[ISN] Audit: DHS beset by weak information security

InfoSec News isn at c4i.org
Thu Nov 3 09:42:12 EST 2005


http://www.washingtontechnology.com/news/1_1/daily_news/27340-1.html

By Alice Lipowicz
Staff Writer
11/02/05

Despite improvements, the Homeland Security Department still has weak
information security programs overall, according to a new report from
DHS Inspector General Richard L. Skinner.

The IG's audit [1] found that many of the department's IT systems
remain uncertified and unaccredited, while plans to correct weaknesses
are undeveloped. The report also said contingency plans have not been
developed and tested for all systems, and added that tools used to
measure progress are neither complete nor current.

"We recommend that DHS continue to consider its information security
program a significant deficiency for [fiscal] 2005," the IG concluded.

DHS officials agreed with the recommendations, and have developed
remediation plans for fiscal 2006, according to the report.

Skinner evaluated DHS. compliance with the Federal Information
Security Management Act of 2002, which focuses on program management,
implementation and evaluation of the security of unclassified and
national security IT systems.

The department has made progress on several fronts, including
developing so-called Plans of Action and Milestones, as well as a
Trusted Agent FISMA tool to collect and track data related to FISMA
compliance.

DHS also performed a comprehensive inventory of its IT systems,
identifying 795 operational systems as of Aug. 25. That's more than
double the 295 systems it reported the previous year, the report said.  
However, DHS does not yet have a process to update its inventory
annually.

Other deficiencies in DHS. IT security cited in the report included:

* Self-assessments have been performed on only 46 percent of
  contractor systems used on behalf of DHS.

* The Transportation Security Administration and the Secret Service
  have no contingency plans for network security, and the Citizenship
  and Immigration Services agency, the Coast Guard and the Secret
  Service have no contingency plans for database security.

* Fifteen out of 16 certification and accreditation packages reviewed
  at DHS were incomplete, with some key security documents either not
  prepared, in draft, or failing to meet appropriate guidelines.

* The Customs and Border Protection, CIS and Emergency Preparedness
  and Response agencies and the Federal Law Enforcement Training
  Center did not submit weekly reports to the DHS Computer Security 
  Incident Response Center as required, based on a 10-week evaluation
  period.

[1] http://www.dhs.gov/interweb/assetlibrary/OIG_05-46_Sep05.pdf






More information about the ISN mailing list