The federal auditor has raised concerns over administrative access granted to a technology system used by Customs and Border Protection officers to record goods held for investigation.
The Auditor-General said the Detained Goods Management System (DGMS) had been introduced as an "interim measure" in 2006 but had since become the permanent system to record all goods detained by Customs.
Goods can be broadly classified as firearms, weapons, alcohol, drugs, wildlife, tobacco, "intellectual property rights", "sensitive" and "other".
The Auditor-General raised concerns over eight "operational staff" who had administrative access to the system, as well as to goods that had been detained.
The staff had been given administrative rights to combat unspecified "limitations in the system".
"As these operational staff who work in close proximity to detained goods have the ability to delete records, there is an increased risk that an electronic record could be deleted and the corresponding goods stolen without detection," the Auditor-General warned.
"The Detained Goods Management System has a fully auditable trail, but user activity has not been monitored to identify potential misuse of the system."
The Auditor recommended that Customs "institute controls for system weaknesses, including monitoring administrators with close proximity to detained goods".
The Auditor-General said weaknesses in detained goods frameworks had been exploited in the past, either by staff or contractors.
"The risks inherent in managing detained goods, many of which are of an illicit or restricted nature, means that Customs and Border Protection requires ongoing assurance that its control framework is sound and being implemented as intended," the Auditor-General stated.
Customs detained 124,792 items in 2011-12, mostly because they were prohibited or restricted, or because import duties were unpaid.
The Auditor-General also noted DGMS had some prior history of instability — since corrected — but the system had no technological back-up, nor had Customs tested a business continuity plan to revert to manual records in the event of a "short or long-term outage".