I have increasingly found certain US government websites to be veritable treasure troves of timely, relevant content on identity and access management (IAM) and governance, risk and compliance (GRC) issues. The specific websites are those of the Offices of the Inspector General (OIG) for many federal government agencies.
The OIGs serve a very important function in the US government: they conduct internal investigations and audits to identify fraud, corruption or general mismanagement. Almost every major US federal agency has its own OIG. And while these offices are connected to the agencies that they audit, the OIG acts independently and has proven itself a useful weapon in fixing problems in the government. As my last blog noted, these OIG investigators author very thorough and sobering reports, which are increasingly becoming must-reads for me (as well as a good source of inspiration for blog content!).
My latest report comes from the OIG for the Department of Homeland Security and is based on an in-depth review of physical security procedures at an agency the traveling public is all too familiar with: the Transportation Security Administration (TSA).
The actual report is here:
http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_08-92_Sep08.pdf
This is the TSA's official response to the OIG report:
http://www.tsa.gov/press/happenings/oig_badges.shtm
Some specifics from this report have been reported and leaked previously, but the report identifies some crucial process breakdowns around the de-provisioning of TSA identity cards and uniforms. TSA's physical access problems were compounded because TSA employees required badges issued by 2 entities: the TSA employee badge and a badge granting access to the secure areas of the airport (called a SIDA badge). The OIG's report clearly identified process breakdowns where ex-TSA employees still possessed valid SIDA badges and could thus theoretically access secure areas of the airport facility. In a check of 5 unnamed airports, the OIG found 1,188 missing badges covering a period of 3 years. And while these badges were all de-activated at the time of the OIG audit, they were not in the TSA's or the airport's possession.
The report found similar gaps in the return of TSA uniforms: nearly 50% of ex-TSA employees at the 5 selected airports had never returned their uniforms!
This report should serve as a reminder for all organizations to review their internal processes for physical security. And while IAM technologies often focus on creating and suspending virtual access to applications and systems, the risks and threats posed by a poor physical security process should never be overlooked. In fact, identity management solutions like CA Identity Manager can just as easily provision/de-provision employee badges as they can provision/de-provision access to an ERP system.
For those attending CA World next month, there will be a session that will talk about these same physical security issues and how CA technology is being utilized to address the problem.