CBP failed to follow basic security practices to protect financial systems

Administrators didn't review employees' rights to access files, enforce stringent password requirements, or block users from logging on after several failed attempts.

The Customs and Border Patrol bureau failed to properly set computer controls that allow only authorized users to view financial data, and failed to certify that networks complied with security standards, according to an audit released on Wednesday by the Homeland Security Department's inspector general.

A number of problems the inspector general found in 2008 still were not fixed in fiscal 2009, according to the audit, which analyzed CBP's financial systems and was conducted by the accounting firm KPMG.

"Although we noted improvement, CBP still faces challenges related to the merging of numerous IT functions, controls, processes and organizational resource shortages," the report stated.

Specifically, administrators didn't regularly review changes to employees' access rights or enforce stringent password requirements. Also, systems were not configured to block a user from logging on after a predetermined number of failed attempts, and the bureau didn't disable accounts after 45 days of inactivity, as required by department policy. CBP officials also failed to restrict what employees could access on the network to the minimum set of files required to perform their duties.

Auditors said CBP administrators failed to keep an up-to-date inventory of workstations that had access to financial systems and to ensure all computers had the latest antivirus software installed.

Portions of the report's findings were redacted for security reasons.

"Several of the deficiencies were a result of either an inadequate allocation of resources to address prior year findings, or only partial implementation of recommendations," the report noted. "By not addressing the conditions, the risk exists that deficiencies may be exploited, in either a singular fashion, or in combination [that] might affect the availability, confidentiality or integrity of CBP's financial systems and data."

According to a letter responding to the report, CBP officials said the bureau is developing or putting in place actions to address the weaknesses KPMG identified.