Some parts of the report were redacted for security reasons. However, the report makes it clear that the CBP has not implemented even some of the most basic security -- such as installing anti-virus software on desktops -- to protect financial data. According to the report, the CBP does not maintain a current inventory of desktops with access to its financial system, nor does it conduct third-party review of changes made to system users' access rights.Moreover, a control option to limit the number of failed log-on attempts for system users is not configured correctly, according to the report. The CBP also has not configured its security system with parameters for mainframe audit and system utility logs to collect appropriate data for its financial system; audit logs are not being reviewed on a regular basis, and the agency does not maintain authorizations for personnel that have administrator access to the system.
There was some good news in the report. The CBP has taken some action to improve some deficiencies the inspector general found previously. For instance, the agency has made improvements to the tracking of security awareness completion, the controlling of emergency and temporary access to the system and the recertification of National Data Center (NDC) Local Area Network (LAN) accounts, according to the report. Still, the Inspector General has made more than 25 recommendations to the CBP to improve the security of its financial system. The agency agrees with the findings and recommendations, and is developing a plan to address them, according to the report.