[ISN] Audit: DHS beset by weak information security
InfoSec News
isn at c4i.org
Thu Nov 3 09:42:12 EST 2005
http://www.washingtontechnology.com/news/1_1/daily_news/27340-1.html
By Alice Lipowicz
Staff Writer
11/02/05
Despite improvements, the Homeland Security Department still has weak
information security programs overall, according to a new report from
DHS Inspector General Richard L. Skinner.
The IG's audit [1] found that many of the department's IT systems
remain uncertified and unaccredited, while plans to correct weaknesses
are undeveloped. The report also said contingency plans have not been
developed and tested for all systems, and added that tools used to
measure progress are neither complete nor current.
"We recommend that DHS continue to consider its information security
program a significant deficiency for [fiscal] 2005," the IG concluded.
DHS officials agreed with the recommendations, and have developed
remediation plans for fiscal 2006, according to the report.
Skinner evaluated DHS' compliance with the Federal Information
Security Management Act of 2002, which focuses on program management,
implementation and evaluation of the security of unclassified and
national security IT systems.
The department has made progress on several fronts, including
developing so-called Plans of Action and Milestones, as well as a
Trusted Agent FISMA tool to collect and track data related to FISMA
compliance.
DHS also performed a comprehensive inventory of its IT systems,
identifying 795 operational systems as of Aug. 25. That's more than
double the 295 systems it reported the previous year, the report said.
However, DHS does not yet have a process to update its inventory
annually.
Other deficiencies in DHS' IT security cited in the report included:
* Self-assessments have been performed on only 46 percent of
contractor systems used on behalf of DHS.
* The Transportation Security Administration and the Secret Service
have no contingency plans for network security, and the Citizenship
and Immigration Services agency, the Coast Guard and the Secret
Service have no contingency plans for database security.
* Fifteen out of 16 certification and accreditation packages reviewed
at DHS were incomplete, with some key security documents either not
prepared, in draft, or failing to meet appropriate guidelines.
* The Customs and Border Protection, CIS and Emergency Preparedness
and Response agencies and the Federal Law Enforcement Training
Center did not submit weekly reports to the DHS Computer Security
Incident Response Center as required, based on a 10-week evaluation
period.
[1] http://www.dhs.gov/interweb/assetlibrary/OIG_05-46_Sep05.pdf