IG: Insiders Pose Threat to Immigration Services' IT
Report Highlights Safeguards to be Taken
The partly redacted report - Examining Insider Threat Risk at the U.S. Citizenship and Immigration Services, issued by the Department of Homeland Security's inspector general - said USCIS has opportunities to improve its security posture against threats posed by employees and contractors.
The report cites, as an example, USCIS's ability to institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. USCIS also could centralize records of misconduct and violations, institute a logging strategy to preserve system activities, implement separation of duties for adjudicative decisions, conduct audits of non-USCIS accounts, employ consistent policies for physical security and consistently enforce employee exit procedures.
The report explains why it is crucial that USCIS improve its approach to the insider threat: "USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data."
A Carnegie Mellon assessment team made 18 recommendations - including five redacted ones - to the USCIS director aimed at strengthening the agency's security posture against malicious insider threats, including:
- Instituting an enterprise risk management plan.
- Incorporating insider threat risk mitigation strategies into USCIS's transformation effort.
- Centralizing records of misconduct and violations to better enable a coordinated response to insider threats.
- Separating duties for critical business processes and their related information systems.
- Examining human resources screening procedures for high-risk jobs.
- Ensuring physical and computer access is terminated in a timely manner.
- Reducing the number of privileged accounts for critical data systems.
- Implementing controls to prevent source code under development from being released without appropriate controls.
- Providing periodic security refresher training for all employees.
USCIS concurred with all of the recommendations and said it has begun to take actions to implement them.
The report also noted progress USCIS made in implementing elements of an effective insider threat program, including establishing a conviction task force to review former employees convicted of criminal misconduct within the scope of their duties, performing risk management for IT and financial management, developing exit procedures for employees, enhancing protection of its facilities and assets and adhering to formalized processes for some systems. In addition, the report said, USCIS is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.
The assessment evaluated USCIS against some 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage and theft of intellectual property.
According to the IG, the assessment team performed fieldwork in the national capital region, Vermont Service Center, and USCIS's Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any of USCIS's policies or render an overall opinion of the effectiveness of its insider threat posture. The IG did not request CERT to conduct a comprehensive information systems technical security controls review or vulnerability assessment to determine the susceptibility to internal threats, though the IG office said it might perform an in-depth follow-up review to determine an overall opinion of the effectiveness of USCIS's insider threat posture.