It cost taxpayers $92.6 million to build, but at least the San Diego County Sheriff's Department Regional Crime Laboratory — said by a recently released federal audit report to have experienced extensive security breaches at its former facility — may make a harder target at its gleaming new Kearny Mesa headquarters.
August's audit, released by the U.S. Department of Justice's Inspector General two months after the reelection of Sheriff Bill Gore, an ex-FBI Special Agent in Charge, criticized the lab on multiple fronts.
"The Laboratory did not have adequate internal controls in place to protect against unauthorized personnel gaining access to DNA data and records," per the document.
"This created a heightened risk of improper access to privacy information and evidence by unauthorized individuals, as well as compromising the chain of custody of the evidence. In addition, the security of the Laboratory was put at risk."
In one case, an evidence bag was found lying unattended on the desk of a DNA analyst, violating requirements that such confidential material to be locked up. When asked about the bag, an administrator explained that the analyst "did not have a personal storage cabinet," adding that "the employee might return to the Laboratory later that day."
Said auditors, "The Laboratory should ensure that its DNA analysts have the means by which to adhere to Laboratory policy for securing evidence in storage cabinets at the end of each day, to minimize the risk of contamination and loss."
"Based on the other security risks we identified, including active keycards being held by former employees and contractors, the Laboratory was at an increased risk of unauthorized access to and potential mishandling of personally identifiable information and evidence."
The problems with the lab's keycard system, intended to prevent unauthorized entry, surfaced after auditors began a limited inventory of the devices. "We judgmentally selected a sample of 16 keycards that belonged to a combination of employees and contractors from the Laboratory’s keycard access list," the audit says.
"We found that the Laboratory’s list was neither accurate, nor up-to-date, because the Laboratory had failed to properly collect and deactivate keycards for six of these individuals when they ceased employment with the [crime lab] or upon completion of their work at the Laboratory."
"These keycards were active between 8 to 14 years after the keycards should have been collected and deactivated. The Laboratory could not confirm that it had retrieved the keycards from the former employees and contractors."
Negligent oversight likely compounded the problem, the document adds. "The Security Supervisor stated that his predecessor most likely failed to collect the keycards, which would explain why the six individuals’ keycards were still active.
"We believe that if there were periodic reviews of the Laboratory’s keycard access list, someone would have noticed that there were former employees and contractors included on the list."
"In addition to the six employees mentioned above, we determined that one of the remaining 10 keycards was returned by a former employee in a timely manner upon departing from the Laboratory but was not immediately deactivated and was used by another employee to access areas of the Laboratory," according to the report.
"We asked the Security Supervisor why the former employee’s keycard had not been deactivated, and the Security Supervisor stated that the keycard was returned to a Senior Office Assistant, who did not immediately provide the keycard for deactivation. Rather, the Senior Office Assistant used the keycard to access areas of the Laboratory when she left her own keycard at home."
Adds the document. "Upon our inquiry, the keycard was deactivated, 111 days after the employee’s departure."
Sloppy record-handling added to security woes. "During our site visit, while taking a tour of the Laboratory facility, we observed that at least one, if not more, of the Laboratory’s [Combined DNA Index System] specimen reports was left in an unsecured mailbox in the main hallway of the Laboratory that was accessible to all of the Laboratory’s employees and visitors, many of whom may not have a need to access such a report."
"The specimen reports contain personally identifiable information and according to [National DNA Index System] requirements, access to DNA data, such as specimen reports, should be secured and accessible only to those Laboratory employees needing such access."
Gore's office told auditors that issues surrounding keycard shortcomings would be resolved by the middle of last month, per the report.
"The Laboratory stated in its response that it is moving to a new facility on August 8, 2018, and any keycards to its current building will be of no significance after that date. The Laboratory also stated that it will track keycards for its new facility and that it will establish a new policy for an annual review of access records and its keycard distribution list. The Laboratory stated that the new policy will be established and in place by August 13, 2018."
Some of the audit's findings regarding physical security were not entirely agreed to, the report adds. "The Laboratory stated that its facility is secure and not accessible to the public and that its employees undergo background checks and receive ethics training."
It cost taxpayers $92.6 million to build, but at least the San Diego County Sheriff's Department Regional Crime Laboratory — said by a recently released federal audit report to have experienced extensive security breaches at its former facility — may make a harder target at its gleaming new Kearny Mesa headquarters.
August's audit, released by the U.S. Department of Justice's Inspector General two months after the reelection of Sheriff Bill Gore, an ex-FBI Special Agent in Charge, criticized the lab on multiple fronts.
"The Laboratory did not have adequate internal controls in place to protect against unauthorized personnel gaining access to DNA data and records," per the document.
"This created a heightened risk of improper access to privacy information and evidence by unauthorized individuals, as well as compromising the chain of custody of the evidence. In addition, the security of the Laboratory was put at risk."
In one case, an evidence bag was found lying unattended on the desk of a DNA analyst, violating requirements that such confidential material to be locked up. When asked about the bag, an administrator explained that the analyst "did not have a personal storage cabinet," adding that "the employee might return to the Laboratory later that day."
Said auditors, "The Laboratory should ensure that its DNA analysts have the means by which to adhere to Laboratory policy for securing evidence in storage cabinets at the end of each day, to minimize the risk of contamination and loss."
"Based on the other security risks we identified, including active keycards being held by former employees and contractors, the Laboratory was at an increased risk of unauthorized access to and potential mishandling of personally identifiable information and evidence."
The problems with the lab's keycard system, intended to prevent unauthorized entry, surfaced after auditors began a limited inventory of the devices. "We judgmentally selected a sample of 16 keycards that belonged to a combination of employees and contractors from the Laboratory’s keycard access list," the audit says.
"We found that the Laboratory’s list was neither accurate, nor up-to-date, because the Laboratory had failed to properly collect and deactivate keycards for six of these individuals when they ceased employment with the [crime lab] or upon completion of their work at the Laboratory."
"These keycards were active between 8 to 14 years after the keycards should have been collected and deactivated. The Laboratory could not confirm that it had retrieved the keycards from the former employees and contractors."
Negligent oversight likely compounded the problem, the document adds. "The Security Supervisor stated that his predecessor most likely failed to collect the keycards, which would explain why the six individuals’ keycards were still active.
"We believe that if there were periodic reviews of the Laboratory’s keycard access list, someone would have noticed that there were former employees and contractors included on the list."
"In addition to the six employees mentioned above, we determined that one of the remaining 10 keycards was returned by a former employee in a timely manner upon departing from the Laboratory but was not immediately deactivated and was used by another employee to access areas of the Laboratory," according to the report.
"We asked the Security Supervisor why the former employee’s keycard had not been deactivated, and the Security Supervisor stated that the keycard was returned to a Senior Office Assistant, who did not immediately provide the keycard for deactivation. Rather, the Senior Office Assistant used the keycard to access areas of the Laboratory when she left her own keycard at home."
Adds the document. "Upon our inquiry, the keycard was deactivated, 111 days after the employee’s departure."
Sloppy record-handling added to security woes. "During our site visit, while taking a tour of the Laboratory facility, we observed that at least one, if not more, of the Laboratory’s [Combined DNA Index System] specimen reports was left in an unsecured mailbox in the main hallway of the Laboratory that was accessible to all of the Laboratory’s employees and visitors, many of whom may not have a need to access such a report."
"The specimen reports contain personally identifiable information and according to [National DNA Index System] requirements, access to DNA data, such as specimen reports, should be secured and accessible only to those Laboratory employees needing such access."
Gore's office told auditors that issues surrounding keycard shortcomings would be resolved by the middle of last month, per the report.
"The Laboratory stated in its response that it is moving to a new facility on August 8, 2018, and any keycards to its current building will be of no significance after that date. The Laboratory also stated that it will track keycards for its new facility and that it will establish a new policy for an annual review of access records and its keycard distribution list. The Laboratory stated that the new policy will be established and in place by August 13, 2018."
Some of the audit's findings regarding physical security were not entirely agreed to, the report adds. "The Laboratory stated that its facility is secure and not accessible to the public and that its employees undergo background checks and receive ethics training."
Comments