MANAGEMENT ADVISORY: Information Security: Weaknesses in USAID’s Management of Travel System Account Closures Highlight Concerns About Protecting Travelers and Sensitive Information

Advisory
Report Number: A-000-25-002-M

USAID OIG issued a management advisory to USAID regarding concerns with the Agency’s End-to-End Travel system (known as E2). Our evaluation found that USAID did not disable E2 accounts for 76 percent of users (137 of 178) within 24 hours following their separation from the Agency, as required. As a result, USAID faces the risk that unauthorized users will access sensitive travel plans, personally identifiable information, and credit card numbers of current or former employees. 

This advisory made five recommendations to strengthen USAID’s controls around its sensitive travel data. We consider Recommendations 1 and 2 open and resolved pending further actions; Recommendations 3 and 4 open and unresolved; and Recommendation 5 closed.


Recommendations

Recommendation 1

We recommend that USAID's Chief of Travel and Transportation review the list of 33 separated users whose accounts in the End-to-End Travel system have no record of being disabled and, if they are not needed, disable them.

Questioned Cost: 0
Funds for Better Use: 0

Recommendation 2

We recommend that USAID's Chief of Travel and Transportation determine the activities of 11 separated users who logged into the End-to-End Travel system after their termination dates and take appropriate action.

Questioned Cost: 0
Funds for Better Use: 0

Recommendation 3

We recommend that USAID's Chief of Travel and Transportation designate an Information System Security Officer to perform security functions for the End-to-End Travel system in accordance with USAID policy.

Questioned Cost: 0
Funds for Better Use: 0

Recommendation 4

We recommend that USAID's Chief of Travel and Transportation revise the system security plan to require account managers for the End-to-End Travel system to be notified about personnel separations in a timely manner and receive sufficient time to disable system access within 24 hours, rather than 3 days, of a user's separation.

Questioned Cost: 0
Funds for Better Use: 0

Recommendation 5

We recommend that the Chief Information Officer revise Agency information systems security policies to eliminate conflicting language for the timeframe to disable accounts for separated employees.

Questioned Cost: 0
Funds for Better Use: 0
Close Date