I figured it would be interesting to read what the “significant IT problems” were. Many of the problems highlighted in the report had to do with funding, lack of manpower, higher priority projects and the like. We’ve all seen those in our jobs. What was most interesting to me was some of the more real, day-to-day problems that have cropped up as part of the project. Here’s a selection from the report – I’ve edited my excerpts but I've tried to preserve context and content as much as possible:
- There are many unused and unaccounted for test accounts and cards currently active
- There may be an excessive number of individuals with account access. Our analysis identified 11 “su,” or “super user,” accounts, which grant full access which allow the user to view and monitor system logs. The principle of least privilege must be implemented under DHS policy, and access to system logs should be restricted.
- We identified three web application accounts that were not assigned to specific individuals. Two were system accounts, used to initially set up the system and create administrative accounts; both of these accounts can no longer be used to access any information or establish new accounts. The third was a temporary test account that was never deleted. Accounts that are not in use or have never been used should be deleted.
- All IDMS EIWS users share one local administrator account.
- Forty of the 1,539 deactivated (smart) cards, or 2.6%, were deactivated but incorrectly left active in (the physical access system). When physical access rights are still activated on a card, an individual may gain unauthorized access to DHS Headquarters facilities and areas.
Are these problems ones that would only occur in this project? Only in the US government? Only with respect to smart cards or PKI? No. Absolutely not. They occur everywhere. However, it goes to show that *any* IT project really needs to be based on solid identity and access management procedures and products. That’s the only way that one can achieve compliance. That’s the only way that problems like the ones identified in the report can be avoided from the outset.
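The findings above lend themselves to a recurring reconciliation check. The following is an added example, not code from the report or from any DHS system: it cross-checks an identity-system card export against a physical access system export and flags unassigned, never-used and privileged accounts. The export layouts, column names and sample rows are all constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
IDMS_CARDS = """card_id,holder,status
C1001,alice,active
C1002,bob,deactivated
C1003,carol,deactivated
C1004,dave,active
"""
PACS_CARDS = """card_id,access_enabled
C1001,yes
C1002,yes
C1003,no
C1004,yes
C1999,yes
"""
ACCOUNTS = """account,owner,privileged,last_login
jsmith,J. Smith,no,2024-05-01
setup1,,yes,
test_tmp,,no,
admin,IT Ops,yes,2024-05-02
"""

def rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def stale_physical_access(idms, pacs):
    """Cards deactivated in the identity system but still enabled at the doors."""
    enabled = {r["card_id"] for r in pacs if r["access_enabled"] == "yes"}
    return sorted(r["card_id"] for r in idms
                  if r["status"] == "deactivated" and r["card_id"] in enabled)

def unaccounted_cards(idms, pacs):
    """Cards enabled in the physical access system with no identity record."""
    known = {r["card_id"] for r in idms}
    return sorted(r["card_id"] for r in pacs
                  if r["access_enabled"] == "yes" and r["card_id"] not in known)

def account_findings(accounts):
    """Group accounts by the hygiene problems an access review looks for."""
    return {
        "unassigned": sorted(a["account"] for a in accounts if not a["owner"].strip()),
        "never_used": sorted(a["account"] for a in accounts if not a["last_login"].strip()),
        "privileged": sorted(a["account"] for a in accounts if a["privileged"] == "yes"),
    }

if __name__ == "__main__":
    idms, pacs = rows(IDMS_CARDS), rows(PACS_CARDS)
    print("deactivated but still enabled:", stale_physical_access(idms, pacs))
    print("enabled but unknown to IDMS:", unaccounted_cards(idms, pacs))
    print("account review:", account_findings(rows(ACCOUNTS)))
```

Run on a schedule against real exports, the first list should always be empty; the privileged list is the input to a least-privilege review rather than a finding by itself.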