A federal watchdog found 14 “significant deficiencies and material weaknesses” in the U.S. Coast Guard’s internal controls, including multiple workspaces with unsecured computer system passwords, materials requiring physical protection that were left unguarded and employees who divulged sensitive information over the telephone.
Seven of the 14 problems identified by the Department of Homeland Security inspector general were also discussed in a 2013 report. The inspector general said, for example, that auditors again found that “materials designated by DHS policy as requiring physical security from unauthorized access were left unattended.”
Eighty-four workspaces did not secure material containing “system passwords, information marked ‘For Office Use Only,’ documents containing sensitive personally identifiable information, and government-issued laptops or storage media,” according to the report. These problems were also among those identified two years ago.
Some Coast Guard employees were willing to divulge sensitive information, in violation of DHS policy, during conversations on the telephone. Investigators called 29 employees, posing as Coast Guard technical support personnel in a test that “applies trickery or deception for the purpose of information gathering or obtaining computer system access.”
Five of the 29 employees called disclosed network or system passwords that, “if exploited, could compromise Coast Guard sensitive information.”
The inspector general also found “excessive, unauthorized, or inadequately monitored access to, and actively within, system components for key Coast Guard financial applications” and “configuration management controls that were not fully defined, followed or effective.”
“Such control deficiencies limited USCG’s ability to ensure the confidentiality, integrity and availability of its critical financial and operational data,” the report said.
The Coast Guard employs nearly 9,000 civilian workers in addition to about 42,000 active uniformed members.
