ed.

Proc

edur

es d

o no

t de

scrib

e ho

w t

he d

ocum

ente

d ev

iden

ce o

f th

e re

view

pr

oces

s is c

reat

ed b

y th

e A

CS

(ISS

O)/I

ndep

ende

nt R

evie

wer

. Pr

oced

ures

do

not

defin

e th

e sa

mpl

ing

met

hodo

logy

tha

t is

use

d to

sel

ect

AC

S pr

ofile

cha

nge

secu

rity

logs

for r

evie

w

We

reco

mm

end

that

CB

P de

velo

p an

d im

plem

ent

proc

edur

es t

hat

docu

men

t th

e re

view

pro

cess

for A

CS

prof

ile c

hang

e lo

gs.

The

proc

ess

shou

ld i

nclu

de t

he

docu

men

ted

evid

ence

of

re

view

, ho

w

ofte

n au

dit

logs

are

rev

iew

ed,

and

the

revi

ew

sam

plin

g m

etho

dolo

gy.

X

2

CB

PIT

-10

20

This

is a

sys

tem

-leve

l fin

ding

. W

e no

ted

the

follo

win

g w

eakn

esse

s re

late

d to

the

conf

igur

atio

n se

tting

s:K

PMG

not

ed th

at u

sers

wer

e al

low

ed a

n n

umbe

r of f

aile

d at

tem

pts

o ac

cess

dat

aset

s to

whi

ch th

ey w

ere

not a

utho

rized

. K

PMG

det

erm

ined

that

th

e co

ntro

l op

tion

in t

he s

ecur

ity s

oftw

are,

whi

ch r

esul

ts i

n im

med

iate

su

spen

sion

of a

ny u

ser

who

exc

eeds

the

spec

ified

num

ber

of v

iola

tions

, had

no

t bee

n co

nfig

ured

pro

perly

. K

PMG

not

ed th

at th

is se

tting

was

cor

rect

ed o

nFe

brua

ry 2

4, 2

010.

As

the

cond

ition

s w

ere

clos

ed

durin

g te

stin

g,

nore

com

men

datio

n is

re

quire

d.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

26

� � �

� � � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

KPM

G n

oted

that

use

rs w

ere

allo

wed

fa

iled

logo

n at

tem

pts

befo

re th

eir

acco

unts

wer

e lo

cked

. A

t the

end

of t

he fi

scal

yea

r the

setti

ng w

as u

pdat

ed to

th

ree

faile

d lo

gin

atte

mpt

s, an

d K

PMG

obs

erve

d th

e se

tting

in th

e sy

stem

and

no

ted

that

it w

as c

orre

cted

on

Sept

embe

r 24,

201

0.

CB

PIT

-10

21

This

is a

com

pone

nt le

vel f

indi

ng.

We

note

d th

e fo

llow

ing

wea

knes

ses

rela

ted

to

the

CB

P B

ackg

roun

d In

vest

igat

ion

proc

ess:

O

f th

e 45

ind

ivid

uals

sel

ecte

d, w

e no

ted

t hat

1 c

ontra

ctor

did

not

hav

e a

com

plet

ed b

ackg

roun

d in

vest

igat

ion

as r

equi

red

by t

he C

BP

Info

rmat

ion

Syst

em S

ecur

ity P

olic

ies

and

Proc

edur

es H

andb

ook.

W

e no

ted

that

thi

s co

ntra

ct h

as a

cces

s to

the

AC

E sy

stem

. O

f the

45

indi

vidu

als

sele

cted

, we

note

d th

at 5

em

ploy

ees

and

25 c

ontra

ctor

s di

d no

t hav

e th

eir

back

grou

nd r

einv

estig

atio

ns in

itiat

ed w

ithin

the

five

year

tim

efra

me

as r

equi

red

by C

BP

Mem

oran

dum

Reg

ardi

ng R

einv

estig

atio

ns,

date

d A

ugus

t 18,

200

8.

KPM

G

reco

mm

ends

th

at

CB

P: Com

plet

e vi

a e-

QIP

the

“ini

tiatio

n” o

f al

lre

mai

ning

em

ploy

ee

rein

vest

igat

ions

by

D

ecem

ber 3

0, 2

010.

C

ompl

ete

the

rein

vest

igat

ions

for

all

suc h

em

ploy

ees

by

Dec

embe

r 30,

201

1.

Dev

elop

/dep

loy

a tra

ckin

g m

echa

nism

(C

ontra

ctor

Tr

acki

ng

Syst

em)

by w

hich

to

iden

tify

thos

e co

ntra

ctor

s re

quiri

ng

rein

vest

igat

ion.

Dev

elop

an

d im

plem

ent

a st

rate

gy

to

ensu

re

that

rein

vest

igat

ions

for

all

cont

ract

ors

are

initi

ated

as r

equi

red.

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

27

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g C

BP

IT-1

022

This

is a

sys

tem

-leve

l fin

ding

. A

CS

deve

lope

rs m

ay g

ain

emer

genc

y/te

mpo

rary

ac

cess

to th

e pr

oduc

tion

envi

ronm

ent t

hrou

gh th

e po

rtal r

eque

st p

roce

ss.

Whi

le

the

emer

genc

y/te

mpo

rary

acc

ount

act

iviti

es a

re l

ogge

d, C

BP

does

not

rev

iew

th

ese

activ

ity lo

gs to

iden

tify

inap

prop

riate

act

iviti

es.

KPM

G

reco

mm

ends

th

at

CB

P re

ports

on

the

TSS

audi

t of

em

erge

ncy

acce

ss

shou

ld b

e ru

n as

nee

ded

at

man

agem

ent’s

(e

.g.,

emer

genc

y ap

prov

er’s

) re

ques

t.

X

2

CB

PIT

-10

23

This

is a

sys

tem

-leve

l fin

ding

. A

cces

s ap

prov

als

prio

r to

the

crea

tion

of N

DC

LA

N a

ccou

nts

wer

e no

t con

sist

ently

mai

ntai

ned

in a

ccor

danc

e w

ith C

BP

polic

y an

d pr

oced

ures

. K

PMG

req

uest

ed a

cces

s au

thor

izat

ion

docu

men

tatio

n fo

r 25

in

divi

dual

s w

ho w

ere

gran

ted

ND

C-L

AN

acc

ess

durin

g FY

201

0.

Alth

ough

a

proc

ess

for

crea

ting

and

mai

ntai

ning

use

r ac

cess

for

ms

and

requ

ests

has

bee

n in

pl

ace

sinc

e be

fore

the

begi

nnin

g of

FY

201

0, in

itial

acc

ess r

eque

sts a

nd a

ppro

vals

fo

r 10

of th

ese

indi

vidu

als w

ere

not p

rovi

ded.

We

reco

mm

end

that

CB

P fu

lly

trans

ition

th

eir

proc

ess

for

requ

estin

g N

DC

-LA

N N

etw

ork

acce

ss

from

the

pap

er-b

ased

use

r ac

cess

req

uest

for

m t

o an

el

ectro

nic

user

ac

cess

re

ques

t fo

rm.

O

nce

the

elec

troni

c fo

rm

is

fully

im

plem

ente

d,

the

docu

men

ted

proc

ess

will

be

upd

ated

to

refle

ct t

hat

all

ND

C-L

AN

use

r ac

cess

re

ques

ts

mus

t go

to

th

e Te

chno

logy

Ser

vice

Des

k (T

SD) f

or a

ctio

n. T

SD w

ill

gene

rate

a

troub

le

ticke

t an

d at

tach

th

e el

ectro

nic

acce

ss r

eque

st f

orm

to

the

initi

al

user

re

ques

t tic

ket

for

ND

C-L

AN

acc

ess.

The

ticke

t will

be

issu

ed in

the

nam

e of

the

use

r ga

inin

g

X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

28

App

endi

x B

D

epar

tmen

t of H

omel

and

Secu

rity

C

usto

ms a

nd B

orde

r Pr

otec

tion

In

form

atio

n Te

chno

logy

Man

agem

ent L

ette

r Se

ptem

ber 3

0, 2

010

NFR

#

Con

ditio

n R

ecom

men

datio

n N

ew

Issu

e R

epea

t Is

sue

Ris

k R

atin

g th

e ac

cess

so

it is

eas

ily

sear

chab

le.

TSD

is

cu

rren

tly

in

the

deve

lopm

ent

phas

e fo

r a

new

use

r ac

coun

t re

ques

t po

rtal w

hich

will

pro

vide

a

secu

re o

nlin

e en

viro

nmen

t fo

r m

anag

ing

this

pro

cess

. Th

is n

ew t

ool

will

allo

w

requ

esto

rs

the

abili

ty

to

com

plet

e an

d su

bmit

LAN

an

d eM

ail a

ccou

nt re

ques

ts

via

onlin

e w

eb fo

rm.

Onc

e th

e re

ques

t is

revi

ewed

and

ap

prov

ed

by

the

CB

P su

perv

isor

, a ti

cket

will

be

auto

mat

ical

ly

gene

rate

d (b

ypas

sing

th

e ne

ed

of

savi

ng/a

ttach

ing

and

emai

ling

the

TSD

) an

d ro

uted

to

th

e ap

prop

riate

gr

oup

for

proc

essi

ng.

A

log

will

be

capt

ured

and

sa

ved

in t

he n

ew s

yste

m

for

each

ap

prov

ed/d

enie

d re

ques

t fo

r fu

ture

re

fere

nce.

CB

PIT

-10

CB

P ha

s no

t cor

rect

ed f

unct

iona

lity

issu

es c

urre

ntly

not

ed in

AC

S, a

nd r

outin

e m

aint

enan

ce is

incr

easi

ngly

diff

icul

t and

exp

ensi

ve.

Cur

rent

ly, o

nly

two

vend

ors

To

addr

ess

this

fin

ding

, X

2

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

29

� � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

24

supp

ort

AC

S, w

hich

lim

its C

BP’

s ab

ility

to

obta

in m

aint

enan

ce s

ervi

ces

at a

re

ason

able

cos

t. D

urin

g FY

201

0, C

BP

spen

t ne

arly

$12

.1 m

illio

n ju

st t

o m

aint

ain

AC

S at

its

curr

ent l

evel

of

func

tiona

lity.

In

add

ition

, CB

P is

cur

rent

ly

re-v

isiti

ng t

he a

mou

nt o

f fu

ndin

g ne

cess

ary

to c

ompl

ete

the

impl

emen

tatio

n of

th

e A

CE

finan

cial

mod

ules

and

will

com

plet

e th

is a

naly

sis i

n FY

201

1.

Due

to

th

ese

cond

ition

s re

gard

ing

the

func

tiona

lity

of

AC

S an

d de

laye

dim

plem

enta

tion

of A

CE,

CB

P ha

s no

t re

solv

ed t

he f

ollo

win

g kn

own

AC

S fu

nctio

nalit

y is

sues

:

AC

S la

cks

the

cont

rols

nec

essa

ry to

pre

vent

, or d

etec

t and

cor

rect

exc

essi

ve

draw

back

cla

ims.

The

pro

gram

min

g lo

gic

in A

CS

does

not

link

dra

wba

ck

clai

ms

to i

mpo

rts a

t a d

etai

led,

line

item

lev

el.

In a

dditi

on, A

CS

does

not

have

the

cap

abili

ty t

o co

mpa

re,

verif

y, a

nd t

rack

ess

entia

l in

form

atio

n on

dr

awba

ck c

laim

s to

the

rel

ated

und

erly

ing

cons

umpt

ion

entri

es a

nd e

xpor

t do

cum

enta

tion

upon

whi

ch th

e dr

awba

ck c

laim

is b

ased

. Ex

port

info

rmat

ion

is n

ot li

nked

to th

e D

raw

back

mod

ule

and

ther

efor

e el

ectro

nic

com

paris

ons o

f ex

port

data

can

not

be p

erfo

rmed

with

in A

CS.

Se

e N

FR C

BP-

10-2

0 fo

r fu

rther

det

ails

. C

erta

in m

onito

ring

repo

rts u

sed

to m

onito

r (r

evie

w)

impo

rter

com

plia

nce

with

the

in-

bond

pro

cess

hav

e no

t be

en d

evel

oped

and

the

refo

re i

mpo

rter

com

plia

nce

is n

ot b

eing

trac

ked.

In

addi

tion,

in-b

onds

are

not

aut

omat

ical

ly

linke

d to

the

rele

vant

ent

ry o

r exp

ort f

iling

s in

AC

S, w

hich

lead

s to

exte

nsiv

e m

anua

l w

ork

to c

lose

ope

n in

-bon

ds.

Fina

lly,

AC

S do

es n

ot p

rovi

de t

he

abili

ty t

o ru

n ov

ersi

ght

repo

rts t

o de

term

ine

if po

rts h

ave

com

plet

ed a

ll re

quire

d in

-bon

d po

st a

udits

and

exa

ms.

See

NFR

CB

P-10

-14

for

furth

er

deta

ils.

AC

S do

es n

ot p

rope

rly a

ccou

nt fo

r bon

d su

ffic

ienc

y of

cla

i ms

that

invo

lve

a co

ntin

uous

bon

d an

d th

eref

ore

a cl

aim

ant c

an p

oten

tially

cla

im a

nd r

ecei

ve

an a

ccel

erat

ed p

aym

ent t

hat e

xcee

ds th

e bo

nd a

mou

nt o

n fil

e.

As

a re

sult,

C

BP

will

not

hav

e su

ffic

ient

sur

ety

agai

nst a

dra

wba

ck o

ver

clai

min

g.

See

CB

P re

com

men

ds

that

it

cont

inue

to:

1.

Mod

erni

ze it

s bu

sine

ss

proc

esse

s th

ough

th

e de

velo

pmen

t an

d de

ploy

men

t of

fu

nctio

nalit

y in

th

e A

utom

ated

C

omm

erci

alEn

viro

nmen

t as

it

has

done

sinc

e 20

01.

2.

Wor

k w

ithst

akeh

olde

rs, i

nclu

ding

C

BP

pers

onne

l, th

e tra

de,

parti

cipa

ting

gove

rnm

ent

agen

cies

, th

e D

epar

tmen

t of

H

omel

and

Secu

rity

and

the

Con

gres

s to

pr

iorit

ize,

dev

elop

, and

de

ploy

fu

nctio

nalit

yth

at

allo

ws

CB

P to

fulfi

ll its

mis

sion

and

m

eet

the

need

s of

its

stak

ehol

ders

.

3.

Seek

fund

s th

roug

h th

e bu

dget

pr

oces

s th

at

will

al

low

C

BP

to

cont

inue

to

de

velo

p

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

30

� � �

App

endi

x B

Dep

artm

ent o

f Hom

elan

d Se

curi

ty

Cus

tom

s and

Bor

der

Prot

ectio

n

Info

rmat

ion

Tech

nolo

gy M

anag

emen

t Let

ter

Sept

embe

r 30,

201

0

NFR #

Con

ditio

n R

ecom

men

datio

n N

ewIs

sue

Rep

eat

Issu

e R

isk

Rat

ing

NFR

CB

P-10

-05

for f

urth

er d

etai

ls.

AC

S do

es n

ot p

rovi

de s

umm

ary

info

rmat

ion

of th

e to

tal u

npai

d as

sess

men

ts

for

dutie

s, ta

xes,

and

fees

by

indi

vidu

al i

mpo

rter

(i.e.

, a

sub-

ledg

er)

and

cann

ot p

rovi

de r

epor

ting

info

rmat

ion

on o

utst

andi

ng r

ecei

vabl

es, t

he a

ge o

f re

ceiv

able

s, or

oth

er d

ata

nece

ssar

y fo

r m

anag

emen

t to

eff

ectiv

ely

mon

itor

colle

ctio

n ac

tions

. Se

e N

FR C

BP-

10-0

4 fo

r fur

ther

det

ails

. Th

e dr

awba

ck s

elec

tivity

fun

ctio

n of

AC

S is

not

pro

gram

med

to

sele

ct a

st

atis

tical

ly v

alid

sam

ple

of p

rior

draw

back

cla

ims

agai

nst a

sel

ecte

d im

port

entry

. Se

e N

FR C

BP-

10-0

3 fo

r fur

ther

det

ails

. A

CS

is p

rogr

amm

ed to

aut

omat

ical

ly in

dica

te th

at a

Por

t Dire

ctor

cer

tifie

d a

refu

nd o

r dra

wba

ck p

aym

ent e

ven

if th

e Po

rt D

irect

or d

oes n

ot c

ertif

y a

give

n pa

ymen

t. S

ee N

FR C

BP-

10-1

9 fo

r fur

ther

det

ails

.

and

depl

oyfu

nctio

nalit

y in

th

at

will

su

ppor

t C

BP’

s m

issi

on

and

mee

t th

e ne

eds

of i

tsst

akeh

olde

rs.

Info

rmat

ion

Tec

hnol

ogy

Man

agem

ent L

ette

r fo

r th

e FY

201

0 C

BP

Fina

ncia

l Sta

tem

ent A

udit

Page

31

Appendix C Department of Homeland Security


September 30, 2010

APPENDIX C

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and

Recommendations at CBP


NFR No. Description Disposition Closed Repeat

CBP-IT-09-03 Contractor Tracking Deficiencies X CBP-IT-09-12 Install CBP-IT-10-11 CBP-IT-09-13 Complete List of CBP Workstations CBP-IT-10-11 CBP-IT-09-21 Review of Changes to Security Profiles in ACS CBP-IT-10-14 CBP-IT-09-27 Administrator Access Authorization Weaknesses X CBP-IT-09-29 Completion of CF-241 Forms for Terminated Employees CBP-IT-10-09 CBP-IT-09-34 Installation of Anti-Virus Protection CBP-IT-10-11 CBP-IT-09-41 Weaknesses in the Process of Separating CBP Contractors CBP-IT-10-08 CBP-IT-09-44 CBP-IT-09-45 CBP-IT-09-48

Completion of Non Disclosure Agreements for US CBP Contractors Log configuration weakness for System.

Lack of Effective ACS Access Change Log Review Procedures

CBP-IT-10-10 X

CBP-IT-10-19 CBP-IT-09-56 ACE Audit Log Reviews CBP-IT-10-03 CBP-IT-09-57 NDC LAN Audit Logs X CBP-IT-09-58 Novell Password Settings X CBP-IT-09-59 Formal Procedures for Mainframe System Utility Logs X CBP-IT-09-60 Configuration for Mainframe Security Violation Control Option CBP-IT-10-20

CBP-IT-09-61 Completion of Initial Background Investigations and Periodic Background Reinvestigations for CBP Employees and Contractors CBP-IT-10-21

CBP-IT-09-62 Rules of Behavior Not Consistently Signed by CBP Employees and Contractors X

CBP-IT-09-63 ACE does not disable accounts after 45 days X CBP-IT-09-64 ACS PGA ISAs Not Completely Documented CBP-IT-10-16CBP-IT-09-65 Documentation of ACE Access Change Requests CBP-IT-10-06 CBP-IT-09-66 Separated Employees on ACE Access Listing CBP-IT-10-01 CBP-IT-09-67 Inadequate Documentation of ACS Access Change Requests CBP-IT-10-17 CBP-IT-09-68 Vulnerabilities in Configuration and Patch Management X CBP-IT-09-69 Inadequate SAP Profile Change Review X CBP-IT-09-70 Overuse of ACS Emergency/Temporary Access Roles X

CBP-IT-09-71 Inadequate Documentation of SAP Emergency/Temporary Access Requests X

CBP-IT-09-72 ACE Segregation of Duties Controls are Not In Place CBP-IT-10-02

CBP-IT-09-73 Inadequate Documentation of ACE SCO Access Requests and Approvals X

CBP-IT-09-74 Inadequate Protection of CBP Information and Property CBP-IT-10-05 CBP-IT-10-07

Appendix C Department of Homeland Security


September 30, 2010


1300 ~ns)'lvaniolA\~ueN'WW;lShingtOn. DC 20229

u.s. Customs ;mdBorder Protection

MAR 2 1 1011

MEMORANDUM FOR: Frank DefTerAssistant Inspector GeneralInfonnallon Technology Aud-

FROM: Charles AnnstrongAssistant CommissioneOffice oflnfonnation

SUBJECT: Draft Audit Report· In onnation Technology Management Letterfor the FY 2010 CBP Financial Statement Audit

In response to the memorandum dated Fcbruary 18, 201 J requcsting written comments on thedraft report and responses to its reconunendations, U.s. Customs and Border Protection's(CBP's) Office of Infonnation Technology (OIT) is providing the following commt;:nts on theremediation actions that arc being pcrfonned for the findings and recommendations from the FY20 I0 audit. We have included an attachment that contains a status on our Corrective ActionPlans (CAPs) and their estimated completion dales. CBP will provide a sensitivity review thatincludes redaction requests under separate: cover.

General comments

Twenty-three NFRs were issued to CBP OIT (16 were reissues of FY 2009 findings and 7 werenew). To date. remediation work on 3 findings have been completed. Progress is being reportedon the remaining 20_ orr hilS non-conC\lrred on I finding. CAPs for the applicable findings arein progress and their status is provided in the attachment.

Security Mumtgemenl

CBP concurred with KPMG's eight findings and recommendations in this area. OIT inconjunction with the CBP offices of Administralion and InlernaJ Affairs are cooperating toremedialc the eight findings. All except one are expected to be completed by the end of the fiscalyear. The status for each CAP is provided in the attachmenl.

Acceu Controls

Appendix D Department of Homeland Security


September 30, 2010


CDP concurrro v.ith KPMG', 11 findings llnd 1"C(:0mmcndlllti0l15 in thi, lITCll, Work on 2 findingshas been completed and one of those was closed by the auditor during testing, The other ninefindings an: on trnek for c.ompletion this fixal year. Tile: status ofeach CAP is provided in tho<:attachmcnL

CBp concurred with KpMG's nnding and recommendation in this area. UH' continued tocomplete its FY2009 plan with collaboration between tlte CDP offices of International Trade,A .... "illisllll.liull. an" Fit:lu Ope:r~liolls to iuemify ar>d documem Incompatible roles. CBP!hen de\'elopeda procedure to ensure incompatiblc roles ....ere not assigned to thoe same user, unless an exception isproperly authoriu:u. cor developed un" implemented III process to review eJti:5ting roles andeliminate incompatible roles from the active user listings. The status of this CAP is provided inthe 1'Iltachmcni.

Financial S)'lltem ....unctiomdi.y

CDI' non-concurred with KPMO's finding and recommendations in this area. This NFR onlyserves as a summary of other issued NFRs for application functionality issues that include a lackof conrrols to pre\'em. deteet. and correct excessive d.rnwback claims; a Jack of reponing forlmCking importer compliance with the in-bond process; the: proper accounting ofbondsufficiency of claims; providing summary information for the lotal unpaid assessments tor duties,taxcs, and fees by individual imponCT; valid statisrical sampling for prior drawback claimsagainst a seleeled Impon entry; and alilomalif; indicating of cc:nifif;3.tion by a Port DireclOr for arefund or drawback claim, e\'cn if the payment hasn'l been certified by the Port DiTl:Clor.

Aher-llOllrs Ph)'llical Security and Socilll EngiD~riDgTn'ing

CBP concurred with KPMG's two findings and recommendations in this area.. orr inconjunction with the COP offices of Inlernal Affairs and Privacy arc continuing their FY 2009plan along with de\'eloping addilionaltasks to stre-ngthen the security awareness programs foreduC<lting employees on how to respond to information security attacks, protecting electronic andphysical data, hardware, and Personally Identifiable Infonnation (I'll). as well as informationmarked FOUO. The estimated completion date is September 15. 2011, The status of cach CAP isprovided in the attachment.

If you have any questions concerning this response, please contact Judy Wri~ht, Office orInrormation and Tcr.hnology Audit Liaison, at (5 71) 468-4155.

Attnchment:

Appendix D Department of Homeland Security


September 30, 2010




Report Distribution

Department of Homeland Security

Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Acting Deputy Commissioner, CBP DHS Chief Information Officer DHS Chief Financial Officer Chief Financial Officer, CBP Chief Information Officer, CBP Chief Information Security Officer Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison Audit Liaison, CBP

Office of Management and Budget

Chief, Homeland Security Branch DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:

DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.

department of homeland security ofﬁce of inspector generaldepartment of homeland security ofﬁce...

Documents