There is a myriad of problems with the Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records, a new report said.
The Secret Service’s IT management was ineffective because the Secret Service has historically not given it priority, according to the report from the Department of Homeland Security Office of Inspector General (OIG).
The Secret Service CIO’s Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy, the report said.
OIG made 11 recommendations, and the Secret Service agreed to take the recommended corrective actions.
“Today’s report reveals unacceptable vulnerabilities in Secret Service’s systems,” said Inspector General John Roth. “While Secret Service initiated IT improvements late last year, until those changes are fully made and today’s recommendations implemented, the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”
OIG conducted a follow-up to a prior investigation into Secret Service employees’ improper access and disclosure of information about Congressman Jason Chaffetz contained in a Secret Service database.
In the prior investigation, OIG found that, on 60 different occasions, 45 Secret Service employees accessed database information about Representative Chaffetz, Chairman of the House Committee on Oversight and Government Reform, related to his job application from 2003. The vast majority of the 45 employees who accessed the information did so in violation of the Privacy Act, as well as Secret Service and DHS policy. This episode prompted the DHS OIG to audit the effectiveness of the protections in place on Secret Service IT systems.