Information Security:

Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program

GAO-07-870: Published: Jul 13, 2007. Publicly Released: Aug 2, 2007.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Intended to enhance the security of U.S. citizens and visitors, United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program encompasses the pre-entry, entry, status management, and exit of foreign national travelers who enter and leave the United States at 285 air, sea, and land ports of entry. GAO was asked to determine whether Department of Homeland Security (DHS) has implemented appropriate controls to protect the confidentiality, integrity, and availability of the information and systems used to support the US-VISIT program. To do this, GAO examined the controls over the systems operated by Customs and Border Protection (CBP) that support the US-VISIT program.

The systems supporting the US-VISIT program have significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized and possibly undetected disclosure and modification, misuse, and destruction. Weaknesses existed in all control areas and computing device types reviewed. Deficiencies in access controls and other system controls exposed mainframe computer, network infrastructure, servers, and workstations to insider and external threats. For example, CBP did not implement controls to effectively prevent, limit, and detect access to computer networks, systems, and information. To illustrate, it did not (1) adequately identify and authenticate users in systems supporting US-VISIT; (2) sufficiently limit access to US-VISIT information and information systems; (3) ensure that controls adequately protected external and internal network boundaries; (4) effectively implement physical security at several locations; (5) consistently encrypt sensitive data traversing the communication network; and (6) provide adequate logging or user accountability for the mainframe, workstations, or servers. In addition, CBP did not always ensure that responsibilities for systems development and system production were sufficiently segregated and did not consistently maintain secure configurations on the application servers and workstations at a key data center and ports of entry. These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information, including personally identifiable information, and disrupt the operations of the US-VISIT program. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. These risks are not confined to US-VISIT information. The CBP mainframe and network resources that support US-VISIT also support other programs and systems. As a result, the vulnerabilities identified in this report could expose the information and information systems of the other programs to the same increased risks. A key reason for these weaknesses is that, although CBP has made important progress in implementing elements of the department's information security program, it did not effectively or fully implement essential program activities. For example, CBP did not fully characterize the risks facing critical systems, update interconnection security agreements in security plans, sufficiently test and evaluate security controls, incorporate required elements in remedial action plans, adequately implement incident detection and handling procedures, and consistently address privacy issues. Until DHS and CBP act to mitigate the weaknesses in CBP systems supporting the US-VISIT program and CBP effectively and fully implements its information security program, limited assurance exists that the US-VISIT program will achieve its goal of enhancing the security of U.S. citizens and its visitors.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to fully develop and implement policies and tools for the timely detection and handling of security incidents.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) installed host intrusion prevention system (HIPS) which included both intrusion prevention and host based firewall components onto all CBP Windows workstations, and (2) issued Policy and Procedures for Incident Handling.

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to ensure remedial action plans address all significant security vulnerabilities, accurately report status of remedial actions, and identify necessary resources for completing actions.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) developed remedial action plans for the US-VISIT system that addresses significant security vulnerabilities as identified in systems certification and accreditation and annual assessment,(2) accurately report status of remedial actions with milestones and completion dates, (3) identified financial resources to complete remediation action.

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to enhance the procedures and documentation for testing and evaluating the effectiveness of security controls.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, conducted comprehensive security testing on the US-VISIT system that documented its procedures to include evaluation of management, technical and operational controls, security control requirements and traceability matrix, and procedures for evaluating controls being tested.

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to update the interconnection security agreements in the Treasury Enforcement Communications System (TECS) security plan.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, updated the interconnection security agreements in the TECS security plan.

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to fully characterize risks in risk assessments for systems supporting US-VISIT program.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, (1) completed a privacy impact assessment on December 22, 2010, and (2) completed inventory of all interconnections between TECS and other systems in its risk assessments for systems supporting the US-VISIT program.

    Recommendation: To help the Department effectively and fully implement information security program activities for CBP systems supporting the US-VISIT program, the Secretary of Homeland Security should direct the Commissioner, U.S. Customs and Border Protection to update and complete privacy documents for systems supporting the US-VISIT program.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Bureau of Customs and Border Protection

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that DHS, in response to our recommendation, has issued an approved privacy impact assessment for TECS on December 22, 2010.

    Apr 17, 2014

    Apr 2, 2014

    Jan 28, 2014

    Jan 8, 2014

    Sep 26, 2013

    Feb 20, 2013

    Feb 1, 2013

    Sep 27, 2012

    Sep 18, 2012

    Jul 17, 2012

    Looking for more? Browse all our products here