The Federal Emergency Management Agency
(FEMA) did not consistently apply the information technology (IT) access
controls needed to restrict unnecessary access to its systems and
information. Specifically, FEMA did not promptly remove or adjust system
and information access when personnel separated or changed positions. For
example, 75 percent of the accounts for separated personnel we examined
remained active beyond the individual’s last workday. Additionally, FEMA
did not monitor and configure privileged user access, service accounts,
and access to sensitive security functions as required. These
deficiencies stemmed from insufficient internal controls and day-to-day
oversight to ensure access controls were administered appropriately and
effectively to prevent unauthorized access.
Based on our testing, FEMA did not
implement all the required security settings and address vulnerabilities
timely for its IT systems and workstations. This occurred because FEMA
was concerned updates might negatively impact system operations and
because it faced operational challenges.
The deficiencies identified during this
audit exposed FEMA’s network and IT systems to risks of compromise by
potential attackers. Additionally, these deficiencies could have limited
the Department’s overall ability to reduce the risk of unauthorized
access to its network, which may disrupt mission operations.
Post a Comment