IG: TSA's financial data jeopardized by lax controls

Published 28 May 2009

Inspector General report finds that TSA’s financial statements are vulnerable to tampering; TSA does not review computer accounts to ensure people who have left the agency are locked out, and does not check the privileges associated with each active account regularly to ensure that level of access remains necessary.

Lax control of access to IT systems makes the Transportation Security Administration’s (TSA) financial statements vulnerable to tampering, according to a new inspector general report. An audit by the consulting firm KPMG identified 15 control deficiencies that could affect the reliability of TSA’s financial data, 13 of which were repeats from fiscal 2008, the Homeland Security Department IG noted in the report. “Collectively, the IT control weaknesses limited TSA’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity and availability,” the report stated. “In addition, these weaknesses negatively impacted the internal controls over TSA financial reporting and its operation, and we consider them to collectively represent a material weakness for TSA.”

Nextgov.com’s Gautham Nagesh writes that the IG found that TSA does not review computer accounts to ensure people who have left the agency are locked out, and does not check the privileges associated with each active account regularly to ensure that level of access remains necessary. The report also noted weaknesses related to security patch and security configuration management for the financial reporting system.

“The weaknesses identified within TSA’s access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities or that a separated individual, or another person with knowledge of an active account of a terminated employee, could use the account to alter the data contained within the application or database,” the IG said.

Auditors also noted cracks in TSA’s procedures for recovering data following a disaster. The agency made strides in testing recovery procedures during fiscal 2008 and improved emergency response training for personnel with data center access, but failed to incorporate the results of the tests in its continuity of operations plan, the report said.

TSA officials generally agreed with the report’s findings and said they plan to implement the IG’s recommendations.