Thursday, February 5, 2009

Appointment Of Geithner Clears Economic Landscape – Old “Shrubs” First To Go!

by Kevin M Nixon, MSA, CISSP®, CISM®, CGEIT®

Timothy Geithner becomes 75th Treasury Secretary

When the dust from the departing helicopter finally settled, America realized that the old “shrubs” of the last 8 years had been replaced with the seeds of new growth opportunities! Secretary of the Treasury Timothy Geithner will most certainly review the current state of affairs and enact some significant new enhancements.

Reporters (and our friends) at InfoSec News (infosecnews.org) picked up on a story by William Jackson at GCN.org that discussed a January 2009 General Accounting Office report citing “significant holes in the security of systems protecting financial data”.

Despite the enactment of the USA PATRIOT ACT, which was meant to strengthen the Bank Secrecy Act (and both of which were supposed to comply with the Federal Information Security Management Act, FISMA), when all that helicopter dust finally settled an audit showed that all of the puzzle pieces had been placed on the table, but none of the old guard had done anything to actually make the security work.

A Quick Summary

The Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury, relies extensively on its own computer systems, as well as those at the Internal Revenue Service (IRS) and the Treasury Communications System (TCS), to administer the Bank Secrecy Act (BSA) and fulfill its mission of safeguarding the U.S. financial system from financial crimes. Effective information security controls over these systems are essential to ensuring that BSA data, which contains sensitive financial information used by law enforcement agencies to prosecute financial crime, is protected from inappropriate or deliberate misuse, improper disclosure, or destruction.

GAO evaluated whether security controls that effectively protect the confidentiality, integrity, and availability of the information and systems that support FinCEN’s mission have been implemented. To do this, GAO examined security policies and controls for systems at three organizations.

The three organizations [under Treasury Department control] implemented many information security controls [in support of FISMA] to protect the information and systems that support FinCEN’s mission. For example, IRS controlled changes to a key application and FinCEN segregated areas of its network. Nonetheless, the organizations had inconsistently applied or not fully implemented controls to prevent, limit, or detect unauthorized access to this information and these systems (about as effective as installing a big bomb-proof door between two plate glass windows).

The organizations did not always (1) implement user and password management controls for properly identifying and authenticating users, (2) restrict user access to data to only what was required for performing job functions, (3) adequately encrypt data, (4) protect the external and internal boundaries of their systems, and (5) log user activity on databases. In addition, systems were insecurely configured and patches were not applied to critical systems. As a result, sensitive information used by the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing is at an increased risk of unauthorized use, modification, or disclosure.

The Big Picture

[Diagram: BSA - IRS - FinCEN]

Following the enactment of the USA PATRIOT ACT, the system was supposed to track and alert various law enforcement and regulatory agencies when certain suspicious financial transactions, such as “money laundering”, were occurring. The system works nicely; however, not all cash transactions over $10,000 are illegal or nefarious, and therefore who inside the Treasury, the IRS, or external law enforcement can see that information still needs to be controlled. After all, some of that information happens to pertain to law-abiding citizens.

Hopefully, under the new administration, “common sense and good judgment” will return to the department, and perhaps some of the habits that have become customary over the last few years will be tossed out like old shrubs.

Who would ever have thought that Tim Geithner, as Secretary of the Treasury, might actually become known as the “Landscaping Czar” in charge of getting rid of “old shrubs”?

For a complete copy of the GAO audit report, refer to GAO Publication #09-195 on the official Government Accounting Office site.

© Copyright 2009 – Kevin M. Nixon – All Rights Reserved – See: Information Security Resources
(This article may be reprinted in whole or in part only with proper attribution to the author.)
