Tuesday, July 8, 2008

Report Praises Efforts to Secure ACE Data

(World Trade Interactive)

A June 2008 report recently made public by the Department of Homeland Security’s Office of Inspector General praises U.S. Customs and Border Protection for its actions to secure the Automated Commercial Environment. The report, which has been redacted to remove certain sensitive information, states that the measures taken by CBP are designed to reduce the risks associated with the intentional and unintentional actions of ACE users that could potentially result in the loss and misuse of the data processed and stored by the system. For example, CBP has:

• enabled point-to-point encryption to protect the data transmitted through the ACE Secure Data Portal from unauthorized access;

• established a change control process to ensure that system and software configuration changes are reviewed, authorized and tested prior to being implemented;

• completed a privacy assessment that outlines what type of information is to be collected through ACE, why it is collected, how it is intended to be used and with whom it will be shared;

• implemented adequate physical controls to restrict ACE access to authorized personnel and reduce the potential risks of theft, destruction, sabotage or compromise of equipment; and

• implemented procedures to ensure that ACE sensitive data is backed up periodically and can be restored at an alternate recovery location in the event of emergency.

CBP has also committed to making further improvements to the security posture of ACE. For example, CBP said in response to the OIG report that by November 30 it plans to (a) develop, update and implement policies and procedures to ensure that a formalized user account management process for ACE is established to grant, monitor and disable user access at ports of entry and (b) improve the current process for providing users with administrator access to ACE, which the OIG said should be restricted to minimize the potential of misuse.