Additional Guidance and Security Controls Are Needed Over Systems Using RFID at DHS (Redacted)
The Department of Homeland Security Office of Inspector General (OIG) audited the Department of Homeland Security (DHS) and its organizational components to evaluate the effectiveness of controls implemented or planned on systems using Radio Frequency Identification (RFID) technology. Further, for systems utilizing RFID technology that were still in the planning stages, OIG determined whether security controls were adequately addressed during the system development process. RFID is a wireless technology that stores and retrieves data remotely from devices. Systems employing RFID technology include tags and readers on the front end and applications and databases on the back end. The technology allows sensitive information to be read from and written to tags, and allows numerous tags to be scanned simultaneously from a distance. The flexibility and portability of RFID technology and devices, as well as the information that resides on the tags, increase the need for security and privacy controls.

OIG performed its audit at four DHS organizational components: Science and Technology (S&T), Transportation Security Administration (TSA), U.S. Customs and Border Protection (CBP), and the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) Program. OIG's results were summarized in separate reports with findings and recommendations issued to CBP, TSA, and US-VISIT. No report was issued to S&T, as its RFID efforts involved only systems in the early stages of development. CBP, TSA, and US-VISIT have implemented effective physical security controls over RFID tags, readers, computer equipment, and databases supporting the RFID systems at the sites visited. No personal information is stored on the tags. Sensitive information is maintained in, and can be obtained only with access to, the system's database.

Additional security controls would be required if any component decides to store sensitive or personal information on RFID tags or migrates to universally readable Generation 2 (Gen2) products. Overall, good physical security controls exist on the RFID systems OIG audited. However, other concerns remain that should be addressed to help improve system security. DHS needs to develop policy and procedures regarding RFID technology, incorporate security planning during system development, and strengthen database security controls. If not addressed, these security-related concerns increase the potential for unauthorized access to DHS resources and data.

The DHS Chief Information Officer (CIO) has not developed department-wide policies and guidance regarding the management and protection of RFID systems. Further, none of the four components reviewed has developed its own RFID policies to protect its RFID systems. In addition, operating procedures for RFID systems at CBP and US-VISIT, including physical security of unused tags and proper destruction of damaged tags, were either incomplete or not followed consistently.

CBP, TSA, and US-VISIT need to determine whether the necessary database security controls are being implemented in their RFID systems. OIG's vulnerability assessments of two CBP systems (Global Enrollment System (GES) and Free and Secure Trade (FAST)), as well as US-VISIT's Automated Identification Management System (AIDMS), identified security concerns with user account and password management, user access permissions, and auditing. In addition, system configuration weaknesses exist in TSA's weapons management system, and the systems at CBP and TSA lacked accreditation. OIG identified similar issues in other DHS components' database systems in its December 2005 report, Security Weaknesses Increase Risk to Critical DHS Databases. Processes need to be put in place at the department level to ensure that database security concerns at all DHS components are addressed and mitigated.
Corporate Authors
- Department of Homeland Security, Office of Inspector General; 245 Murray Drive, SW, Washington, DC, United States 20528
- Publication Date: 2006-7
Language
- English
Media Info
- Media Type: Web
- Features: Appendices; Figures; Tables
- Pagination: 19p
Subject/Index Terms
- TRT Terms: Auditing; Planning; Policy; Privacy; Radio frequency identification; Risk assessment; Security; Weapons
- Identifier Terms: U.S. Customs and Border Protection; U.S. Department of Homeland Security; U.S. Transportation Security Administration; U.S. Visitor and Immigrant Status Indicator Technology
- Uncontrolled Terms: Accreditation; Control strategies; Effectiveness; Guidance; Management systems; Physical security; System configuration; User access; User accounts (Computer systems); User passwords (Computer systems)
- Subject Areas: Administration and Management; Highways; Planning and Forecasting; Policy; Safety and Human Factors; Security and Emergencies; Society; I10: Economics and Administration
Filing Info
- Accession Number: 01036415
- Record Type: Publication
- Report/Paper Numbers: OIG-06-53
- Files: TRIS
- Created Date: Oct 27 2006 8:15AM