Editor’s Note: The redacted, recently released “Audit of Department of State Access Controls for Major Applications” by the State Department Office of Inspector General is attached here.
The audit found continuing weaknesses in Departmental access controls. For example:
Two years after the unauthorized release of sensitive cables to the public through the Wikileaks organization [redacted] cable-related applications such as Net-Centric Diplomacy (NCD) and Classified State Messaging and Archival Retrieval Toolset (SMART-C). Progress in addressing the NCD weaknesses that made the Wikileaks incident possible has been very slow.
The OIG also found that:
No formal vulnerability scanning process existed for databases as part of the risk management strategy, even though important operations such as consular affairs and financial management routinely rely on databases to support operations. Further, the Bureau of Diplomatic Security (DS) had not procured database scanning software necessary to accomplish this task. Lack of a database vulnerability scanning process weakens the Department’s ability to proactively identify and remediate database security configuration weaknesses before they are exploited.
Staffing shortages also contributed to security weakness. The audit report states that:
OIG found that audit logs for all of the applications audited were not reviewed periodically. OIG learned that because of limited staff, there was an operational need to provide all system administrators with the same permissions to enable other system administrators to perform the tasks necessary to continue operations when other system administrators are not available.
The OIG’s ten recommendations include:
Recommendation 2. OIG recommends that the Chief Information Officer establish standard training requirements for post Classified State Messaging and Archive Retrieval Toolset (SMART-C) and ensure that system administrators receive required training before they are assigned and annually thereafter.
Recommendation 3. OIG recommends that the Chief Information Officer implement logical access controls to ensure that system administrators do not have the ability to read information within sensitive cables that they do not need to perform their administrative duties.
***
Recommendation 9. OIG recommends that the Chief Information Officer institute a formal process to require system owners to certify that the Information Systems Security Officer has reviewed audit logs monthly in order to detect and resolve potential security incidents in a timely manner.