FinCEN gets so-so security report card from GAO
The Treasury Department bureau responsible for watching for money laundering isn't watching its security closely enough, according to GAO auditors. Worse, much of FinCEN's problems lie with the notoriously security-poor IRS.
FinCEN needs to step up its documentation efforts and its implementation of security controls, according to a report from the US Government Accountability Office.
The report, presented last week to members of the House of Representatives, examined FinCEN's (the Financial Crimes Enforcement Network's) own information systems and the points at which FinCEN draws on IRS and Treasury Communications System (TCS) data. The audit work was carried out from March 2008 to January 2009.
FinCEN uses those three systems to administer the Bank Secrecy Act, under which it works with law enforcement here and abroad to nail down money laundering and the crimes associated with it. You probably know the BSA best as "that rule that you can't get access right away to all the funds when you deposit a really big check, and then they ask all those questions."
The good news is that all three agencies involved in the process have made, according to the report, important steps in control implementation. The bad news is that important security controls are inconsistent or lacking, and certain practices designed to protect information and systems are inconsistent or lacking too.
Much of the trouble, the report says, stems from incomplete implementation of security programs at FinCEN and the IRS. (IRS security befuddlement seems to be a theme with these GAO reports; for example, they're called out separately from FinCEN for not sufficiently verifying whether security actions taken to head off known vulns were effective...or even fully implemented.)
"FinCEN did not always include detailed implementation guidance in its policies and procedures and adequately test and evaluate information security controls," the report states. Problems included inadequate implementation of user and password management controls; poorly set permissions that could allow users to access data beyond what they need to do their jobs; inconsistent use of encryption; and poor boundary protections. In addition, audit logging and monitoring -- which might catch problems if they arise -- isn't sufficiently implemented.
The details are, as details will be, a bit devilish. Among the highlights: Passwords on certain crucial FinCEN and IRS machines were easily guessed, and the machine dedicated to downloading to FinCEN from the IRS had multiple users sharing one account. At TCS, users had access to a shared administrative account. Over at the IRS, the access problem was far worse, with allegedly isolated machines accessible without detection by over 60,000 employees. (Not that the IRS documented access privileges, mind you.)
Encryption was implemented to some degree at FinCEN, but not consistently across devices such as USB drives. Logging was sloppy, with FinCEN logging activity on two key apps but not logging database security events; on the IRS side, security logging didn't mark changes to key datasets. And though FinCEN meant to do vulnerability scans on its systems every three months, investigators found that the period between such scans was at least four months in at least one instance.
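Two of the findings above (one account shared by several people on the IRS-to-FinCEN download machine and on TCS, and vulnerability scans slipping past the quarterly target) are things a defender can check for from their own logs. The following is an added illustration written for this page, not tooling from the GAO report, FinCEN, the IRS or TCS. The authentication-log format, host names, account names, addresses and scan dates are all constructed for the example.

```python
"""Flag shared-account use and missed quarterly scans from constructed log data.

Added example for this page; not GAO's, FinCEN's or the IRS's tooling.
The log line format ("<ISO timestamp> <host> login user=<name> src=<ip>")
and every name, address and date below are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed authentication log. Three different workstations log in as
# "irs_xfer" within minutes, and "admin" on the TCS host comes from two.
AUTH_LOG = """\
2008-11-03T08:02:11 bsa-dl01 login user=irs_xfer src=10.1.4.21
2008-11-03T08:05:40 bsa-dl01 login user=irs_xfer src=10.1.4.37
2008-11-03T08:06:02 bsa-dl01 login user=irs_xfer src=10.1.4.52
2008-11-03T09:12:55 bsa-dl01 login user=jdoe src=10.1.4.21
2008-11-03T13:30:00 bsa-dl01 login user=jdoe src=10.1.4.21
2008-11-04T07:58:19 tcs-adm login user=admin src=10.2.9.5
2008-11-04T07:59:03 tcs-adm login user=admin src=10.2.9.6
"""

# Constructed completion dates for scans of one asset group.
SCAN_DATES = ["2008-03-14", "2008-06-10", "2008-10-22", "2009-01-15"]


def parse_auth_log(text):
    """Yield (timestamp, host, user, src) for each well-formed login line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "login":
            continue  # malformed or not a login event; skip rather than crash
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if "user" not in fields or "src" not in fields:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], fields["user"], fields["src"]


def shared_accounts(text, min_sources=2, window_hours=24):
    """Return {account: sorted source addresses} for every account that logged
    in from at least min_sources distinct addresses inside any window_hours
    span.  Several sources on one account in a short window is the signature
    of a shared credential (or a stolen one); either way the account no longer
    identifies a person, which is the accountability problem GAO describes."""
    by_user = defaultdict(list)
    for ts, _host, user, src in parse_auth_log(text):
        by_user[user].append((ts, src))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {src for ts, src in events[i:]
                         if (ts - start).total_seconds() <= window_hours * 3600}
            if len(in_window) >= min_sources:
                flagged[user] = sorted(in_window)
                break
    return flagged


def scan_cadence_gaps(dates, max_days=90):
    """Return [(previous_scan, next_scan, days_between)] for every pair of
    consecutive scans further apart than max_days.  A quarterly policy means
    no gap may exceed roughly 90 days; the report found at least four months."""
    ordered = sorted(date.fromisoformat(d) for d in dates)
    return [(a.isoformat(), b.isoformat(), (b - a).days)
            for a, b in zip(ordered, ordered[1:]) if (b - a).days > max_days]


if __name__ == "__main__":
    for account, sources in shared_accounts(AUTH_LOG).items():
        print(f"shared-account indicator: {account} used from {sources}")
    for prev, nxt, days in scan_cadence_gaps(SCAN_DATES):
        print(f"scan gap: {prev} -> {nxt} is {days} days (policy: 90)")
```

On the constructed data this flags `irs_xfer` and `admin` but not `jdoe`, and reports the 134-day gap between the June and October scans. Treat the shared-account check as an indicator, not proof: a user who legitimately moves between workstations, or sits behind a VPN or NAT pool, will trip it, so pair it with the account's documented ownership before acting on it.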
"As a result," the report continues, "BSA data -- containing highly sensitive personal and financial information about private individuals that is used by the law enforcement community to identify and prosecute illegal activity -- are at an increased risk of unauthorized use, modification or disclosure."
GAO compiled a separate report with 88 detailed recommendations for fixing those controls, but you won't be seeing that one. The agency did, however, give five general recommendations in the publicly released report. First, FinCEN needs to update its policies and procedures to cover gaps such as patch prioritization, and needs also to nail down implementation guidance for configuring certain parts of the network (e.g., the VPN) properly. Documentation of controls needs to be improved as well. And FinCEN needs to get right with documenting corrective actions, too.
Controls weren't the only issue on GAO's mind; vulnerability scanning, perhaps a more concrete issue for some security folk, rounds out the list. Vulnerability scanning of databases, applications, and the network infrastructure needs to actually happen every quarter. And scanning needs to cover both custom-developed source code and any manual changes made to that code.
FinCEN officials saw a draft of the findings and, as noted at the end of the report, are working to implement the corrections.