ICE Should Improve Controls to Restrict Unauthorized Access to Its Systems and Information

Date Issued

Thursday, July 20, 2023

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Components

United States Immigration and Customs Enforcement (ICE)

Report Number

OIG-23-33

Report Description

U.S. Immigration and Customs Enforcement (ICE) did not consistently implement effective access controls to restrict access to its network and information technology (IT) systems. Although ICE took a multi-layered approach to managing access for personnel who change positions or leave the component altogether, we determined that ICE did not consistently manage or remove access when personnel separated or changed positions.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 8 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend the ICE Office of the Chief Information Officer develop and implement processes to remove separated employees’ access to all ICE systems, networks, and applications in accordance with DHS policy.
2	No	$0	$0
We recommend the ICE Office of the Chief Information Officer develop and implement a process to identify all transferred employees and ensure their user group access is reviewed and verified immediately at the end of their prior position in accordance with DHS policy.
3	No	$0	$0
We recommend the ICE Office of the Chief Information Officer develop and implement a repeatable process to conduct and monitor privileged user and service account reviews in accordance with DHS policy.
4	No	$0	$0
We recommend the ICE Office of the Chief Information Officer remove the unnecessary privileges that allow additional users to access the sensitive security account we identified.
5	No	$0	$0
We recommend the ICE Office of the Chief Information Officer submit requests for waivers or risk acceptance to the DHS Chief Information Security Officer to forgo implementing DHS’ required encryption setting on affected ICE service accounts.
5	No	$0	$0
We recommend the ICE Office of the Chief Information Officer develop and implement measures to ensure service account passwords are updated as required.
6	No	$0	$0
We recommend the ICE Office of the Chief Information Officer develop and implement measures to ensure service account passwords are updated as required.
7	No	$0	$0
We recommend the ICE Office of the Chief Information Officer evaluate its vulnerability management program to identify and implement automated tools to help address known vulnerabilities within required timeframes.